Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Incident response. Show all posts

BianLian Ransomware Strikes: US Companies Grapple with Data Breach Fallout


The BianLian ransomware organization is accused of cyberattacking against three major US companies, consisting of large amounts of sensitive data. The victims of the BianLian ransomware attack—Island Transportation Corp., Legend Properties Inc., and Transit Mutual Insurance Corporation of Wisconsin—had their breaches detailed on a dark web forum by the ransomware gang.

This escalation illustrates the growing threat ransomware attacks present against important sectors across the United States.

The Targets

1. Island Transportation Corp.: A heavyweight in the bulk carrier industry, Island Transportation Corp. services the petroleum sector. Unfortunately, they fell victim to the BianLian ransomware attack, compromising a staggering 300 GB of organizational data. Among the exposed information are vital business records, accounting files, project details, and personal data.

2. Legend Properties Inc.: As a well-established commercial real estate and brokerage firm, Legend Properties Inc. found itself in the crosshairs. The attackers gained unauthorized access to 400 GB of sensitive data, including critical business information, accounting records, and personal details.

3. Transit Mutual Insurance Corporation of Wisconsin: A key player in the insurance industry, Transit Mutual Insurance Corporation of Wisconsin suffered a similar fate. The ransomware breach exposed 400 GB of organizational data, encompassing business records, accounting files, project data, and personal information.

The Broader Implications

  • Data Privacy: The compromised data includes personal information, which could lead to identity theft or financial fraud. Companies must prioritize robust data protection mechanisms.
  • Business Continuity: Disruptions caused by ransomware attacks can cripple operations. Organizations need robust backup systems and incident response plans.
  • Industry Vulnerability: No sector is immune. Whether shipping, real estate, or insurance, all must fortify their defenses against cyber threats.

Recommendations

  • Multi-Layered Security: Companies should adopt a multi-layered security approach, including firewalls, intrusion detection systems, and regular security audits.
  • Employee Training: Educate employees about phishing, social engineering, and safe online practices. Human error remains a significant vulnerability.
  • Incident Response Plans: Develop and test incident response plans to minimize damage during an attack.

The situation underscores the growing threat posed by ransomware attacks to critical sectors across the United States. 

While Island Transportation Corp.'s website remains functional, Legend Properties Inc. and Transit Mutual Insurance Corporation of Wisconsin have displayed blocking messages, indicating potential disruptions due to the attack.

MITRE Links Recent Attack to China-Associated UNC5221

 

MITRE recently provided further insight into the recent cyber intrusion, shedding light on the new malicious software employed and a timeline detailing the attacker's actions.

In April 2024, MITRE announced a breach in one of its research and prototyping networks. Following the discovery, MITRE's security team swiftly initiated an investigation, ejected the threat actor, and enlisted third-party forensics Incident Response teams for independent analysis alongside internal experts. It was revealed that a nation-state actor had infiltrated MITRE's systems in January 2024 by exploiting two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

The intrusion was detected when MITRE noticed suspicious activity from a foreign nation-state threat actor targeting its Networked Experimentation, Research, and Virtualization Environment (NERVE), which is utilized for research and prototyping purposes. MITRE promptly took NERVE offline and commenced mitigation procedures. Although investigations are ongoing to ascertain the extent of compromised information, MITRE has informed relevant authorities and affected parties while endeavoring to restore alternative collaboration platforms.

Despite MITRE's adherence to industry best practices, vendor recommendations, and governmental directives to bolster its Ivanti system, oversight led to unauthorized access into its VMware infrastructure. However, MITRE emphasized that neither its core enterprise network nor its partners' systems were impacted by the breach.

MITRE researchers identified indicators of compromise associated with UNC5221, a China-linked APT group, coinciding with the security breach. The hackers gained initial access to NERVE on December 31, deploying the ROOTROT web shell on Internet-facing Ivanti appliances.

On January 4, 2024, the threat actors conducted reconnaissance within the NERVE environment, leveraging compromised Ivanti appliances to access vCenter and communicate with multiple ESXi hosts. Subsequently, the attackers utilized hijacked credentials to infiltrate accounts via RDP, accessing user bookmarks and file shares to probe the network and manipulate VMs, compromising the infrastructure.

Further malicious activities ensued, including deploying the BRICKSTORM backdoor and the BEEFLUSH web shell on January 7, 2024, facilitating persistent access and arbitrary command execution. The hackers maintained control through SSH manipulation and script execution, exploiting default VMware accounts and establishing communication with designated C2 domains.

