An Update on Recent Major Breaches

2021 has already been the year of unprecedented cyber attacks. What they increasingly have in common is a supply chain aspect which may or may not be exploited. When the supply chain aspect is exploited in a technological way, then customers' and partners' systems might also become compromised. Alternatively, in the case of a physical goods supply chain, delivery of the good is disrupted, whether gasoline or beef, fear-based hoarding and price spikes may result.

The supply chain aspect is something every company needs to consider from both upstream and downstream perspectives. Even if third-party systems are not compromised by a breach, their data may be and if it is, those parties might become the victim of a triple ransom.

Following are a few updates to our biggest Incident of the Week (IOTW) stories this year so far, including:

• SolarWinds
• Microsoft Exchange
• Colonial Pipeline
• JBS
• Kaseya

• With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

  Join Now

  SolarWinds

  In December 2020, news surfaced that IT monitoring and management tools provider SolarWinds had been the victim of a cyber attack masquerading as a software update. Hackers injected malicious code into a genuine update which was downloaded by approximately 18,000 customers. 

  The Biden administration responded with sanctions against Russia and a pledge to step up America's cyber security capabilities. More than a hundred organizations including Cisco, Intel and Microsoft were affected, along with government agencies including the Cybersecurity and Information Security Agency (CISA). FireEye discovered the malicious code and alerted SolarWinds to its existence.

  Update: NPR reported that the threat actors had breached SolarWinds nine months before the hack, identifying targets among other things. The hackers who are believed to be directed by the Russian secret service were said to "move like ghosts" undetected in the network or software update. They even covered their tracks. In May, Microsoft identified the threat actors as Russian hacking group Nobellium.

  In July, the U.S. Department of Justice (DOJ) revealed that 27 US attorneys' email accounts had been compromised from May 7, 2020 until December 27, 2020 and that the department was treating the threat as if all email associated with those accounts was involved. On a web page, the DOJ said, "The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time. While other districts were impacted to a lesser degree the [Advanced Persistent Threats] group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys' offices located in the Easter, Northern, Southern, and Western Districts of New York. The Executive Office for U.S. Attorneys has notified all impacted account holders and the Department has provided guidance to identify particular threats."

• Microsoft Exchange

  Security firm Volexity uncovered a Microsoft vulnerability that allowed hackers to take advantage of an Exchange Server flaw. Beginning in January, the threat actors had been planting web shells that enable administrative access and the ability to steal data. The 60,000 victims were targeted through their self-hosted Outlook Web Access manager. Cloud-based Outlook accounts remained secure. 

  Hacking efforts spiked when Microsoft issued a patch on March 3. However, by that time, other hackers were also taking advantage of the vulnerability. Worse, the hacking campaigns were automated which affected companies across industries.

  Microsoft blamed the attack on Hafnium, a Chinese state-sponsored hacking group. In April, The Department of Justice issued a warrant enabling the U.S. Federal Bureau of Investigation (FBI) to copy and remove web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations. Then in mid-August, a new worry surfaced which is that hackers are combining three Microsoft Exchange vulnerabilities to circumvent authentication, obtain higher user rights and execute malicious code. Those attacks cause Microsoft Exchange servers to become completely compromised.

• Colonial Pipeline

  Colonial Pipeline was shut down on May 6 by a ransomware attack by DarkSide, a Robin Hood-like hacking group. Private companies working with U.S. government agencies shutdown the cloud servers from which the attacks on the Colonial Pipeline and 12 other companies were launched. They also retrieved the stolen data which was bound for Russia.

  The Colonial Pipeline stretches from Texas to the Northeast, delivering about 45% of the fuel consumed by the East Coast was fully restored by May 12, but not before panic-stricken consumers started hoarding gas and complaining about price gouging.

  Reuters reported that the hackers stole more than 100 GB of data. The company paid $5 mn in Bitcoin, $2.3 mn of which was recovered by the U.S. government. 

• JBS

  Major international beef and pork producer JBS was hit with a ransomware attack on May 30 that affected its U.S., Australian and Canadian plants, albeit for only a few days. Its operations in Mexico and the UK were not impacted. According to CNN, the U.S. Department of Agriculture tried to alleviate the potential supply chain impacts by asking other meat processors to accommodate additional capacity. In the meantime, JBS told U.S. government officials that the ransom demand likely came from REvil a criminal organization with ties to Russia.

  Even though JBS was able to get most of its systems running with two days, it paid an $11 mn ransom "to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated."

• Kaseya

  On July 2, U.S. IT management software provider Kaseya was attacked by Russian hacking group REvil. Since Kaseya sells its software to IT departments and MSPs. Those MSPs and their customers became potential secondary and tertiary targets, respectively. One of the hardest hit was Swedish Coop grocery store, which had to close 800 stores because it couldn't accept payments via cash registers. Engadget said 40 cybersecurity contractors' systems and subsequently hundreds of businesses had been hit over the holiday weekend.

  Kaseya did not pay the ransom, though it obtained a universal decryption software that worked. However, before sharing the software with its customers, its customers were required to sign a non-disclosure agreement.