Monthly Breach Report: June 2021 Edition

Ransomware and cybersecurity were certainly a hot topic in the United States during the month of May when a cyberattack forced operations at Colonial Pipeline to shut down. The pipeline provides around 45 percent of the fuel for the East Coast, and its temporary shutdown led to shortages at gas pumps as customers began to panic-buy. In the end, Colonial paid out a ransom of $4.4 million USD in Bitcoin for a key to unlock their files, which still wasn’t enough to immediately restore the pipeline’s systems. While the fuel flow has been restored, the impact of the attack and shut down will be longer lasting.

The Colonial Pipeline breach was some of the biggest cyberattack news of the month, but it wasn’t the only attack that occurred, nor was it the only ransomware attack. Here are some of the other big breach stories from May.

 

Another Capitol Attack

“Ransomware” was a hot topic in May. Another ransomware gang—separate from the Colonial Pipeline attacker group—got into Washington D.C.’s Metropolitan Police Department and on May 11, published detailed information on 22 different officers in an attempted extortion. Both current and former officers were affected, and the leaked information included granular details such as Social Security numbers, results of psychological assessments, fingerprints, polygraph test results, and even residential, financial, and marital history. A report on one officer can range from 100 – 300 pages long.

The department’s first hack occurred in April, with five published profiles that were taken down when negotiations began. Negotiations soon fell apart, and the 22 profiles were released soon after.

While a different group than the ransomware attack on the Colonial Pipeline, both ransomware gangs are Russian-speaking outfits and part of a larger trend of ransomware attacks. Metropolitan PD has engaged the FBI to fully investigate the matter and has offered all MPD members free credit monitoring.

Sources

• NBC News
• Vice

 

Ransomware Strikes Insurer AXA

Avaddon ransomware group claimed to have stolen 3 TB of sensitive data from branches of insurance provider AXA located in Thailand, Malaysia, Hong Kong, and the Philippines. The exact date of the attack is not known, however AXA’s websites were hit with a Distributed Denial of Service (DDoS) that made them inaccessible for several hours on May 15. These DDoS attacks are a recent trend with ransomware groups, first observed as a leverage point back in October 2020.

AXA was given about 10 days to cooperate with Avaddon before the ransomware group would begin leaking the data, which includes medical reports (some containing sexual health diagnoses), claims, payments, customer bank account scanned documents, restricted physician information, national ID cards, and passports.

AXA has assembled a dedicated task force to investigate the incident and has informed regulators and business partners of the attack. As investigators confirm any release of sensitive data, the affected businesses and individuals will be notified and offered support. Just prior to this attack, both Australia and the US both warned of ongoing and escalating Avaddon ransomware campaigns.

Sources

• Bleeping Computer
• Heimdal Security

 

Bose Sounds off on Ransomware Too

Yet another ransomware attack was disclosed by Bose Corporation in May. In its official filed notification letter, Bose stated that in early March it had “experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware.”

Unlike Colonial Pipeline, the consumer electronics company did not make ransom payments, instead choosing to hire external security experts to restore any impacted systems, along with forensic experts who could determine if any data was accessed or exfiltrated in the attacks. “We recovered and secured our systems quickly with the support of third-party cybersecurity experts,” said Media Relations Director Joanne Berthiaume.

Notices were sent to the few impacted individuals—including current and former employees whose information was pulled from a stored spreadsheet—and Bose is confident that no other disruption will occur from the attack.

Other experts have expressed concern over Bose’s lengthy response time to the attack, citing that it could have further endangered affected individuals. Nevertheless, Bose confirms only six individuals were impacted and is continuing to work with the FBI and data experts to monitor for leaked data.

Sources

• Bleeping Computer
• ZDNet

 

Ransomware Robs Research

A research student learned some lessons the hard way after what they thought was a “free” version of a data visualization tool turned out to be malware. Instead of helping visualize data, the malware instead used keystroke harvesting to steal browser, cookie, and clipboard data along with the student’s login information for the research institute. The agency behind the malware then registered a remote desktop protocol connection, and ten days later, Ryuk ransomware launched in the system.

The result? Between the ransomware, a lack of security measures such as two-factor authentication, and the student disabling the firewall to install the free software, a European biomolecular research institute that was working on COVID-19 research lost an entire week’s worth of vital research data. On top of the data loss, the organization also had to perform ground-up rebuilds on all their computer and server files in order to restore the data.

Security experts agree that the pirated software operators likely sold their network access to the agency that deployed the Ryuk attack. They also agree that ransomware attacks are going to continue ramping up in quantity and viciousness. Consider that this group in question targeted a research organization during a pandemic.

These same experts recommend plentiful defensive mechanisms such as multi-factor authentication for VPN and cloud services, regular data backups, account permissions limitations, and incident preparedness.

In the meantime, the month of May could be a harbinger of what’s to come in the frequency and audacity of ransomware attacks.

Sources

• Threatpost
• Infosecurity Magazine

 

Mercari in the Market after Hack

Not every attack this month was ransomware, but they were nonetheless just as debilitating: A large supply-chain attack on code coverage tool Codecov that lasted for two months included a significant impact on popular ecommerce platform Mercari. The publicly traded online marketplace started in Japan, and has since expanded to both the US and the UK.

During the two months that Codecov was under attack, threat actors modified a tool to exfiltrate sensitive information like keys, tokens, and credentials, breaching hundreds of customer networks, including Mercari. The online marketplace confirmed in May that tens of thousands of customer records were exposed between April 13 and April 18 during the Codecov breach. Compromised records include 17,085 sale records from 2014, 7,966 business partner records, 2,615 employee records, and 217 customer service support cases.

Mercari has since contacted all individuals whose information was compromised and notified the appropriate authorities. They have also purged all their information from Codecov.

Sources

• Bleeping Computer
• E Hacking News
• Cyware

 

Data Breach Tries for a Piece of the Pie

Attackers delivered a massive data breach to Domino’s India, exposing the details of 180 million orders placed via mobile or with an email ID. To make matters worse, the attackers released a webpage on the dark web that would pull data for any of the leaked orders just by searching a phone number or email address. Leaked data included transaction details such as delivery address, date, name, phone number, email, number of transactions, and total amount spent.

The hacker has also announced that they intend to release payment details and employee files as well. Jubilant FoodWorks, master franchise owner of Domino’s India, claims that they do not store customers’ financial information such as credit card details, and that none of that information could have been compromised.

Customers are still encouraged to be watchful of emails or texts that pretend to originate from Domino’s, and are reminded to only share credit card information to the franchise when on the official Domino’s India site

Sources

• Security Boulevard
• The Indian Express

 

These aren’t the kinds of headlines you want your business to feature in. Protect your data and your business with help from PKWARE. Get a customized demo now.