Australian Ports Recover From Cyber Incident
Citrix Bleed May Have Struck Again
Operations resumed Monday at four major Australian ports incapacitated by a cybersecurity incident. Dubai-based DP World took systems offline Friday, provoking what government officials called a significant outage frustrating the movement of goods in and out of the country.
The company's Australian subsidiary said it expects to move approximately 5,000 containers Monday out of the four affected ports in Brisbane, Sydney, Melbourne and Fremantle. A backlog of 30,000 containers built up during the three days in which the incident forced the stevedore to disconnect the logistics system that connects trucks with DP World, the Australian Financial Review reported.
DP World Australia handles roughly 40% of Australia's international container cargo each year. Other stevedores at the four ports were unaffected by the incident (see: Major Australian Ports Affected by Cyber Incident).
"Although port operations have resumed, it does not mean that this incident has concluded," tweeted Air Marshal Darren Goldie, Australia's newly appointed national cybersecurity coordinator.
Neither the Australian government nor DP World has revealed details about the attack. A company spokesman told the Financial Review that it has not received a ransom demand and that it doesn't foresee a need to pay extortion money.
"While I understand there is interest in determining who may be responsible for the cyber incident, our primary focus at this time remains on resolving the incident and supporting DP World to restore their operations," Goldie tweeted on Sunday.
British security researcher Kevin Beaumont said in a Mastodon post that hackers may have gotten into DP World's systems by exploiting the Citrix NetScaler vulnerability dubbed Citrix Bleed (see: Ransomware Groups Exploiting Unpatched NetScaler Devices).
A query on the internet of things search engine Shodan showed an unpatched NetScaler box on the DP World Australia network before the attack.
"It's ransomware, entry point is Citrix Netscaler #CitrixBleed," Beaumont said. Earlier this month, ransomware hackers affiliated with LockBit targeted the New York financial services subsidiary of the Industrial and Commercial Bank of China, resulting in disruptions to the U.S. Treasuries market.