Additional payloads, such as the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration, were deployed on the target infrastructure. Despite attempts at lateral movement between mid-February and mid-March, the threat actors failed to compromise other resources beyond NERVE.

MITRE concluded its update with malware analysis and Indicators of Compromise for the involved payloads, highlighting the adversary's persistent attempts to infiltrate and maintain control within the network.

Data Breach at Giant Tiger: Protecting Customer Information in the Digital Age

Data Breach at Giant Tiger: Protecting Customer Information in the Digital Age

In an increasingly interconnected world, data breaches have become a recurring nightmare for organizations of all sizes. The recent incident at Giant Tiger Stores Ltd., a popular discount retailer based in Ottawa, serves as a stark reminder of the importance of safeguarding customer information.

The Breach

On March 4, Giant Tiger discovered that its customer data had been compromised. The breach affected various categories of customers:

Email Subscribers: Names and email addresses of those who subscribe to Giant Tiger emails.

Loyalty Members and Online Orders: Names, emails, and phone numbers of loyalty members and customers who placed online orders for in-store pickups.

Home Delivery Orders: Some customers who placed online orders for home delivery may have had their street addresses compromised.

Thankfully, no payment information or passwords were part of the data breach. However, the incident highlights the vulnerability of customer data and the need for robust security measures.

Third-Party Vendor Involvement

Giant Tiger’s breach was linked to a third-party vendor. While the retailer did not disclose the vendor’s name, it relies on this external partner for managing customer communications and engagement. This situation underscores the risks associated with outsourcing critical functions to third parties. Organizations must carefully vet their vendors and ensure they adhere to stringent security protocols.

The Fallout

The fallout from a data breach can be severe:

Reputation Damage: Customers trust companies with their personal information. When that trust is violated, it erodes brand reputation. Giant Tiger now faces the challenge of rebuilding customer confidence.

Legal and Regulatory Consequences: Data breaches often trigger legal and regulatory investigations. Organizations may face fines, lawsuits, and compliance requirements. In Giant Tiger’s case, the breach occurred in Canada, where privacy laws are stringent.

Financial Impact: Remediation efforts, legal fees, and potential compensation to affected customers can strain an organization’s finances. Moreover, the cost of reputational damage can be immeasurable.

Mitigation Strategies

To prevent such incidents, companies must adopt proactive measures:

Vendor Risk Assessment: Regularly assess third-party vendors’ security practices. Understand their data handling processes and ensure they align with your organization’s standards.

Encryption and Access Controls: Encrypt sensitive data and limit access to authorized personnel. Implement robust access controls to prevent unauthorized entry.

Employee Training: Educate employees about cybersecurity best practices. Human error remains a significant factor in data breaches.

Incident Response Plan: Have a well-defined incident response plan in place. Swift action can minimize damage and protect customer trust.

Transparency and Communication

Giant Tiger’s response has been commendable. They hired cybersecurity experts for an independent investigation and promptly informed affected customers. Transparency is crucial during a breach. Customers appreciate honesty and timely updates.

Cyberattack Responses at MGM and Caesars Required Brutal Actions

 

Twin assaults on MGM Resorts and Caesars Entertainment have offered an unusual perspective at what happens when two comparable organisations, under similar attack by the same threat actor, use divergent incident response techniques. 

Both parties in this case were the victims of a cyberattack called Scattered Spider /ALPHV. Caesars was able to resume operations very soon after engaging in a fast negotiation with the cyber attackers and paying a $15 million ransom demand. 

However, MGM firmly refused to pay and only recently declared that its operations had resumed after more than 10 days of operational downtime at its hotels and casinos, costing the company tens of millions of dollars in lost income. 

Although it may be tempting to judge which strategy was superior, experts believe that any direct comparison of the Caesars and MGM responses to the incident is oversimplified. 

As an example, Rob T. Lee, chief curriculum director and faculty lead at SANS Institute, emphasises that the fundamental idea behind incident response is to strive to make the "least worst decision." And this is typically a difficult choice with both favourable and unfavourable (some would say harsh) consequences.

He explains, "many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no 'win' in these situations, only decisions that can prevent it from worsening."

Caesars or MGM: Who was right? It's complex 

One of those difficult decisions incident responders are pressed to make under pressure is whether or not to pay a ransom after a hack. It is commonly known that paying a ransom does not ensure data security or system restoration.

Even worse, it encourages more attacks by establishing a market for these cybercrimes. Business risk decisions, however, don't always boil down to black-and-white choices of right or wrong, and expediency is always a factor.

"Caesars' more rapid recovery post-ransom might give the impression they made a better decision," stated Callie Guenther, senior manager of cyber threat research at Critical Start. "From a business continuity perspective, their decision to pay might seem effective." 

