Acronis Cyber Incidents Digest # 2
In this episode of the Cyber Incidents Digest, we report on the hacking of a nuclear weapons contractor and on a coffee and restaurant equipment supplier whose staff were forced onto personal mailboxes. You will also learn why the “good old” email hacking methods still work, and how a medical group got into trouble through inattention to account security.
REvil Ransomware Attacks US Department of Defense Contractor
Not much time has passed since the group attacked JBS, and REvil ransomware has struck another iconic target. This time the hackers managed to infect a contractor of the US military that, apparently, deals with nuclear weapons. Although the company is vague about its role and says only that it “helps the Department of Defense and the Department of Energy solve complex technical problems,” its job postings speak directly of weapons work. After all, who else needs a Senior Nuclear Weapons Expert?
But back to the attack. The company, Sol Oriens, has confirmed the compromise, which occurred back in May 2021. Unfortunately, the size of the ransom demand and the amount of stolen data remain unknown. Judging by REvil’s recent pattern, however, a demand of at least ten million dollars can be expected (JBS, for example, paid $11 million).
Sol Oriens said it is working with a third-party forensics firm to determine the scope of the attack. Management is nevertheless confident that “no classified data was stolen” and that nothing of real value fell into the hackers’ hands. REvil, for its part, claims to have taken a number of business documents as well as employee personal data, including payroll records and social security numbers.
Still, the very fact that such an organization has been hacked gives pause: a month has passed, and the investigators cannot yet say for certain whether classified military material was stolen or not.
Restaurant solution provider Edward Don & Co also attacked
Edward Don & Company, one of the largest distributors of foodservice equipment and supplies, has been hit by ransomware. With more than 1,000 employees and more than $500 million in annual revenue, Edward Don & Company is a major target.
Although Edward Don & Company has not yet officially acknowledged the attack, its employees abruptly switched to personal mailboxes (mainly Gmail), through which they continue to communicate with customers. Just as telling, the company has temporarily stopped accepting new orders until “problems with IT systems are resolved”.
Which ransomware group attacked the company is also unknown. However, the use of the QBot (Qakbot) malware during the attack suggests that this, too, is REvil’s handiwork. The situation once again underlines the need for defences that stop ransomware variants not yet seen in the wild: if days and weeks later no one can say how the attack was carried out, what can be expected at the moment the corporate network is infected?
And again – compromising business email
Last week, Microsoft researchers described a fraud operation that ran its infrastructure on cloud services. The attackers used classic phishing against their victims: they sent fake emails, for example voicemail notifications, to harvest credentials and gain access to the victim’s mailbox.
What is interesting about this scheme is that it relies on old tricks that security systems supposedly learned to handle long ago. The attackers simply registered domains that looked like the legitimate ones and signed in over legacy email protocols (such as IMAP and POP3) that do not support multifactor authentication, bypassing it entirely. Once they controlled a mailbox, they created inbox rules that automatically forwarded messages matching certain criteria, chiefly financial keywords, to addresses under their control. The victim may not realise for a long time that the mailbox has been compromised, since nothing visibly changes. Two checks catch this pattern early: audit new inbox rules that forward mail outside the organization, and block or closely monitor sign-ins over legacy protocols that skip MFA.
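The following is an added detection example, written for this digest and not taken from Acronis or from Microsoft’s report. It runs the three checks implied by the scheme above (legacy-protocol sign-ins without MFA, inbox rules forwarding financial mail to external addresses, and sender domains imitating the organization’s own) over a handful of constructed mailbox audit events. The event field names (`op`, `protocol`, `mfa`, `forward_to`, `subject_contains`) and the organization domain `example.com` are assumptions for the demonstration, not a real audit-log schema.

```python
"""Hunt for the BEC pattern: legacy-auth logins, external forwarding rules,
lookalike sender domains. Sample events are constructed, not real logs."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

ORG_DOMAINS = {"example.com"}                  # assumption: the defender's own domains
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}   # basic-auth paths that cannot prompt for MFA
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "statement", "remittance"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample events, loosely shaped like mailbox audit records.
SAMPLE_EVENTS = [
    {"op": "UserLoggedIn", "user": "cfo@example.com", "protocol": "IMAP4",
     "mfa": False, "ip": "203.0.113.7"},
    {"op": "UserLoggedIn", "user": "cfo@example.com", "protocol": "Browser",
     "mfa": True, "ip": "198.51.100.4"},
    {"op": "New-InboxRule", "user": "cfo@example.com",
     "forward_to": "collector@mail-example.net",
     "subject_contains": ["Invoice", "payment"]},
    {"op": "New-InboxRule", "user": "hr@example.com",
     "forward_to": "hr-archive@example.com", "subject_contains": ["benefits"]},
    {"op": "MessageReceived", "user": "ap@example.com", "from": "ceo@examp1e.com"},
]


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in ORG_DOMAINS


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the organization domain this domain imitates, or None."""
    d = domain.lower()
    if d in ORG_DOMAINS:
        return None
    folded = d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for org in ORG_DOMAINS:
        if folded == org or levenshtein(d, org) <= 1:
            return org
    return None


def check_event(ev: dict) -> Optional[Finding]:
    op, user = ev.get("op"), ev.get("user", "")
    if (op == "UserLoggedIn" and ev.get("protocol") in LEGACY_PROTOCOLS
            and not ev.get("mfa", False)):
        return Finding("legacy-auth-no-mfa", user,
                       f"{ev['protocol']} login from {ev.get('ip')}")
    if op == "New-InboxRule" and ev.get("forward_to") and is_external(ev["forward_to"]):
        hits = FINANCE_KEYWORDS & {k.lower() for k in ev.get("subject_contains", [])}
        detail = f"forwards to {ev['forward_to']}"
        if hits:
            detail += f" on keywords {sorted(hits)}"
        return Finding("external-forwarding-rule", user, detail)
    if op == "MessageReceived":
        target = lookalike_of(domain_of(ev.get("from", "")))
        if target:
            return Finding("lookalike-sender", user, f"{ev['from']} imitates {target}")
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(check_event, events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.kind}] {finding.user}: {finding.detail}")
```

On the constructed input the hunt returns three findings: the CFO’s IMAP login without MFA, the CFO’s rule forwarding “invoice”/“payment” mail to an external address, and the message from `examp1e.com`, while the HR rule that forwards internally is left alone. In production the same logic would be fed from the mail platform’s audit log, and the external-forwarding check is worth alerting on even without keyword hits.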
Business email compromise (BEC) schemes are typically used to persuade an employee to transfer money to a bank account that actually belongs to the fraudster. The threat remains very much alive: according to the FBI, BEC losses last year alone amounted to almost $2 billion.
An unhealthy amount of health threats
Ohio-based medical group Five Rivers Health Centers fell victim to a data breach that began with a hacked email account. The attackers had access for about two months, and the intrusion started with ordinary phishing.
Nearly 160,000 patients were notified that their medical records and other personal data had been compromised. These include bank account numbers, driver’s license numbers and social security numbers.
After discovering the breach, the organization secured the affected accounts and launched an investigation. Five Rivers has since enabled two-factor authentication and decided to run additional cybersecurity training for staff. Had the additional account protection been switched on earlier, a leak of this scale could have been avoided; and with solutions that combine URL filtering with broader cyber protection, even the most naive users would be shielded from attacks like this.