Security professionals are plagued by a ballooning number of vulnerabilities and a shrinking patch window, according to the Australian Cyber Security Centre’s (ACSC) annual threat report.
In 2021-2022, more than 24,000 CVEs - common vulnerabilities and exposures - were identified, a 25 percent increase over the previous year, the report stated.
For high profile vulnerabilities like Log4j, the ACSC said, it observed scanning activity within hours of disclosure.
The report gives a timeline for three high-profile vulnerabilities as examples of how quickly threat actors are moving when vulnerabilities are disclosed.
In the case of an Atlassian Confluence bug that emerged last year, the centre said a proof-of-concept (PoC) exploit emerged within six days of the company announcing the patch for the bug.
On the same day the PoC emerged, the first reports of exploitation came in, and one day later the ACSC saw network traffic scanning for the vulnerability.
“The rapid use of newly released critical vulnerabilities is now standard tradecraft for many malicious actors,” the report stated.
“Certain software and hardware is used ubiquitously across government, critical infrastructure, small business and by individual users, presenting malicious actors with a plethora of potential victim networks.”
“When a new vulnerability emerges, the ACSC’s cyber hygiene improvement programs (CHIPs) frequently identify numerous Australian devices which are unpatched and vulnerable to exploitation.”
The report said that under CHIPs, “in 2021–22, 49 high priority operational tasks were undertaken to protect Australian networks, including scans of government entities and Australian-attributed Internet Protocol addresses for potential compromise by critical vulnerabilities.”
The ACSC report said all types of cyber crime are growing, with more than 76,000 reports in 2021-22 via ReportCyber, an increase of 13 percent over the previous year.
Although various kinds of fraud make up the vast majority of losses due to cyber crime, the ACSC said ransomware “remains the most destructive cyber crime threat.
“This is because ransomware has a dual impact on victim organisations—their business is disrupted by the encryption of data, but they also face reputational damage if stolen data is released or sold on.
“The public are also impacted by disruptions and data breaches resulting from ransomware,” the report stated.
The report also strongly emphasised the importance to the ACSC of the former government’s Project REDSPICE, a multi-billion dollar effort the agency said will “be pivotal to addressing future cyber threats.”
There’s a perception that the project faces greater scrutiny from new home affairs minister Clare O’Neil.
“REDSPICE will expand the range and sophistication of ASD’s intelligence, offensive and defensive cyber capabilities, and deliver forward-looking capabilities essential to maintaining Australia’s strategic advantage and capability edge over the coming decade and beyond,” the ACSC report stated.
“REDSPICE provides $5 billion in opportunities for Australian industry, including small and medium Australian enterprises.”