Port operator DP World Australia is facing criticism for its failure to address a critical IT vulnerability, leading to a recent cyber attack.

Cybersecurity analysts say DP World's IT systems recently succumbed to the CitrixBleed exploit, a vulnerability marked “critical” by the Australian Cyber Security Centre (ACSC). 

Despite a patch being available for over a month prior to the attack, the company suffered data breaches resulting in the closure of four major Australian ports for days, leaving 30,000 containers stranded.

Analysts say they strongly suspect CitrixBleed as the likely entry point, allowing attackers to gain an initial foothold in the network. It is also believed that the breach occurred as part of a global mass exploitation event involving ransomware gangs.

DP World - otherwise known as Dubai Ports - is reportedly being advised by cybersecurity firm CyberCX, which has claimed that no ransom request had been received. Unions dispute this claim.

In the face of rising global cyber threats, the Australian Signals Directorate (ASD) and other international cyber agencies stress the importance of timely patching as a cost-effective step to minimise exposure to cybersecurity threats. 

ASD recommends entities patch critical vulnerabilities within 48 hours of assessment.

The Maritime Union of Australia is urging Minister for Home Affairs Clare O'Neil to launch a government investigation into DP World's knowledge about the cyber attack risks.

The union has criticised DP World for neglecting a well-known cybersecurity gap, resulting in a severe supply chain crisis.

It also says that the company's lack of communication regarding the data breach's extent and impact on employee records raises concerns, and has called on DP World to address workers' concerns and the cybersecurity gap instead of implementing pay cuts and changes to employment agreements.

While the Department of Home Affairs is reportedly working with DP World to investigate the incident, it remains silent on DP World's cyber hygiene. 

However, Minister for Cybersecurity Clare O'Neil has labelled Australia's cybersecurity laws as “useless”, and called for improved emergency response capabilities following recent data breaches.