1. After Paying Off The First Ransomware Demand, Most Firms Face A Second Ransomware Attack
- Security experts discovered that ransomware attackers launch secondary ransomware attacks against firms that pay the initial ransom demand. After paying, firms often receive a decryptor for their hijacked systems. However, most attackers have already planted backdoors in those systems, which allow future compromises.
- A data protection vendor revealed that, of the 832 IT professionals surveyed, 50% disclosed that their organizations had been hit with ransomware more than once in a given year. Although most organizations fail to report repeat ransomware attacks, such back-to-back incidents can disrupt any business continuity operation.
- While ransomware attacks are projected to cost the world up to $265 billion by 2031, this new ‘double back’ attack trend could turn that projection into reality much faster than expected.
Expert Commentary: As governments continue to find and prosecute ransomware attackers, sophisticated threat groups appear to be doubling down on their tactics, techniques, and procedures (TTPs) to help maximize profit. Ransomware attackers understand that there is money to be made by targeting corporate entities in critical industries. Therefore, despite the federal government’s efforts to combat the rising ransomware epidemic, repetitive attacks are becoming the norm.
2. Carnival Cruise’s Data Breach Places Customers’ Sensitive Data At Risk
- One of the world’s largest cruise ship operators, Carnival Corporation, was hit with a data breach. The threat actors responsible for this incident gained unauthorized access to some of Carnival Corporation’s IT systems, and through them to customers’, employees’, and crew members’ personal, financial, and health information.
- According to the company, threat actors accessed information such as names, addresses, phone numbers, passport numbers, birth dates, and health information. The threat actors also accessed social security and national identification numbers.
- With over 150,000 employees in 150 countries, the leisure travel company’s ocean liner fleet provides vacation travel to about 12 million guests annually. Carnival Corporation is collaborating with cybersecurity experts to mitigate this incident; there is a strong probability that the data affected by this incident could be used to facilitate malicious activities, including credential stuffing attacks. Therefore, the cruise line company warns all its current and former customers and associates to take security measures to protect their personally identifiable information (PII).
Expert Commentary: Carnival Corporation experienced multiple data breaches in 2020 (in March, August, and December), which affected more than 30,000 customers and employees. However, this recent data breach appears to have impacted all nine cruise lines operating under the Carnival Corporation umbrella.
3. REvil Ransomware Group Compromised A U.S. Nuclear Weapons Contractor
- A U.S. nuclear weapons contractor, Sol Oriens, disclosed that the REvil ransomware group attacked it. The contractor confirmed that REvil members infiltrated its network and likely exfiltrated sensitive data. During its ongoing cyber forensic investigation, Sol Oriens discovered that the REvil ransomware group was claiming to auction off critical data stolen during the attack.
- Operating within critical infrastructure, Sol Oriens collaborates with essential government agencies, including the U.S. Department of Defense, the National Nuclear Security Administration, and the Department of Energy, to manage and implement nuclear weapons programs.
- Though Sol Oriens has yet to confirm whether the attackers stole classified data, the attackers claim to have stolen business data and employees’ data, including salaries and social security numbers. In addition, the threat actors are currently pressuring Sol Oriens into paying the ransom by threatening to release some of the stolen data associated with military agencies.
Expert Commentary: The U.S. nuclear weapons supply chain ecosystem is a critical infrastructure that any nation-state threat actor would like to compromise. Given the interests of China and Russia, security experts can likely trace the REvil ransomware group’s interest in Sol Oriens’ business infrastructure to an adversarial nation-state. Until a proper forensic investigation is completed, Sol Oriens must ensure that it is equipped to decide whether or not to pay REvil’s ransom demands. In these cases, preventive security measures are critical to the recovery of an organization’s operations.
4. A Cloud-Based Misconfiguration Error At CVS Exposed Over A Billion Personal Health Records Online
- A cloud infrastructure misconfiguration at CVS Health exposed over a billion private health records online, compromising their privacy and security.
- According to security researchers, the affected database (204GB in size) was not password-protected, nor did it have any other authentication mechanism to prevent unauthorized access.
- A large portion of the exposed data includes medication queries, COVID-19 vaccination information, visitor ID numbers, the operating system of users who accessed CVS Health and CVS.com, etc. Although this exposed data might appear irrelevant to unsuspecting individuals, it is a gold mine for competitors and threat actors alike.
Expert Commentary: It’s no surprise that many organizations are still not familiar with cloud technologies; threat actors can leverage the security loopholes associated with this lack of awareness and training. For this specific incident, threat actors can quickly determine the identity of impacted users by matching a visitor ID number with what they searched for on CVS.com. For organizations looking to implement cloud-based solutions, it is advisable to incorporate intelligent automation to help reduce human error. Unfortunately, as long as human efforts are required to configure cloud-based solutions, these kinds of misconfiguration errors will continue.
5. G7 Leaders Demand Action From Russia On Cybercrime Within Its Borders
- Many of the most lethal ransomware groups, including DarkSide and REvil, are suspected of operating out of Russia. These threat actors are able to work freely in exchange for their participation in occasional state-sponsored cyber activities. Additionally, as long as said threat actors don’t target Russian citizens and government entities, their identities remain protected.
- In a joint session at the G7 Summit, leaders from Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States issued a collective statement demanding that Russia take more proactive action to identify, disrupt, and prosecute cyber criminals operating within Russia.
- This direct warning to Russia stems from recent, disruptive cyberattacks that targeted critical infrastructure, including SolarWinds, JBS Foods, and Colonial Pipeline, which were attributed to Russia-based attackers.
Expert Commentary: It is nearly impossible to get an adversarial nation-state to admit its role as the sponsor of cybercriminals. Although G7 leaders rebuked Russia on an international stage, it is improbable that Russia will curb cybercriminal activities within its borders. For Russian-sponsored threat actors, having a protected status within Russia allows them to conduct freelance activities worldwide while also helping to carry out geopolitically motivated cyber activities for national interests. Such a mutually beneficial alliance is a significant factor in the life cycle of any prominent threat group.