The chief security scientist of Delinea and advisory CISO Joseph Carson argues that there are other issues at play. Companies that deliberate over their choices may come to the conclusion that forgoing payment makes more sense. 

According to his observations, organisations only have a four-day opportunity to reach a compromise with ransomware threat actors before views on both sides harden. After that, ransomware attackers often lose patience and enterprise security teams tend to grow entrenched in their positions. 

Another factor to consider is the cost of recovery. If recovery is unsettling but only costs a few million dollars, it may be a better option than an eight-figure extortion payment, Carson added.

Boost Cybersecurity: HR's Key Role in Guarding Your Business

 

If your company were to fall victim to ransomware today, whom would you contact? Or perhaps a more pertinent question: How would you go about contacting them? 

This scenario might appear ludicrous, there are  instances where organizations have been immobilized during the initial hours following a breach simply due to the absence of readily available contact information. 

With email and messaging systems rendered inaccessible, communication grinds to a halt, causing confusion among employees, customers, and suppliers alike. What begins as mild panic rapidly escalates into a full-blown crisis.

Commonly, people tend to associate cybersecurity exclusively with the IT or security department. However, safeguarding your company hinges on two crucial factors: the prevailing organizational culture and meticulous planning. This is precisely why some of the most pivotal players in the realm of cyber defense aren't housed within the IT team – they reside within the human resources (HR) department.

The HR team occupies a unique vantage point, enabling them to seamlessly integrate cybersecurity preparedness into the daily operations of an organization. 

Their responsibilities encompass establishing policies and processes to mitigate risks and fostering a business environment equipped to withstand foreseeable challenges, cyberattacks included. Notably, HR teams are also prime targets for hackers, given their role as custodians of sensitive personal information belonging to employees.

Regrettably, the significance of this role often goes unnoticed. Thus, sharing five strategies by which HR can fortify your business against cybercriminals.

1. Foster a Culture of Cybersecurity

Maintaining eternal vigilance is the requisite price for preserving our liberty to navigate the internet. The sheer volume of threats is staggering – recent findings indicate that educational institutions fend off over 2,300 intrusion attempts on average each week, while healthcare organizations combat more than 1,600 attacks. Given the barrage of digital threats, capturing them all becomes an incredibly daunting task. Yet, a robust cybersecurity culture equips an organization to counter these attacks and minimize the scope of damage when they do breach defenses. The challenge lies in uniting everyone under a shared understanding of appropriate online conduct.

To initiate this process, it is imperative to provide training tools that equip employees with the knowledge of permissible and prohibited online behaviors. Most organizations excel in this aspect. However, the implementation of this information on a daily basis often falls short.

The most effective means of ingraining cybersecurity as an integral aspect of individual responsibilities is its incorporation into performance evaluations. Rather than chastising employees for inadvertently clicking on dubious links, the approach should be constructive, focusing on how they uphold their cyber literacy training. Cyber health-check tools can be employed by workers to analyze their online conduct and address vulnerabilities (such as employing identical passwords across multiple platforms or neglecting two-factor authentication). Moreover, these tools can be harnessed to monitor the progress towards cybersecurity objectives at an organizational level.

Regular discourse on safety measures will seamlessly integrate them into the modus operandi of your business.

2. Safeguard Sensitive Information

HR assumes custodial responsibility for some of the most sensitive data within an organization – a fact not lost on hackers. Over the past half-decade, numerous companies have embraced platforms that empower employees to independently manage routine tasks such as vacation requests. However, these third-party platforms carry inherent risks. Cybercriminals often target them through supply chain attacks, cognizant of the potential to access vast troves of data from multiple organizations. In 2021, a widely-used file transfer system fell victim to a breach, compromising over 300 organizations. The University of California was among those affected, with exposed information spanning employees' social security numbers, driver's licenses, and passport details (prompting the UC system to provide its staff with complimentary ID monitoring services).

Primary among the duties of HR professionals is to ensure the confidentiality of employee data. Rigorous due diligence is essential before enlisting the services of any third-party HR provider. Preference should be accorded to entities conforming to international standards (notably SOC 2 and ISO 27001), while online research should uncover any past security incidents associated with the provider. It is equally vital to ascertain the storage and backup mechanisms employed for your data. Depending on your geographical location and industry, compliance with data residency regulations may be obligatory.

