First gas, now meat: Latest cybersecurity attack shows criminals are expanding their scope

Russian hacking group REvil is behind the ransomware attack on meat processing company JBS Foods, according to the FBI.

[Image: connected-cows.jpg (Image: Supplied)]

The good news from the JBS Foods ransomware attack is that it seems to have followed one of the basic tenets of cybersecurity — make back-ups. The bad news is that cybercriminals have expanded their scope beyond stealing business data to sabotaging consumer supply chains.  


The meat processing company JBS said on Wednesday that its operations had mostly recovered from a ransomware attack that had shut down operations in the United States and Australia earlier this week. The company is one of the biggest cattle processors in the United States. No group has claimed responsibility and JBS has not shared the details of the attack. The FBI announced Wednesday that Russian hacking group REvil is responsible for the attack.

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, said that having a backup plan in place doesn’t prevent cyberattacks but it can make the recovery process easier.

“The good news is that their backup systems appear to be unaffected by the attack, which shows that they have followed some industry best practices and have an incident response plan,” he said. “Let’s hope this sets an example for other companies of the importance of backup systems and network segmentation.”

This basic tactic may not work anymore as attackers penetrate farther into corporate systems. Jim McGann, vice president of marketing and business development at cybersecurity company Index Engines, said that backup environments are under assault as well.

“Cyber criminals are now utilizing advanced techniques, including artificial intelligence, to penetrate the data center and corrupt critical data assets,” he said. “Organizations need to be smarter and more aggressive in combating these attacks, instead of using common and predictable approaches.”

This means protecting backup data, checking its integrity and ensuring there is a known good backup in place.
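One concrete way to do what the paragraph above describes is to record a hash of every file in a backup set, seal that manifest with a key kept off the backup host, and verify both before trusting a restore. The Python below is an added example written for this article, not code from JBS or any vendor quoted here; the directory layout, file contents and the HMAC key it uses are constructed for the demonstration.

```python
"""Backup integrity manifest: hash every file in a backup set, seal the
manifest with an HMAC key kept off the backup host, and later verify that
nothing was altered, deleted or silently added before restoring."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large backup images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    """Constant-time check that the manifest was sealed with our key."""
    return hmac.compare_digest(seal_manifest(manifest, key), tag)


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest taken when it was made."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, seal it, corrupt it, then verify."""
    key = b"hypothetical-key-stored-off-the-backup-host"  # assumption: kept elsewhere
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'beef');\n")
        (root / "config.yaml").write_text("plant: example\n")
        manifest = build_manifest(root)
        tag = seal_manifest(manifest, key)

        # Simulated damage to the backup: one file altered, one deleted, one planted.
        (root / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'pork');\n")
        (root / "config.yaml").unlink()
        (root / "readme.txt").write_text("restore me first\n")

        report = verify_backup(root, manifest)
        report["manifest_authentic"] = manifest_is_authentic(manifest, key, tag)
        # A manifest rewritten to cover the planted file fails the seal without the key.
        forged = dict(manifest, **{"readme.txt": "0" * 64})
        report["forged_manifest_authentic"] = manifest_is_authentic(forged, key, tag)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal matters as much as the hashes: if the manifest lives next to the backup and is unsigned, whoever can corrupt the data can also regenerate the manifest, and the integrity check proves nothing. Keeping the key and a copy of the sealed manifest on a separate, restricted system is what turns "we have a backup" into "we have a known good backup".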

Hitesh Sheth, president and CEO at cybersecurity company Vectra, said that this represents a shift in cyberwar strategy.

“Add JBS to Colonial Pipeline and other strikes, and you get new conventional wisdom: They’re going after critical infrastructure like food and fuel supply lines, which strikes at public confidence,” he said. 

On Tuesday the company said that no customer, supplier or employee data has been compromised, as best they could tell. The company also said that some operations had already resumed on Wednesday. 

Sean Curran, senior director of cybersecurity at West Monroe, said that the recent cyberattacks highlight the impact ransomware can have on the community at large.  

“While data breaches five years ago were personally impactful, they had nowhere near the societal impact that a ransomware attack can have now,” he said. “Critical infrastructure and other organizations will also need to look at how their own supply chain is impacted by downstream ransomware attacks.” 

SEE: Biden executive order bets big on zero trust for the future of US cybersecurity (TechRepublic) 

Curran said President Joe Biden’s recent cybersecurity directive is the first real attempt to standardize security practices for government organizations and the private sector but there’s a lot of work ahead. 

“Better understanding at the federal level of the challenges faced in dealing with today’s threats will increase funding,” he said. “While I am sure there will be plenty of detractors to the Executive Order and plenty more that can and should be done, without it, the status quo would have continued.”

Meg King, director of the science and technology innovation program at The Wilson Center, said that this trend shows the need for a global response to the ransomware epidemic to break the business model of ransomware.  

“This will keep happening — at great cost to life and treasure — if we don’t identify and stop the biggest actors, gain better early warning and help companies improve their cybersecurity,” she said.

Russian hacker group suspected 

CNBC reported on Wednesday that REvil was behind the attack. According to research from Cybereason, the REvil gang is the biggest ransomware cartel, with the largest market share in the ransomware-as-a-service business and estimated profits of more than $100 million in 2020. Security researchers at Cybereason also found that 60% of its targets are in the U.S., concentrated among wholesale, manufacturing and professional services companies. Cybereason also connects REvil to the recent attacks on Acer and Apple.

Felipe Duarte, a security researcher at Appgate, said it’s not clear where the breach started but that it’s possible a social engineering campaign infected employees through spear-phishing emails and then expanded to the internal network by exploiting nearby vulnerable systems. 

Duarte listed the most commonly used vulnerabilities in these attacks as:

  • CVE-2019-19781 — widely used by Ransomware groups like Sodinokibi to exploit outdated Citrix servers
  • CVE-2019-11510 — used to exploit vulnerable Pulse VPN appliances
  • ProxyLogon — a set of Microsoft Exchange vulnerabilities currently being used by several malware families, including the new EpsilonRed, to exploit on-premises Exchange Servers.

“If a company has internet-exposed systems, these vulnerabilities can carry an attack without the need to trick an employee,” he said. “They also open the gate for other common infection vectors based on weak credentials exploitation.”

Duarte also notes that although JBS claims that the attack did not affect its backup servers, it can take some time to restore the entire network and disclose all the affected systems.

“We expect a significant impact on the meat supply chain depending on how much time it takes for JBS systems to recover,” he said. 

Tom Hoffman, senior vice president of intelligence at Flashpoint, said that if the company was hit by a ransomware attack, some of the data might show up on dump sites within 10 to 14 days, or sooner if the threat group sees that the company is recovering and does not intend to pay for decryption keys.
