ASIC cyber attack linked to RBNZ breach
Corporate regulator halts credit applications after cyber attack, says some credit information may have been viewed.
The Australian Securities and Investments Commission has halted credit applications after it was hit by a cyber attack, and says some credit information may have been viewed.
ASIC is investigating after it became aware of a cyber attack on one of its servers on January 15, involving unauthorised access to a server containing documents including Australian credit licence applications.
The attack has links to the recent Reserve Bank of New Zealand security incident, with both organisations relying on 20 year-old software from Californian provider Accellion.
“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor,” the watchdog said in a statement.
“At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded.
“As a precaution, and to protect information and systems, ASIC has disabled access to the affected server. ASIC is working on alternative arrangements for submitting credit application attachments which will be implemented shortly. No other ASIC technology infrastructure has been impacted or breached.
“ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident. ASIC’s IT team and cyber security advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely.”
Accellion said in a statement the incident related to a 20-year old legacy product, Accellion FTA, which specialises in large file transfers.
“In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software,” a spokesman told The Australian.
“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.
“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence.”
The Australian understands a total of 130 ASIC credit applications were made over the period of possible exposure, who have each been contacted.
This week the Australian Cyber Security Centre (ACSC) issued a threat advisory declaring that Australian organisations may have been caught up in the Accellion vulnerability, and said it was working with cybersecurity partners to assist local companies. It would not disclose how many Australian companies have been affected.
It issued an alert level of “high’” and said the vulnerability had the potential to provide attackers with access to content.
It recommended organisations running the affected software apply security patches, and temporarily isolate or block internet access to and from systems hosting the software until it‘s updated.
It also recommended any organisations still using the 20-year old product upgrade to supported products.
RNBZ and ASIC weren’t the only organisations caught up in the Accellion cyber attack, which is thought to be the work of state-based actors. Australian law firm Allens, which counts Westpac as a client, also disclosed it was impacted.
Topher Tebow, Acronis Cybersecurity Analyst, said more regular penetration testing could have perhaps made ASIC aware of the vulnerability sooner.
“Cybersecurity is always about finding balance between having sufficient protection suited for your threat landscape, and being able to operate and do business freely, without restrictions,” he said.
“Based on the information on hand, this appears to be a vulnerability in a file transfer system (like Dropbox or similar), likely a third-party vulnerability in systems that the organisation didn‘t have direct access to audit.
“This isn’t exactly a supply chain attack, but this time it was out of control of any affected organisations. The one thing to be done now is to work with the software providers to analyse the situation, fix the vulnerability and avoid it in the future.”
More Coverage
New cold war? America fights back over DeepSeek
China outmanoeuvred the US with the launch of DeepSeek. But the US’s biggest tech companies are fighting back to maintain dominance in the AI race.
Atlassian founders add $4bn to their personal fortunes
The personal fortunes of two of the nation’s richest businessmen rocketed by a massive $4bn on paper Friday when investors responded to their tech company beating revenue expectations.