3. Rationalize Data Retention Policies

Updating the data retention policy should be a priority for every HR department. Even if your organization's policy isn't documented, a policy nevertheless exists – the default being the indefinite retention of all data. This exposes you to significant risks. The severity of a breach is exacerbated by the volume of data at stake, especially if you retain unnecessary data. Many jurisdictions stipulate limits on the duration for which companies should retain sensitive information – typically around seven years for records pertaining to former employees.

4. Appoint an Incident Commander

While cybersecurity constitutes an ongoing collective responsibility, a designated individual should assume leadership during a breach. In cybersecurity parlance, this figure is known as the incident commander. Despite diverse perspectives on the most suitable course of action, decision-making authority rests with the incident commander.

The qualifications for an incident commander are succinct: they should possess a profound understanding of cybersecurity matters within your organization. Depending on the size of your enterprise, this individual could be a cybersecurity expert, the head of IT, or even an individual like Joanne from the accounting department, provided she has undergone relevant training. Regardless of the appointee's identity, their role should be pre-established, communicated clearly to your team, and ready to be activated in the event of an incident. Given the swiftness with which cybersecurity events unfold – exemplified by instances where hackers gave a mere 45-minute warning prior to disclosing sensitive information – identifying the incident commander ahead of time is critical to minimizing response delays.

5. Conduct Preparedness Drills

Effective cybersecurity hinges on both planning and practice. Numerous studies underscore the fact that individuals struggle to make sound decisions under stress. Much like fire or earthquake drills provide a framework for emergencies, the same principle applies to cybersecurity incidents. Allocate a two-hour window annually to execute a tabletop exercise involving key personnel, simulating the actions to be taken in the event of a hack. During these drills, a designated moderator outlines the attack's nature and scope, while participants collaboratively devise their responses.

Initial attempts at conducting such exercises may result in confusion, yet this is by design. The ensuing scramble highlights deficiencies in your strategies. Over time, these drills become second nature, enhancing your organization's capacity to effectively respond to cyber threats.

The Risks of Automatic Updates: A Closer Look at the Malicious 3CX Update

3CX Malicious Update

On March 31, 2023, several companies reported that their 3CX phone systems had suddenly stopped working. Upon investigation, they found that their systems had been compromised by a malicious software update delivered by 3CX's automatic update system. In this blog, we'll take a closer look at the incident and explore the lessons that can be learned from it.

The 3CX Incident: How It Happened

The attackers had managed to gain access to 3CX's update servers and replace a legitimate software update with a malicious version. This update, which was automatically installed on thousands of 3CX systems, contained a backdoor that gave the attackers full access to the compromised systems. They were able to steal sensitive data, listen in on calls, and even make unauthorized calls.

The Risks of Automatic Updates

The incident highlights the risks associated with automatic software updates, which are designed to keep systems up to date with the latest security patches and bug fixes. While automatic updates can be a convenient way to keep systems secure, they can also be a vector for malware and other malicious software.

In the case of the 3CX incident, the attackers were able to compromise the update system itself, which meant that even systems that were fully up to date were still vulnerable to the attack. This is a particularly worrying development, as it means that even the most security-conscious organizations may be at risk if their software vendors are compromised.

The Importance of Multi-Layered Security Measures

The incident also highlights the importance of multi-layered security measures. While automatic updates can be an important part of an organization's security strategy, they should not be relied upon as the sole defense against attacks. Other measures, such as regular vulnerability scanning, threat intelligence monitoring, and user training, can help to reduce the risks associated with automatic updates.

Organizations should also ensure that they have a robust incident response plan in place, which includes procedures for dealing with unexpected software failures or security breaches. This can help to minimize the impact of a security incident and ensure that systems are quickly restored to normal operation.

Evaluating Third-Party Software Security

Finally, organizations should carefully evaluate the security risks associated with any third-party software they use, including the software update mechanisms. Vendors should be asked about their security practices and measures, such as encryption, authentication, and monitoring, to ensure that their systems are protected against attacks.

3CX's Response

In response to the incident, 3CX has released a statement urging all users to immediately update their systems to the latest version, which includes a fix for the backdoor. They have also announced that they are conducting a full investigation into the incident and working with law enforcement to identify the attackers.

The 3CX incident is a stark reminder of the importance of multi-layered security measures and the risks associated with automatic software updates. While automatic updates can be a convenient way to keep systems up to date with the latest security patches and bug fixes, they can also be a vector for malware and other malicious software.

Organizations should carefully evaluate the security risks associated with any third-party software they use and take a proactive approach to security, including regular vulnerability scanning, threat intelligence monitoring, and user training. With the right security measures in place, organizations can help to reduce the risks associated with automatic updates and ensure that their systems remain secure against cyber threats.