Major Cyber Incidents
Recent Cyber Attacks Hit Infrastructure and Critical Facilities
Ransomware attacks on Colonial Pipeline, JBS Foods, and other major organizations made headlines in 2021, and show no sign of slowing down. Across the world, hackers are exploiting security weaknesses and holding the data of companies, governments, and healthcare organizations hostage, sometimes demanding tens of millions of dollars in payment.
How is Ransomware Defined?
According to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency. “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.
1) Healthcare Ransomware
During times of crisis, many hackers take advantage of upheaval and disorder and look for potential monetary gain. With the onset of the COVID-19 crisis in 2020, there was increased attention on cyber-attacks in the healthcare space. A study by Comparitech(opens in a new tab) has shown that ransomware attacks had a huge financial impact on the healthcare sector, with over $20 billion lost in impacted revenue, lawsuits, and ransom paid in 2020 alone. Over the course of the year, over 600 hospitals, clinics, and other healthcare organizations were impacted by 92 ransomware attacks.
2) COLONIAL PIPELINE
Of all of the cyber and ransomware attacks in 2021, the breach of Colonial Pipeline in late April had the most news coverage. As Touro College Illinois Cybersecurity Program Director Joe Giordano notes, “The Colonial Pipeline attack made such an impact because the pipeline is an important part of the national critical infrastructure system. Taking the system down disrupted gas supplies all along the East Coast of the United States, causing chaos and panic.
3) BRENNTAG
At around the same time in early May 2021, the same notorious hacker group that targeted Colonial Pipeline, Dark Side, also targeted Brenntag, a chemical distribution company. After stealing 150 GB worth of data, Dark Side demanded the equivalent of $7.5 million dollars in bitcoin.
Brenntag soon caved to the demands and ended up paying $4.4 million. Although it was a little more than half of the original demand, it still stands as one of the highest ransomware payments in history.
4) ACER
Also in May this year, the computer manufacturer Acer(opens in a new tab) was attacked by the REvil hacker group, the same group responsible for an attack on London foreign exchange firm Travelex. The $50 million ransom stood out as the largest known to date. REvil hackers exploited a vulnerability in a Microsoft Exchange server to get access to Acer’s files and leaked images of sensitive financial documents and spreadsheets.
5) JBS FOODS
Although Spring 2021 held hopeful news for the end of the pandemic, the increased trend of cyber-attacks that began in 2020 showed no signs of slowing down. Another high-profile ransomware attack took place this May on JBS Foods, one of the biggest meat processing companies in the world. The same Russia-based hacking group that attacked Acer, REvil, is thought to be behind the attack.
Although there weren't any major food shortages because of the attack, government officials told consumers not to panic buy meat in response. On June 10th, it was confirmed that JSB paid the $11 million ransom demand after consulting with cybersecurity experts. This massive payment in bitcoin is one of the largest ransomware payments of all time.
6) QUANTA
As with the Acer attack, the REvil gang also demanded a $50 million ransom from computer manufacturer Quanta in April. Although Quanta may not be a household name, the company is one of Apple’s major business partners. After the firm refused negotiations with the hacker group, REvil targeted Apple instead. After leaking Apple product blueprints obtained from Quanta, they threatened to release more sensitive documents and data. By May, REvil seemed to have called off the attack.7) NATIONAL BASKETBALL ASSOCIATION (NBA)
Businesses and organizations from all different kinds of industries are targeted by ransomware attacks. One of the more surprising on the list this year was the National Basketball Association (NBA). In mid-April of this year, the hacker group Babuk claimed to have stolen 500 GB of confidential data concerning the Houston Rockets. Babuk warned that these confidential documents, including financial info and contracts, would be made public if their demands were not met. As of this posting, no ransom payments have been made.
8) AXA
This May, the European insurance company AXA was attacked by the Avaddon gang. The attack happened soon after the company announced important changes to their insurance policy.
Essentially, AXA stated they would stop reimbursing many of their clients for ransomware payments. This unique (and somewhat ironic) attack on a cyber-insurance firm made headlines and the hacker group gained access to a massive 3 TB of data.
9) KASEYA
The same hacker group that targeted Acer, Quanta, and JBS Foods, again made headlines in July with an attack on Kaseya. While not a name commonly known by consumers, Kaseya manages IT infrastructure for major companies worldwide. Like the attacks on Colonial Pipeline and JBS Foods, this hack had the potential to disrupt key areas of the economy on a large scale.
Cybersecurity Incidents
1) Phishing attack: Twitter
Attackers may easily masquerade as someone you trust.
According to the 2021 Verizon Data Breach Investigations Report, in 80% of social engineering- related incidents, phishing is to blame. Furthermore, this cyberattack technique was used in 36% of breaches in 2020, the year Twitter also became the victim of a severe phishing attack.
In mid-July 2020, Twitter suffered a massive spear-phishing attack. Cybercriminals compromised the social network’s admin panel, got control over accounts of famous Twitter users, both private and corporate, and staged a fake Bitcoin giveaway on their behalf.
Posing as the company’s IT department specialists, hackers contacted several of Twitter’s remote workers and asked for their work account credentials. This data helped the attackers gain access to the social network’s administrator tools, reset Twitter accounts of several dozen public figures, and post scam messages.
What can we learn from this phishing attack?
Establishing a cybersecurity policy with clear instructions is important, but it may not be enough. Organizations should also conduct regular training to help their employees fully comprehend key rules of that policy and increase their overall cybersecurity awareness. If your employees know things such as exactly who can reset their passwords, how, and under which circumstances, they will be less likely to fall into scammers traps.
2) Privilege abuse: Microsoft
Sometimes, people misuse the privileges granted them.
