2021 cyberattack tales of terror

Pax8
Security Stories to Tell in the Dark

The second of our spine-tingling October Cybersecurity Awareness Month posts.

We started our Cybersecurity Awareness Month blog posts with rather scary cybersecurity stats, and we’re continuing with some truly frightening tales of hacking and ransomware attacks that were successfully undertaken on some major targets. We wish these were just urban legends, but these are bona fide horror stories that have far-reaching impacts well beyond the millions of dollars paid to attackers.

Microsoft Exchange Servers HAFNIUM attack

March 2, 2021

This bone-chilling attack has been characterized as a “global cybersecurity crisis” due to its level of focus, method of exploit, and potential reach. The HAFNIUM attack used multiple previously unknown (zero-day) exploits to target vulnerabilities in on-premises versions of Microsoft Exchange Server. This enabled HAFNIUM operators to deploy web shells on any compromised server, which would potentially allow attackers to steal data and perform additional malicious actions leading to further compromise.

Microsoft was swift in identifying the attack and in releasing a patch for the vulnerability, but the sheer number of potentially affected servers and the possible lingering effects made this an especially scary and challenging attack to deal with for CSPs and MSPs alike. Read the Pax8 response.

Kaseya ransomware attack

July 2, 2021

This ransomware attack was especially terrifying because of its cascading effect. Attackers were able to exploit an authentication bypass vulnerability within one of Kaseya’s remote monitoring and management software packages. Through this, they were able to distribute a malicious payload through hosts managed by the software, which exposed MSPs and their clients to downstream ransomware attacks.

The effect reportedly caused widespread downtime for more than 1,000 companies, including one Swedish supermarket chain that had to close all 800 of its stores for almost a week, leaving some small villages without any food shopping options. The chain didn’t pay any ransom but rebuilt its systems from scratch after waiting for an update from Kaseya.

Read the Pax8 security post regarding this attack.

The Colonial Pipeline ransomware attack

May 7, 2021

This successful ransomware attack was one that literally created a panic in the streets, or at least at the pumps. Using a stolen password on a legacy Virtual Private Network (VPN) system that lacked multifactor authentication, Eastern European hackers were able to encrypt the computers used to manage Colonial’s pipeline system. The company was forced to shut down its entire distribution pipeline, which threatened gasoline and jet fuel supplies for the entire U.S. east coast.

Colonial paid the hackers 75 bitcoin (nearly $5 million at the time), of which the U.S. government was able to recover 60 bitcoin. The financial impact of this attack is greatly overshadowed by the potentially devastating impact it could have had on our ability to travel and on our economy as a whole. Read the details on the MSSP Alert.

Attack on Oldsmar, Florida’s water supply

December 20, 2020 – February 16, 2021

The prospect of a cyberattack on our public infrastructure should scare you to your soul, especially once you understand how this attack came to be discovered at all. An ongoing, deeper-level intrusion was uncovered only because of a separate incident on February 5, 2021, when a hacker remotely accessed the water treatment plant’s system and increased sodium hydroxide (more commonly known as lye) levels from 100 parts per million to 11,100 parts per million. The change was immediately detected by a plant operator, who changed the levels back before the attack had any impact on the system.

However, during the resulting investigation, an IT security firm discovered malicious code in the plant’s computers that had been there since December 20, 2020 when attackers had gained access using a watering hole attack. An Oldsmar city computer reportedly visited a website where malicious code had been inserted into the footer of a WordPress-based site belonging to an actual Florida water infrastructure construction company. Once the watering hole attack code was inserted, the attackers began collecting information on visitors to this legitimate site. Check out the local news coverage on the attacks.

JBS Meat Processor ransomware attack

February – May 2021

The nightmare-inducing aspect of this attack isn’t the whopping $11 million in cryptocurrency the company paid to recover their data, it’s the catastrophic effect it could have had on the world’s food supply. JBS is the world’s largest meat supplier, with operations in 28 U.S. states, Canada, Puerto Rico, Mexico, Europe, Australia, and New Zealand.

This attack was carefully coordinated and started with an initial reconnaissance phase in February. Then, from March through the end of May, attackers launched multiple data exfiltration events, ultimately accessing a massive 5 TB of data. The attack was finally revealed on June 1, when the threat actors encrypted the JBS environment and published their ransom demands. The initial intrusion in February is believed to have been carried out by a third party using leaked login credentials. Scarier still, it is not yet known how those credentials were leaked or by whom. Get the details on the MSSP Alert.

The scariest attack that didn’t succeed

August 2021

As we were compiling this post, Microsoft announced on October 11 that, in August of this year, it thwarted a mind-boggling distributed denial of service (DDoS) attack against its Azure cloud service. The attack traffic came from a botnet comprised of approximately 70,000 bots located in multiple countries in the Asia-Pacific region and the United States. A series of very short-lived bursts were sent over approximately a ten-minute period, with each ramping up in seconds to terabit volumes. In total, three main peaks were registered, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps — all of which were mitigated by Azure’s built-in security system. This was the largest DDoS attack the company has faced to date and is the second-largest DDoS attack ever recorded. Read Microsoft’s post on the Azure blog.

Don’t be Scared. Be Prepared.

If you take nothing else from these chilling tales, we hope you learn the lesson that victims in horror flicks never do — never wander around unprotected and alone, especially in cyberspace. Make sure your clients are well-protected and properly trained, so a poor security strategy or bad habits don’t come back to haunt them. Our security vendors have the solutions you need to continually protect your clients, and Pax8 is always here to help shine a light into the shadows and answer any questions you may have.
