  • Our Vision

    To be the trusted guardian of New Zealand's Information Assets

  • Our Goal

    No advanced, technology-borne compromise of the most significant national information infrastructures by June 2016.

NCSC Security Advisory - NCSC-ADV-2015-127


This week Mandiant published a report on the security of internet-facing routers entitled “SYNful Knock”. It is important not to forget this aspect of corporate network security: an actor who gains control of this equipment sits underneath the network's other intrusion prevention and detection systems and can bypass them completely. This could include routing other malicious traffic (including malware) across your router and accessing your information by viewing or diverting network traffic. Mandiant use the analogy of spending all your efforts defending a castle with high walls and top-grade weaponry, only for the attackers to undermine the foundations. Where the majority of attacks focus on the application layer, this form of attack is a direct assault on the network layer.

SYNful Knock

The Mandiant report describes a specific example of a router exploitation capability that the company has been investigating. In very basic terms, the actors appear to be using default, simple or easily guessed passwords to gain administrative access to particular models of Cisco routers, and then replacing the routers' operating system software (firmware) with a malicious version. Detailed advice on detecting and mitigating this particular attack can be found in their report.


General mitigation

There are several important factors to consider when setting up a new router or reviewing the security of existing equipment, including:

  • Change all default usernames and passwords – many manufacturers ship these devices with factory-set credentials that an attacker can readily find online. Use strong passwords, change them regularly, and do not re-use credentials across your estate.
  • Keep firmware up to date – check for new versions regularly, source this critical software only from the vendor or another trusted provider, and verify the image's integrity (for example, by comparing its cryptographic hash against the value the vendor publishes) before installing it.
  • Disable remote management of the router across the internet, including remote upgrade functionality, where possible; otherwise restrict, monitor and log remote access to the router, and do not forget to log out after configuring it.
  • Disable unnecessary services – every service the router exposes adds to its attack surface.
  • Enable router logging, preferably to a separate log collector, and review the logs regularly for intrusions, probes, attacks, and unexpected configuration changes or reloads. Ensure the router's real-time clock is set correctly (for example, synchronised with NTP) so that events can be correlated during later log analysis.
  • If the manufacturer offers a security notification mailing list for your router equipment, register for alerts on new vulnerabilities.
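The logging point above is easiest to act on with something that actually reads the logs. The following is an added example written for this page, not material from the NCSC advisory or from Mandiant's report: it triages syslog output modelled on Cisco IOS message formats for the events a router-compromise investigation would care about, namely a run of failed logins followed by a success, and configuration changes or reloads requested from addresses outside an assumed management subnet. The sample log lines, the 10.10.0.0/24 management network and the failure threshold are constructed assumptions for illustration.

```python
"""Triage IOS-style router syslog for signs of compromise.

Added example for this page, not code from the NCSC advisory or Mandiant's
report. The log lines are constructed samples modelled on Cisco IOS message
formats; the management subnet and threshold are assumptions for illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: legitimate administration of the router only comes from this subnet.
MGMT_NET = ip_network("10.10.0.0/24")
# Assumption: this many failed logins from one source in the reviewed window is suspicious.
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample log lines (not output from a real device).
SAMPLE_LOG = """\
Sep 16 02:10:01 edge-rtr 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 02:10:01 UTC Wed Sep 16 2015
Sep 16 02:10:03 edge-rtr 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 02:10:03 UTC Wed Sep 16 2015
Sep 16 02:10:05 edge-rtr 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 02:10:05 UTC Wed Sep 16 2015
Sep 16 02:10:07 edge-rtr 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 02:10:07 UTC Wed Sep 16 2015
Sep 16 02:10:09 edge-rtr 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 02:10:09 UTC Wed Sep 16 2015
Sep 16 02:10:11 edge-rtr 106: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.5] [localport: 22] at 02:10:11 UTC Wed Sep 16 2015
Sep 16 02:12:40 edge-rtr 107: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.5)
Sep 16 02:13:02 edge-rtr 108: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.5). Reload Reason: Reload Command.
Sep 16 09:30:15 edge-rtr 109: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.7] [localport: 22] at 09:30:15 UTC Wed Sep 16 2015
Sep 16 09:31:00 edge-rtr 110: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.0.7)
"""

# %FACILITY-SEVERITY-MNEMONIC: text  is the part of an IOS message that identifies the event.
MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
SOURCE_RE = re.compile(r"\[Source: (?P<ip>[0-9A-Fa-f.:]+)\]")   # login messages
VTY_RE = re.compile(r"\((?P<ip>[0-9A-Fa-f.:]+)\)")              # config/reload messages
USER_RE = re.compile(r"\[user: (?P<user>[^\]]+)\]|by (?P<user2>\S+) on ")


def parse_line(line):
    """Return (mnemonic, user, source_ip) for an IOS-style syslog line, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    text = m.group("text")
    src = SOURCE_RE.search(text) or VTY_RE.search(text)
    user = USER_RE.search(text)
    username = (user.group("user") or user.group("user2")) if user else None
    return m.group("mnemonic"), username, (src.group("ip") if src else None)


def triage(log_text, mgmt_net=MGMT_NET, threshold=FAILED_LOGIN_THRESHOLD):
    """Review log_text and return a list of (severity, description) findings."""
    findings = []
    failures = Counter()          # failed logins per source address
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        mnemonic, user, src = parsed
        outside = src is not None and ip_address(src) not in mgmt_net
        if mnemonic == "LOGIN_FAILED":
            failures[src] += 1
        elif mnemonic == "LOGIN_SUCCESS":
            if outside:
                findings.append(("HIGH", f"login by {user!r} from non-management address {src}"))
            if failures[src] >= threshold:
                findings.append(("HIGH", f"login by {user!r} from {src} after {failures[src]} failures (password guessing?)"))
        elif mnemonic == "CONFIG_I" and outside:
            findings.append(("HIGH", f"configuration changed by {user!r} from non-management address {src}"))
        elif mnemonic == "RELOAD":
            # A reload is how a replaced operating-system image is brought into service; always review it.
            findings.append(("HIGH" if outside else "MEDIUM", f"reload requested by {user!r} from {src}"))
    for src, n in failures.items():
        if n >= threshold:
            findings.append(("MEDIUM", f"{n} failed logins from {src}"))
    return findings


if __name__ == "__main__":
    for severity, description in triage(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

Run stand-alone it prints the findings for the sample; in practice you would feed it the collector's syslog for each device and tune the management network and threshold to your estate. A reload requested from an unexpected source is exactly the event to follow up by checking the running image against the vendor's published hashes, since a replaced firmware image has to be brought into service somehow.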

For routers that have wireless access available:

  • Do not use default SSID values, as these can reveal the make and model of router in use to an attacker.
  • Ensure the strongest available security is in use (WPA2 with AES/CCMP); do not rely on WEP or WPA with TKIP.
  • Restrict the range of the wireless network so that it does not extend beyond your premises.

NCSC Security Advisory - NCSC-EV-2015-126

Spear Phishing Emails Used for Credential Harvesting Across Multiple Government Agencies

The NCSC is aware of a recent campaign involving credential harvesting attacks in the form of spear phishing emails targeting a number of different government agencies.

The attack is delivered by a spear phishing email containing a malicious link, uses a range of social engineering techniques to fool the victim, and/or compromises legitimate email accounts to propagate further.


Refer here for the full NCSC Security Advisory - NCSC-EV-2015-126.


Windows 10 upgrade scam

A new scam relating to downloading the Microsoft Windows 10 operating system has been identified.

The email is crafted to appear to be a legitimate message from Microsoft (showing the sender as update@microsoft.com) and entices the user to download the latest version of Windows 10 from a link within the email.

If the downloaded file is run, it executes CTB-Locker, a type of ransomware which encrypts the files on the infected computer and demands payment to unlock them.

The following link will take you to an article with more information.


The NCSC advises enabling SPF record checking in your anti-spam filtering (see section 15.2.15 of the NZISM) so that email claiming to come from a domain is rejected or quarantined when it arrives from a mail server that the domain has not authorised. Note that SPF is evaluated against the envelope sender (MAIL FROM) domain rather than the From: header the user sees, so it is most effective when combined with DKIM and DMARC.
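As an added worked example for this page (not from the NCSC advisory or the NZISM), the following Python shows what the recommended SPF check actually decides: given the connecting mail server's IP address and the domain in the message's envelope sender (MAIL FROM), it evaluates that domain's published SPF record and returns the result an anti-spam filter acts on. The records it consults are a constructed stand-in for DNS TXT lookups using the reserved example domains, not any real domain's policy, and mechanisms that need further DNS resolution (include, a, mx, ptr, exists, redirect=) are reported rather than followed so that it runs offline.

```python
"""Offline SPF check of a sender IP against a domain's SPF record.

Added example for this page, not code from the NCSC advisory or the NZISM.
SPF_RECORDS is a constructed stand-in for DNS TXT lookups; the domains and
records in it are illustrative and are not any real domain's published policy.
"""
from ipaddress import ip_address, ip_network

# Constructed records (stand-in for DNS). "-all" means: anything not listed fails.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": "v=spf1 include:_spf.example.com -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Stand-in for fetching the domain's TXT records; returns its SPF record or None."""
    return records.get(domain.lower())


def check_spf(sender_ip, mail_from_domain, records=SPF_RECORDS):
    """Return the SPF result for sender_ip delivering MAIL FROM <...@mail_from_domain>.

    Result strings follow RFC 7208: pass, fail, softfail, neutral, none,
    permerror. Mechanisms needing further DNS lookups (include, a, mx, ptr,
    exists, redirect=) return temperror here because this example is offline.
    """
    record = lookup_spf(mail_from_domain, records)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism with no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]     # catch-all: the policy for every sender not listed
        if mech in ("ip4", "ip6"):
            try:
                net = ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed address or prefix in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech in ("include", "a", "mx", "ptr", "exists") or mech.startswith("redirect="):
            return "temperror"               # would need DNS; cannot be evaluated offline
        elif "=" in mech:
            continue                         # other modifiers (e.g. exp=) do not affect the result
        else:
            return "permerror"               # unknown mechanism
    return "neutral"                         # nothing matched and the record has no "all" term


def filter_action(result):
    """Map an SPF result to the action an inbound anti-spam filter would take."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")


if __name__ == "__main__":
    # First case: a message claiming to be from example.com but sent from an unrelated address.
    for ip, domain in [("203.0.113.5", "example.com"), ("192.0.2.25", "example.com"),
                       ("203.0.113.5", "example.net"), ("203.0.113.5", "nonexistent.example")]:
        result = check_spf(ip, domain)
        print(f"{ip:>15} MAIL FROM @{domain:<20} -> {result:<9} ({filter_action(result)})")
```

For a message like the one described, whose envelope sender domain does not list the sending server, the result is fail and the filter rejects it. Two caveats matter in practice: the impersonated domain must publish a restrictive record (one ending in ~all or ?all only softfails or is neutral, so the filter's policy for those results decides what happens), and a real implementation must follow include and redirect terms with DNS lookups, capped at the ten lookups RFC 7208 allows before the result becomes permerror.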

For any further assistance contact the NCSC at info@ncsc.govt.nz.


NCSC Security Advisory – NCSC-ADV-201507-0110

A leak of 400GB of corporate data from the Italian surveillance malware vendor ‘Hacking Team’ in the past week has revealed a number of Adobe Flash Player exploits [1]. Adobe has provided a patch for each of these between July 8th and July 15th, following the leak, which occurred on July 5th.

The NCSC is aware of Flash Player exploits being used in network exploitation. Recent reporting from security companies [2,3,4] has shown that high-threat APT groups have been quick to leverage the exploits and use them to compromise targets. Crimeware has also taken advantage of the new exploits; more information is available in reports online.

NCSC Advice
The NCSC advises the following actions to aid in protecting your system from these exploits:

  • Maintain up-to-date patching of operating systems, antivirus and Flash Player itself.
  • Consider disabling Flash Player in browsers until patched.
  • Explore methods of controlling access to web pages that use Flash Player; this can limit exposure to potential compromises.
  • Investigate tools like Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which applies additional exploit mitigations to applications and so increases the difficulty of exploiting vulnerabilities in software.

The NCSC also recommends following the Australian Signals Directorate (ASD) “Top four mitigation strategies to protect your ICT system” [5].


[1] Common Vulnerabilities and Exposures (CVE) identifiers:

Reporting an Incident

If your organisation has encountered or suspects a cyber-security incident, please complete and return the Cyber Security Incident - Report Form. If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form. If required, you can speak with us directly on (04) 498-7654.

Some Interesting Stats

In its third year of operation, the NCSC saw an increase in the number of cyber security incidents reported, from a total of 134 in 2012 to a total of 219 in 2013. Scam and spam related incidents were the largest category, at 30% of reported incidents. Denial of Service (DoS) attacks and botnet/malware activity were the next largest categories, at 22% and 12% of incidents respectively.

The median number of days a cyber threat was present in a victim's systems before being detected was 299, according to Mandiant’s 2013 M-Trends report. The report says 67 percent of victims were notified of the threat by an external entity. The report is available here.

Security software provider McAfee logged 200 new cyber threats every minute, according to its fourth quarter 2013 threats report. The report is available here.