Organizations have a lot of users with elevated privileges: admins, technical specialists, management, and so on. Some of them are only able to access some critical resources, like specific databases or applications. Others might have full access to every system in the network and even be able to create new privileged accounts without drawing anyone’s attention.
Unfortunately, it’s hard to detect if a user with elevated access rights abuses their privileges. Such IT security incidents can remain unnoticed for months or even years, as in the case of Microsoft.
What can we learn from this incident of privilege abuse?
There are different ways for organizations to successfully prevent their employees from misusing privileged accounts. In particular, you can secure such accounts with multi-factor authentication (MFA), one-time passwords, and manual approval of access requests. Many organizations also have privileged accounts used by several people, like admin or service management accounts. In this case, you can use secondary authentication tools to distinguish actions of individual users performed under such accounts.
Also, make sure your privileged users (except for admins) can’t create new privileged accounts or elevate permissions for regular accounts. This way, you can prevent them from creating backdoors to your network.
3) Trend Micro
Japan-based Trend Micro, one of the world’s largest cybersecurity software vendors, faced a severe cybersecurity incident in 2019 when one of their employees sold a large database of customer data to a third party.In early August 2019, Trend Micro got reports that some of their customers were receiving fraudulent calls in which unknown attackers posed as the company’s technical support members. An investigation showed that a malicious employee bypassed internal defences and gained access to the customer support database, containing information such as customer names, email addresses, and, in some cases, phone numbers. However, the company claims that no financial or credit card information was stolen in the attack.
4) Shopify
In 2020, the famous e-commerce platform Shopify became the victim of an insider attack. Two Shopify employees were paid to steal transaction records of almost 200 online merchants. Malicious insiders sent screenshots and Google Drive links with customers’ data to the cybercriminal who hired them.
According to the company’s statement, customer data of the compromised merchants may have been exposed, including basic contact information and order details. Shopify claims that no sensitive personal and financial information was affected by the incident, as the attackers didn’t have access to it.
What can we learn from these instances of insider data theft?
The first step towards securing your organization’s sensitive data is limiting users’ access to it. Make sure that only a strictly limited circle of people have access to the most important resources.
Consider implementing the principle of least privilege to establish robust access management and protect your critical systems and valuable data from possible compromise.
Dedicate enough time and resources to building a robust incident response routine. Look for a solution that allows you to configure custom rules and alerts as well as configure automated responses to certain events. For example, if your cybersecurity solution can automatically block a suspicious user or process right after its detection, it may help you stop a potential attack from spreading.
Also, consider deploying copy prevention or USB management solutions that would make copying sensitive data or using an unapproved USB device impossible for your employees.
5) Apple
In 2018, the source code of iBoot, the key program responsible for loading the iOS operating system, was made publicly available on GitHub. An investigation discovered that the published code was stolen by an Apple intern who worked at the company’s headquarters in Cupertino in 2016.
The malicious insider stole the iBoot source code for iOS 9 and shared it with a small group of friends from the jailbreaking community. Initially, the group didn’t plan to share this code with anyone else, but over time, the distribution of the stolen code got out of their control.
6) Coca-Cola
You Xiaorong, a 56-year-old Chinese engineer, has been accused of stealing Coca-Cola’s trade secrets, estimated to be worth almost $120 million. You Xiaorong is believed to have gained access to the bisphenol-free (BPA-free) plastic formula owned by Coca-Cola and several other companies and to have passed the materials related to it to a Chinese organization.
From 2012 to 2017, Xiaorong You worked as a chief engineer at a Coca-Cola affiliate in Atlanta, where she was involved in developing and testing BPA-free technology. While still working at the company, she uploaded information about the technology to Google Drive. Sensitive documents whose downloading might have been detected by the information security team she simply photographed on her smartphone.
Third-party vendor attacks: Jet2 and Capital One
Subcontractors often have the same access rights as internal users.
Working with subcontractors and third-party vendors is a norm for today’s organizations. However, granting third parties’ access to your network is always associated with additional cybersecurity risks.
1) Jet2
In 2018, a former subcontractor illegally gained access to the domains of Dart Group PLC and its subsidiary Jet2, one of the largest airlines in the UK. Using a printer service account on the Jet2 internal network domain, the attacker initiated a remote desktop session and accessed a file folder with the airline’s employee credentials.
The man deleted all data from the compromised folder, thus disabling more than 2,000 people from accessing their online accounts and corporate email service. Trying to cover his tracks, the perpetrator also deleted the network logging software, which led to the shutdown of Jet2 services for over 12 hours and cost the company about $215,000.
2) Capital One
The financial company Capital One reported a massive leak of client information as a result of a database hack caused by a former employee of their cloud hosting provider, Amazon Web Services.
The data breach was executed by a former Amazon Web Services employee who used a misconfigured web application firewall to get access to Capital One’s sensitive data. As a result of the incident, the records of over 100 million people were compromised. The leaked data included applicant names, phone numbers, addresses, social security numbers, and bank account numbers.
What can we learn from these third-party vendor attacks?
When choosing a third-party vendor, pay attention to the cybersecurity policies they already have in place and the regulations they comply with. If some cybersecurity practices critical to your organization aren’t implemented by a potential subcontractor, make sure to add a corresponding requirement to your service-level agreement. For instance, the Jet2 incident could have been prevented if the subcontractor made sure to revoke access for fired employees.
Make sure to limit a subcontractor’s access to your critical data and systems to the extent necessary for doing their job. Also, deploy monitoring solutions to see who does what with your critical data. Keeping records of third-party user activity enables fast and thorough cybersecurity audits and incident investigations.
To enhance the protection of your most critical assets, apply additional cybersecurity measures like MFA, manual login approvals, and just-in-time privileged access management.
