Toll attack prompts new cybersecurity warning

Company says it is making progress on recovery from second incident

Garrett O’Hara


Transport and warehousing has been the third-most targeted industry by cybercriminals during the Covid-19 crisis, and a ‘second wave’ of attacks after initial recovery, such as the one faced by Toll Group, is entirely plausible, according to a cyber security expert.

Toll yesterday revealed a number of its systems had been disrupted by a new ransomware strain called Nefilim, unrelated to late January's first attack.

In an update today, it says it is making "good progress" in rebuilding the core systems which underpin most of its online operations.

"This includes cleaning affected servers and systems, and restoring files from backups," the company says.

"In the meantime, our business continuity and manual processes are keeping services moving across many parts of the network although, regrettably, some customers are experiencing delays or disruption.

"At this stage, freight shipments are largely unaffected and parcel deliveries are running essentially to schedule based on normal pick-up and delivery processes.

"Parcel tracking and tracing through the MyToll portal remains offline.

"We are prioritising the movement of essential items, including medical and healthcare supplies into the national stockpile for COVID-19 requirements.

"This includes running charter flights from China.

"We’re working closely with our large enterprise customers whose services are affected and, for our SME customers and consumers, we’re providing updates on work-around processes through our digital and social channels including Toll’s company and MyToll websites.

"We expect to maintain current business continuity and manual processing arrangements through the week, and we are in regular contact with the Australian Cyber Security Centre (ACSC) regarding the investigation and recovery process.

"Toll apologises to customers affected by delays or disruption to services."


Garrett O’Hara, principal technical consultant at tech security firm Mimecast, tells ATN that Nefilim is a ransomware strain that emerged in February.

"The main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email communications for payments," O’Hara says.

"It is also the latest in ransomware families that threaten to leak the company’s stolen data if the ransom is not paid; this is similar to Maze, Sodinokibi, DoppelPaymer, and Nemty," he adds, though Toll has denied any personal data had been compromised at this point.

"Unlike other common attacks, at this stage there is no evidence of Nefilim being distributed via email," O’Hara continues.

"The similarities with Nemty suggest the ransomware most likely spreads through exposed Remote Desktop Services."

A second wave of attacks, of the kind Toll now faces, can and does happen, O’Hara says.

"In 2011, Australian web hosting company Distribute.IT suffered an initial breach in June, followed by a second, destructive attack a couple of weeks later when the hacker regained entry to the company’s network.

"This second attack closed the company’s doors.

"When a company is in the midst of an attack, it’s in survival mode.

"This means it might be using less capable systems to stay in business – and attackers are often aware that organisations are distracted trying to keep their business running.

"It’s also difficult to know when the remediation process is finished, as attackers will often leave ‘pieces’ behind to maintain their presence in an online environment for an extended period of time – such as a piece of malware that can connect to the company’s command control centre, or a set of malicious credentials that have been left undetected.

"After the first attack, if a company’s management team doesn’t take the necessary steps to integrate cybersecurity as a stronger focus for its staff – and doesn’t make it part of its culture – vulnerable staff are likely to be targeted again and click on the same types of malicious links."
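O’Hara’s two warnings above, that Nefilim most likely arrives through exposed Remote Desktop Services and that attackers leave behind malicious credentials to regain entry after the first clean-up, translate into a concrete post-incident sweep. The script below is an added example written for this page, not code from Toll, Mimecast or ATN: it runs over a handful of constructed Windows Security log records (event 4720 account created, 4732 member added to a local group, 4624 logon type 10 for RDP) and flags accounts created during the incident window, their elevation to privileged groups, and RDP logons by those accounts or from outside the assumed internal ranges. The incident window, the internal address ranges and the account names are assumptions for illustration.

```python
"""Post-incident sweep for leftover persistence in Windows Security events.

Added example for this article; the events below are constructed, not real
Toll log data. Event IDs used: 4720 (user account created), 4728/4732
(member added to a global/local security group), 4624 with logon type 10
(RemoteInteractive, i.e. RDP).
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Internal ranges assumed for this example; adjust to the real environment.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Event:
    ts: datetime
    event_id: int                      # Windows Security log event ID
    fields: dict = field(default_factory=dict)


def is_internal(src: str) -> bool:
    """True when the source address falls inside an assumed corporate range."""
    try:
        addr = ip_address(src)
    except ValueError:                 # hostnames or garbage are treated as external
        return False
    return any(addr in net for net in CORP_NETS)


def sweep(events, window_start, window_end):
    """Return (kind, account, detail) findings, in time order.

    Accounts created inside the incident window are tracked as suspects so
    that later elevation or RDP use by them is also reported.
    """
    findings = []
    suspect = set()
    for ev in sorted(events, key=lambda e: e.ts):
        f = ev.fields
        if ev.event_id == 4720:
            if window_start <= ev.ts <= window_end:
                suspect.add(f["target"])
                findings.append(("account_created_in_window", f["target"],
                                 f"by {f['subject']} at {ev.ts:%Y-%m-%d %H:%M}"))
        elif ev.event_id in (4728, 4732) and f["member"] in suspect:
            findings.append(("suspect_account_elevated", f["member"],
                             f"added to {f['group']}"))
        elif ev.event_id == 4624 and f.get("logon_type") == 10:
            if not is_internal(f["src"]):
                findings.append(("rdp_logon_from_external", f["user"],
                                 f"from {f['src']}"))
            elif f["user"] in suspect:
                findings.append(("rdp_logon_by_suspect_account", f["user"],
                                 f"from {f['src']}"))
    return findings


# Constructed sample: one legitimate account made before the incident window,
# one account created during it that is then elevated and used over RDP.
SAMPLE_EVENTS = [
    Event(datetime(2020, 1, 20, 9, 0), 4720,
          {"target": "jsmith", "subject": "DOMAIN\\helpdesk"}),
    Event(datetime(2020, 1, 28, 2, 14), 4720,
          {"target": "svc_backup2", "subject": "DOMAIN\\it-admin"}),
    Event(datetime(2020, 1, 28, 2, 15), 4732,
          {"member": "svc_backup2", "group": "Administrators"}),
    Event(datetime(2020, 2, 2, 3, 7), 4624,
          {"user": "svc_backup2", "logon_type": 10, "src": "203.0.113.45"}),
    Event(datetime(2020, 2, 3, 9, 30), 4624,
          {"user": "jsmith", "logon_type": 10, "src": "10.1.2.3"}),
    Event(datetime(2020, 2, 4, 22, 41), 4624,
          {"user": "svc_backup2", "logon_type": 10, "src": "192.168.5.20"}),
]


def run_sample():
    """Sweep the constructed events over an assumed incident window."""
    return sweep(SAMPLE_EVENTS, datetime(2020, 1, 27), datetime(2020, 2, 10))


if __name__ == "__main__":
    for kind, account, detail in run_sample():
        print(f"{kind:30} {account:12} {detail}")
```

Two design points matter in practice: the window should start before the first known compromise, not at detection, because the account that survives clean-up is usually created early; and internal-only RDP by a suspect account is still reported, since a credential that is quietly reused from inside the network is exactly the kind of "piece left behind" the quote describes.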

It comes as a recent Mimecast report, The First 100 Days of Coronavirus, finds ‘transportation, storage and delivery’ is the third-most attacked industry globally by cyber criminals since the emergence of the virus, behind retail and manufacturing.

The report analyses trends in activity and details the total volume of cybersecurity threats seen over the course of December 31, 2019 – when the novel coronavirus began gathering widespread attention – to March 30, 2020.

"Due to the increased importance of the sector’s operations amid nationwide lockdowns, the continued transmission of the COVID-19 virus is threatening to cause long-term effects to the transportation, storage and delivery industry globally," Mimecast says.

"With Australia also becoming a key investment area for Chinese businesses, the volume and complexity of threats and attacks against the local vertical are likely to increase."



