We have received a security alert from CBA advising of increased threats to systems over the Christmas period. Before authorising payments to new account numbers, please phone a contact to confirm the account details, if possible on a contact number you already know rather than one taken from the invoice or email. Read more below:
What is the vulnerability?
The vulnerability, known as “Log4Shell” or CVE-2021-44228, is a remote code execution vulnerability in the Apache Log4j2 library, one of the most widely used Java-based logging utilities globally. Because the library is embedded in many popular frameworks, a large number of third-party applications may also be vulnerable to exploitation.
Why should I be concerned?
A remote code execution vulnerability enables a third party to remotely access your system and potentially view, change or delete data, gain on-going access to your server/network and launch future attacks, like a ransomware attack.
Cybercriminals frequently use security weaknesses in computer software to gain access to your computer and the information on it. There are several reports of this vulnerability being actively exploited online, and this is likely to increase over the holiday period. Swift action is encouraged: once a system is compromised, cybercriminals can maintain access even after the vulnerability is patched.
Further information is available on the CBA website: https://www.commbank.com.au/support/security/cyber-alert.html
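The first practical step the alert calls for is finding out whether Log4j2 is present at all, which is harder than it sounds because the library is often packed inside other archives (a .war or .ear). The script below is an added example, not CBA's or Apache's code: it walks a directory tree, looks inside nested archives, and reports every log4j-core jar it finds together with its version. The minimum version it compares against (2.15.0, the release in which Apache first shipped the fix for CVE-2021-44228) is not stated in the alert and is given here as an assumption you should confirm against Apache's advisory; the sample directory layout it builds for demonstration is constructed.

```python
"""Inventory Log4j 2 core jars under a directory tree, including jars nested
inside .war/.ear/.jar archives, and flag any older than a minimum version.
Added example for the alert above; not CBA's or Apache's code."""
import io
import os
import re
import tempfile
import zipfile

# Assumption: 2.15.0 is the Log4j 2 release in which Apache first shipped the
# fix for CVE-2021-44228. The alert names no version, so confirm this
# threshold against Apache's advisory before relying on it.
DEFAULT_MIN_VERSION = (2, 15, 0)

JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); integer tuples compare correctly as versions."""
    return tuple(int(part) for part in text.split("."))


def _scan_archive_bytes(data, location, found):
    """Look inside an archive (given as bytes) for log4j-core jars, recursing
    into archives nested within it (e.g. WEB-INF/lib inside a .war)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with archive:
        for member in archive.namelist():
            base = os.path.basename(member)
            nested = f"{location}!{member}"
            match = JAR_NAME.match(base)
            if match:
                found.append((nested, parse_version(match.group(1))))
            if base.lower().endswith(ARCHIVE_EXTS):
                _scan_archive_bytes(archive.read(member), nested, found)


def find_log4j_core(root):
    """Return [(location, version_tuple)] for every log4j-core jar under
    root, whether it sits on disk or is packed inside another archive."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            match = JAR_NAME.match(fname)
            if match:
                found.append((full, parse_version(match.group(1))))
            if fname.lower().endswith(ARCHIVE_EXTS):
                with open(full, "rb") as fh:
                    _scan_archive_bytes(fh.read(), full, found)
    return found


def outdated_locations(root, min_version=DEFAULT_MIN_VERSION):
    """Sorted locations whose log4j-core version is below min_version."""
    return sorted(loc for loc, ver in find_log4j_core(root) if ver < min_version)


def _make_jar(members):
    """Build an in-memory zip (a jar is a zip) from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_constructed_sample():
    """Create a constructed directory layout for demonstration only: one
    old log4j-core jar on disk and a newer one packed inside a .war."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_make_jar(manifest))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(_make_jar({"WEB-INF/lib/log4j-core-2.17.1.jar": _make_jar(manifest)}))
    return root


if __name__ == "__main__":
    sample = make_constructed_sample()
    for location, version in find_log4j_core(sample):
        print(location, ".".join(map(str, version)))
    print("below minimum version:", outdated_locations(sample))
```

Point `find_log4j_core` at an application server's installation directory rather than the constructed sample to get a real inventory; the filename-based version parse is deliberate, since it needs no Java on the host, but an application that has renamed or shaded the jar will be missed, so treat an empty result as "nothing found by name", not as proof of absence.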
You may like to send a broadcast reminder to your staff as an awareness piece during this time, asking them to be cautious; while some of the areas listed below appear basic, they are still entry points for attackers.
Please keep extra vigilance around some key scenarios:
- Paying invoices: ensure the account number has not changed, and call a contact you already know to confirm it.
- Urgent internal emails requesting payments to be made: pick up the phone and confirm with the person directly.
- Payroll account changes: call the person on the number held in your HR database, not one provided by email.
- Donations via credit card where someone calls to say it was an error and asks for a refund to their account: only refund to the card that was used, as you are liable for chargebacks.
- For large pledge donations, you may want to meet in person with your fundraising team, be clear who the donor is, and vet them.
Some key reminders to protect ourselves and workplace from cyber threats:
- Don’t click on suspicious links
  o Phishing is one of the most common cyber-attacks. Attackers pose as a trusted colleague, business contact or supplier, asking you to click on an email link, open an attachment or provide them with information.
  o By doing this, your email, device or account may become vulnerable to malicious software or data breaches, or systems may be compromised. It is important you know how to identify these attacks.
  o If you are suspicious about the legitimacy of an email, do not engage with the content. This includes not clicking on links, opening attachments or responding.
- Make sure you have a strong password or passphrase
  o Your devices and accounts are valuable targets for cyber criminals. Your password is often your first line of defence, so make sure you know what a strong password looks like. If possible, use “passphrases” instead of passwords, making them unique and long.
  o Once you have a strong password for a service, it is important to protect it and avoid re-using it across multiple services. Don’t use your work passwords for any other accounts, or give them to colleagues to use, and ensure that you enable.
  o You can check if your credentials, such as email addresses and passwords, have been exposed at www.haveibeenpwned.com, a free online resource created by Troy Hunt, a Microsoft Regional Director.
- Free CBA cyber security e-learning: ‘Cool Calm & Collected’
  o While cyber security may seem daunting, there are steps you can take to protect yourself from this risk.
  o We’ve created a free cyber security eLearning to equip you and your staff with the knowledge to help protect your business. The eLearning modules include guidance on email security, browsing the web, shopping and banking, password security, security on the move and email payment fraud.
  o Follow these steps to access the eLearning:
    1. Register through the link below.
    2. Download the EdApp mobile app (iOS or Android) through the App Store or Google Play Store.
    3. To share the eLearning with your staff, simply send them the EdApp welcome email you’ll receive when you register.
  o Registration link: https://www.edapp.com/commbank
- Important cyber security information links:
  o To stay up to date on the latest cyber security trends, you can read articles written by our CBA Cyber Security Team: https://www.commbank.com.au/business/support/security/signals.html
  o CBA 2021 latest security alerts, covering the most current SMS and email messages from fraudsters in the community: https://www.commbank.com.au/support/security/sms-phishing-scams.html?ei=tl_security-alerts
  o Scamwatch is also a good site to check; it lists all the current COVID scams: https://www.scamwatch.gov.au/types-of-scams/current-covid-19-coronavirus-scams
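The password-reuse point above links to Have I Been Pwned for a manual check. For anyone who wants to build the same check into an onboarding or password-change workflow without ever sending the password (or even its full hash) to a third party, the script below is an added example, not CBA's or Have I Been Pwned's own code. It uses the public Pwned Passwords range API: only the first five hex characters of the password's SHA-1 leave the machine, and the match against the returned list is done locally. The range response embedded in the block is constructed (the hit count is made up), so the check can be exercised offline; the live `fetch_range` function talks to the real endpoint.

```python
"""Check whether a password appears in Have I Been Pwned's Pwned Passwords
corpus without sending the password, or its full hash, anywhere.
Added example; not CBA's or Have I Been Pwned's own code."""
import hashlib
import urllib.request

# Endpoint of the Pwned Passwords range API: GET <prefix>, where prefix is the
# first 5 hex characters of the SHA-1 of the password. The response is a list
# of "SUFFIX:COUNT" lines, one per hash in the corpus that shares the prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response so the check runs offline. The middle
# line carries the real SHA-1 suffix of the string "password"; the other
# suffixes and all three counts are made up.
CONSTRUCTED_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "3A1D28E4CE2C1C3DC6E4D3AE2BC6AB3A8D0:1\r\n"
)


def hash_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (prefix5, suffix35).
    Only the prefix is ever transmitted; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Fetch the range for a 5-character prefix from the live API (network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-passwords-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_fetch(prefix):
    """Offline stand-in for fetch_range returning the constructed sample."""
    return CONSTRUCTED_RANGE_RESPONSE


def breach_count(password, fetch=fetch_range):
    """How many times the password was seen in breaches (0 = not found).
    The fetch callable receives only the 5-character prefix; the suffix
    comparison happens locally against the returned list."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print("constructed count for 'password':",
          breach_count("password", fetch=constructed_fetch))
```

Call `breach_count(candidate)` with the default fetcher to query the live service; a non-zero result means the password has appeared in a breach and should be rejected, and a zero result means only that it is not in the corpus, not that it is strong.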
Stay safe and wishing you a Merry Christmas with your family and friends.