
7 Major Cyber Attacks in 2021 and Lessons Learned to Strengthen Your Defenses in 2022

Cyber attackers continued to successfully target organizations in all sectors and of all sizes during 2021. The biggest cyber attacks in 2021 resulted in damaging financial, reputational, and even societal consequences. Security leaders and teams should use the lessons learned from high-profile attacks to improve their organization’s security posture. Let’s look at 7 major cyber attacks in 2021 and the key lessons to learn from them.

The 2021 Cyber Attack Landscape

Threat actors continued to take advantage of additional security vulnerabilities created by the rapid pandemic-induced change to remote work. When remote work was a factor in data breaches during 2021, one study found the cost per breach increased by $1 million per incident.

Ransomware remains one of the most significant cybersecurity threats, with targets ranging from critical infrastructure to large enterprises to police departments. According to one report, 37 percent of organizations surveyed were hit by ransomware attacks in 2021.

Ransomware gangs now regularly use double extortion techniques. Not content with just encrypting important files or endpoints, in double extortion attacks, adversaries exfiltrate sensitive data before delivering ransomware payloads. The added incentive to pay the ransom comes from the threat of sensitive data being published on the Dark Web.

Another worrying trend in several 2021 cyber attacks was a focus on disrupting or infiltrating supply chains. Malicious actors target supply chains because they know that the downstream effects can hit multiple organizations or even result in supply shortages of critical goods and services.

2021 Cyber Attacks That Shook the World

Bearing this landscape in mind, here is a run-through of seven high-profile incidents that made global media headlines.

1. Colonial Pipeline

The Colonial Pipeline 2021 cyber attack concerned the information security community, consumers, and government agencies. Colonial Pipeline transports diesel, jet fuel, and gasoline across a 5,500-mile journey starting in Houston and terminating in New York. In May 2021, an Eastern European ransomware group known as DarkSide managed to infiltrate Colonial Pipeline’s billing system.


Fearing an eventual lateral movement traversing the boundary between IT and operational technology (OT), the company halted all pipeline operations to contain the attack. The operational disruption lasted five days while Colonial Pipeline responded to the incident.

Part of the response involved paying a $4.4 million ransom to the ransomware gang. The FBI managed to recover a portion of this ransom in the aftermath. The concern around this breach was elevated by media images of panicked motorists queueing to stock up on gasoline because they feared an extended fuel shortage.

Subsequent investigations into the cyber attack on Colonial Pipeline found that the initial attack vector was a stolen password used to log in to a legacy VPN. The threat actors likely found the stolen password in a Dark Web leak list from a previous data breach. The Colonial Pipeline’s CEO, Joseph Blount, had to testify in front of the Senate Homeland Security and Governmental Affairs Committee about how the company handled this attack.

Lessons Learned:

  • Multifactor authentication is critical: In his testimony, Mr. Blount said that the hacked VPN account only had single-factor authentication. In today’s threat landscape, depending on passwords alone to secure access to accounts is very risky.
  • Poor password hygiene is still common: hackers used stolen credentials to log in to a VPN account. Aside from highlighting the weakness of relying on passwords alone, this attack shows how poor password hygiene, such as reusing passwords across multiple services and apps, remains commonplace. Better cyber awareness and training can combat this issue.
  • 24/7 monitoring is key: detecting events such as suspicious VPN use, credential abuse, and policy violations around remote access applications helps catch compromises before they escalate.
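The monitoring lesson above is easier to act on with a concrete rule set. The following is an added example, not code from the original article or from Proficio: it scans remote-access authentication logs for three of the signals the Colonial Pipeline incident points at (a successful login without MFA, a success immediately following a burst of failures, and a login from a source the user has never used). The log format, the thresholds and the sample lines are all constructed assumptions for the demo.

```python
"""Flag risky remote-access (VPN) logins in an authentication log.

Added example, not code from the original article. The log format
(timestamp, user, source IP, result, MFA flag) is an assumed, simplified
one; the sample lines and the thresholds are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO timestamp> user=<name> src=<ip> result=<ok|fail> mfa=<yes|no>
SAMPLE_LOG = """\
2021-04-29T02:10:05 user=jsmith src=203.0.113.10 result=fail mfa=no
2021-04-29T02:10:09 user=jsmith src=203.0.113.10 result=fail mfa=no
2021-04-29T02:10:14 user=jsmith src=203.0.113.10 result=fail mfa=no
2021-04-29T02:10:18 user=jsmith src=203.0.113.10 result=fail mfa=no
2021-04-29T02:10:21 user=jsmith src=203.0.113.10 result=fail mfa=no
2021-04-29T02:10:30 user=jsmith src=203.0.113.10 result=ok mfa=no
2021-04-29T08:00:00 user=ajones src=198.51.100.7 result=ok mfa=yes
2021-04-29T09:15:00 user=ajones src=198.51.100.7 result=ok mfa=yes
2021-04-29T23:45:00 user=ajones src=192.0.2.55 result=ok mfa=yes
"""

FAIL_THRESHOLD = 5               # assumed: failures before a success that look like guessing
FAIL_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        return rec
    except ValueError:
        return None


def analyze(log_text, known_sources=None):
    """Return a list of (rule, user, detail) findings for successful logins.

    known_sources maps user -> set of source IPs seen before this log
    (a constructed baseline in the demo). A success from an IP outside the
    user's baseline raises 'new_source'; users with no baseline just seed it.
    """
    known = {u: set(s) for u, s in (known_sources or {}).items()}
    recent_failures = defaultdict(list)      # user -> timestamps of recent failed logins
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts, src = rec.get("user"), rec["ts"], rec.get("src")
        if rec.get("result") == "fail":
            recent_failures[user].append(ts)
            continue
        if rec.get("result") != "ok":
            continue
        # A successful login: evaluate each rule against it.
        if rec.get("mfa") != "yes":
            findings.append(("single_factor_login", user, src))
        burst = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
        if len(burst) >= FAIL_THRESHOLD:
            findings.append(("success_after_failure_burst", user,
                             f"{len(burst)} failures within {FAIL_WINDOW} before success from {src}"))
        recent_failures[user] = []
        baseline = known.setdefault(user, set())
        if src not in baseline:
            if baseline:                     # only alert once a baseline exists for the user
                findings.append(("new_source", user, src))
            baseline.add(src)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, {"ajones": {"198.51.100.7"}}):
        print(finding)
```

Each finding here is a trigger for a human to look at the session, not a verdict; the point of the exercise is that a single-factor VPN success preceded by a run of failures is exactly the pattern that a 24/7 monitoring function should surface within minutes rather than weeks.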

2. Accellion

Accellion provides file sharing and team collaboration tools to organizations reported to include Morgan Stanley, Shell Oil Company, Kroger, Health Net, Stanford University, and many others. In December 2020 and January 2021, one of the company’s legacy products, the Accellion File Transfer Appliance (FTA), was compromised through multiple zero-day vulnerabilities exploited by UNC2546 and UNC258, two threat actors with links to the Clop and FIN11 ransomware gangs.

In healthcare alone, over 11 organizations were impacted by this supply chain attack. A zero-day attack is particularly challenging because it exploits previously unknown vulnerabilities for which no fix yet exists.

Lessons Learned:

  • The importance of vulnerability management and patching: Speed is critical in patching zero-day vulnerabilities with known exploits. Risk-based vulnerability management tools and services can help organizations prioritize patching of assets based on risk and context.
  • The need for data exfiltration protection: In addition to double-extortion ransomware attacks, this supply chain attack demonstrated that threat actors see data exfiltration as the ultimate prize. It is important for organizations to detect precursors of data exfiltration and behavior anomalies and automate containment actions to prevent loss of data.

3. JBS

JBS is the world’s largest meat processor with reported annual sales of $50 billion and over 230,000 employees.

On Sunday, May 30, JBS USA discovered it was the victim of a ransomware attack that affected some of the servers supporting its U.S., Australian and Canadian IT systems. The company suspended all affected systems, then contacted law enforcement.


Assistance from the FBI helped to confirm that the prolific REvil ransomware operation was responsible for the JBS meat cyber attack. In a statement made to the media, JBS announced the payment of an $11 million ransom to REvil in an attempt to mitigate the risk of sensitive stolen data being published online.

Since the attack did not affect JBS’ backup data or core systems, the company was able to recover in a few days with minimal disruption to the supply chain. JBS issued press releases on May 30, June 1, June 2, and June 3 to keep customers and the public apprised of the status of the incident.

Lessons Learned:

  • Backup strategies still work: Some security commentators argue that backup strategies are redundant in a world where data exfiltration is the main goal of malicious actors. However, the ability to restore normal operations quickly after a cyber attack is imperative, particularly in critical industries such as meat processing upon which much of the world depends for survival. Just backing up systems and data is not sufficient. You also must take steps to protect your backup files from attempts to delete them.
  • Early detection and response: More detailed investigations into the JBS attack found that data exfiltration began after leaked credentials were exploited as far back as February 2021. Early detection and response could have played a crucial role in thwarting attackers while they were in the network. Perimeter-focused controls are no longer sufficient for defending against attacks; security teams lacking internal resources can turn to managed detection and response.
  • Incident Response Plan: Having a written Incident Response (IR) plan and routinely practicing the process makes a difference. JBS effectively engaged the appropriate government entities and third-party consultants, who assisted with the forensic and remediation work.

4. Brenntag

In April of 2021, Brenntag, a German chemical distribution company, became yet another victim of DarkSide ransomware. Brenntag employs more than 17,000 people worldwide, and the company reported over $14 billion of revenue in 2019.

In yet another double extortion attack, DarkSide managed to exfiltrate 150 gigabytes of data from the North American division of Brenntag’s network. After data exfiltration, the Brenntag ransomware payload encrypted multiple devices and files on the company’s network using the Salsa20 file encryption algorithm.

The immediate response to the Brenntag ransomware attack focused on containing the threat by disconnecting affected systems from the network. The company also paid a $4.4 million ransom in return for both a decryption key and not having sensitive data belonging to 6,700 individuals published online. The sensitive data included birthdates, Social Security Numbers, driver’s license numbers, and health data.


Credential theft appeared to play a prominent role in this attack. A ransom note seen by security researchers at Bleeping Computer alluded to the fact that threat actors “bought access to the network”.

Lessons Learned:

  • Stolen credentials are a big problem: Initial network access via stolen credentials was a common theme in several 2021 cyber attacks. Mitigation requires a multi-pronged approach that includes multi-factor authentication, ongoing cyber education, and regularly mandating password changes.
  • The paradox of cyber attacks: Threat actors often deploy sophisticated tools and techniques to evade detection once inside networks; however, the methods they use to gain initial access often exploit incredibly basic cybersecurity flaws.

5. Volkswagen and Audi


Volkswagen has consistently been one of the top-selling automotive brands. In June 2021, details emerged of a significant data breach both at Volkswagen and Audi, one of the Volkswagen Group’s luxury line of vehicles. The breach exposed information belonging to 3 million customers.

For the majority of customers, the leaked details were basic and non-sensitive. However, at least 90,000 people were contacted about sensitive data exposure, including driver’s license numbers, Social Security numbers, and dates of birth.

A spokesperson indicated the Volkswagen data breach stemmed from a compromise at a third-party vendor used by the company. Vice magazine reported that a hacker obtained the data by scanning the Internet for unsecured Microsoft Azure Blobs, which are used to store unstructured data in the cloud.

Lessons Learned:

  • Third-party risks: Volkswagen trusted another vendor with its valuable customer data, but that same vendor failed to implement such a basic practice as securing all data stored in the cloud. Third-party risk management is crucial to avoid breaches like this one.
  • The need for data visibility: You cannot protect sensitive data when you do not know where it is stored or how it is secured. Comprehensive data visibility might have prevented this Volkswagen data breach from happening.

6. HSE Ireland

The Health Service Executive runs Ireland’s public health system. Over 67,000 direct employees help to maintain the health of Ireland’s populace. Several severe Covid-19 outbreaks stressed Ireland’s health system in 2021, and a ransomware attack in May came at the most unwelcome of times.

The installation of a ransomware payload by Conti threat actors completed a two-month operation that severely impacted the HSE’s IT infrastructure. The immediate aftermath of the HSE cyber attack resulted in healthcare professionals losing access to IT systems, including patient information systems, clinical care systems, and laboratory systems.

Equally as severe as this disruption to important health services was the exfiltration of sensitive healthcare data belonging to 1,000 patients. During negotiations about a ransom, Conti gang members began leaking patient data for up to 520 individuals on the Dark Web.

A detailed incident report found that the HSE cyber attack started in March 2021 when an employee clicked and opened a malicious Excel attachment. This attachment provided remote access to the HSE’s IT environment. Threat actors used Cobalt Strike, a penetration testing tool, to escalate their privileges on the originally compromised workstation.

Lessons Learned:

  • The need for threat intelligence: Robust threat intelligence and discovery helps detect tools like Cobalt Strike and stop similar incidents in their tracks.
  • The danger of phishing: Phishing emails with malicious attachments provide low-hanging fruit for adversaries to infiltrate your network. Robust email security software and employee training reduce the risk of malicious attachments or users being enticed to visit infected websites.

7. CNA Financial

Last but not least in our overview of 7 of the major 2021 cyber attacks is an attack that resulted in one of the largest ransom payments. CNA Financial, one of the biggest insurance companies in the United States, was hit by a March 2021 ransomware attack that encrypted up to 15,000 systems. The threat actors used a ransomware strain known as Phoenix CryptoLocker.


The attack began when an employee downloaded a fake browser update from a genuine website onto his/her workstation. Additional malicious activity helped to elevate privileges from the workstation to get network-wide administrative access. The final ransomware payload took down so much of the company’s IT infrastructure that executives felt they had no other option but to pay for the decryption key. The $40 million CNA Financial ransom payment set a record at the time that remains today.

Lessons Learned:

  • The value of detection and response capabilities: With seemingly no functioning backup strategy in place to restore encrypted devices and files, this incident underscores the value of detection and response capabilities. By emphasizing defense-in-depth, businesses can detect and respond to cyber attacks much faster and limit their effects.
  • Some companies still pay: Despite government admonitions against paying ransom demands, several large companies paid substantial sums to hackers in 2021; none were more substantial than the $40 million that was the CNA Financial ransom. It is recommended that IT leadership prepares for this possibility by discussing options with management and their cyber insurance provider.

2021 Cyber Attacks Conclusion

There are many lessons to take forward from this list of seven major cyber attacks in 2021. Basic security flaws can provide hackers with an easy route into networks, even those belonging to the largest enterprises with the highest security investments. Despite the ease of initial entry, a common thread here is that detection and response capabilities are critical to detecting and preventing breaches.

Businesses stand to gain a far more robust security posture by investing in managed detection and response (MDR). Ready-made expertise in threat intelligence, detection, and response awaits businesses that allocate some of their security budget to MDR services.


Lessons Learned: Ransomware Attacks in 2021

While ransomware attacks in 2021 show no sign of stopping, several high-profile occurrences in the first half of the year gained swift notoriety for either the scale of damage they inflicted or the targets they focused on. Here are four of the biggest attacks, and the lesson that can be learned from each.

Colonial Pipeline

A natural place to begin is with the most severe cyber-attack to ever target critical infrastructure in the United States. Instigated by the DarkSide ransomware group, this has been one of the most newsworthy ransomware attacks in 2021, targeting the IT environment tied to a pipeline system that extends from Texas to New York.

Hackers used a VPN account and a leaked password to gain access to the Colonial Pipeline network. The attack was noticed on May 7, 2021, when an employee saw a message on a computer screen in the control room, demanding a cryptocurrency payment. An operations supervisor decided to respond to the attack by taking the unprecedented step of shutting the entire pipeline down.

Colonial Pipeline decided to make the ransom payment of $4.4 million in bitcoin – and as a positive turn, with the help of the FBI, part of the payment has been recovered. The disruption to the pipeline lasted five days before normal operations resumed.

Takeaway: Use multi-factor authentication so that even if a password becomes compromised, hackers need to provide an additional category of evidence to access a resource on your network.

Acer

Taiwanese computer manufacturer Acer became the victim of another notable ransomware attack in March 2021. It’s believed a Microsoft Exchange vulnerability provided an entry route into Acer’s network.

The REvil ransomware group demanded a $50 million payment to return stolen data, releasing samples on the dark web. It’s not publicly known whether Acer paid the ransom.

Takeaway: Hacking groups don’t keep a 9-5 schedule. It’s critical for organizations to use 24-7 monitoring solutions that constantly seek out new types of attacks, critical vulnerabilities, and suspicious behavior on your network. A dedicated security operations team can provide 24-7 incident monitoring, detection, and response.

Sierra Wireless

Among several high-profile technology companies hit by ransomware attacks in 2021 was the wireless communications equipment designer and manufacturer, Sierra Wireless. The attack targeted both the company’s internal IT systems and corporate website.

Production at the company’s manufacturing locations was temporarily halted while the company quickly initiated measures to counter and contain the damage. While the internal network and corporate website remained affected for a few days, any customer-facing products and services weren’t impacted.

Takeaway: The swift response during the Sierra Wireless attack illustrates why rapid threat containment is critical. Fast action can make the difference between an attempted hack and a devastating breach, which is why automated response solutions are essential for modern organizations.

Scripps Healthcare

Finishing things off is one of the most targeted industries – healthcare. In May 2021, a hospital in our own backyard was taken offline for almost a month due to a sophisticated ransomware attack.

While not much is currently known about this attack, during the same timeframe we saw a similar attack take down Ireland’s Health Service Executive. That attack began when an employee unknowingly clicked a malicious link, and the cybercriminals demanded almost €15 million to return 700 gigabytes of confidential patient data.

Takeaway: Opportunistic hackers don’t take ethical or moral considerations into account when looking for targets to exploit. Knowing the signs of a ransomware attack in its early stages is key to stopping cybercriminals before they get into your networks.


Conclusion

While the ransomware attacks in 2021 that make media headlines often involve public infrastructure, health services, and large corporations, these incidents can happen just as easily on small to medium businesses. As we often say – it’s not a matter of if you’ll be attacked, but when – so regardless of the size of your company, preparation is vital to staying safe.