Ransomware hits a retailer, a consultancy, a manufacturer, and a school district. More Accellion fallout.

Summary

By the CyberWire staff

At a glance.

Boggi Milano sustains ransomware attack.
Arup consultancy affected by third-party payroll provider breach.
Update on Ubiquiti's ransomware incident.
More universities affected by Accellion compromise.
Broward County schools hit by ransomware.
Health system data exposure.

Premium fashion retailer hit below the belt.

Italian menswear brand Boggi Milano, which operates approximately two hundred stores in nearly forty countries, has confirmed it was the victim of a ransomware attack, Bloomberg reports. The Ragnarok threat group has taken credit for the incident, boasting on their underground website that they made off with approximately forty gigabytes of data, including human resource files containing salary information.

Erich Kron, security awareness advocate at KnowBe4, commented that the pandemic hasn't slowed the ransomware gangs down:

“Ransomware gangs have not taken a break during this pandemic, and this is another example of the fact that any industry is a target. Although the impact to the operation of the organization appears to be minimal, the loss of roughly 40GB of data, potentially including that of customers and employees, can be a significant issue. Fines from data breaches with this type of data can be significant, and as an organization that operates globally, could be imposed from multiple countries whose citizens have been impacted.

"Because ransomware is primarily spread through unsecured remote access points and email phishing, to protect themselves, organizations should focus on these entry points. Wherever possible, organizations should employ Multi-Factor Authentication (MFA) to secure email and login accounts, closely monitor any remote access portals and train users to spot and report email phishing attacks. In addition, to counter the issue of data exfiltration, organizations should ensure they have a good Data Loss Prevention (DLP) system in place and properly configured.”

(And why should it have slowed them down? They're all working from home anyway, aren't they?)

Mark Bower, senior vice president with comforte AG, advocates careful attention to backing up data:

“Ransomware attacks are the new great digital train robbery, stealing data and crippling business through a constantly evolving attack ecosystem and malware that can evade perimeter controls.

"Organizations must mitigate ransomware risk through constant backup to ensure data can be restored rapidly if it is locked, and also utilize proven data-centric security to foil the attack itself. If data is neutralized using modern data-centric techniques that enable data use in the enterprise while protected while restricting access to the minimum live data, attackers will get the equivalent of digital coal, not data gold, and soon move on to the next vulnerable target. For the enterprise, this avoids the impact of a data breach and financial demand at the same time.”

Arup consultancy impacted in third-party data breach.

Edinburgh News reports that global consultancy firm Arup’s third-party payroll provider suffered a ransomware attack that compromised employee data. Arup has reported the incident to the Information Commissioner's Office. “It’s incredibly worrying to know that such personal information as my bank details and address have been accessed by these cyber criminals, especially in the current climate,” one employee stated. Staff have been directed to monitor their bank accounts for any suspicious activity.

Tom Garrubba, CISO of Shared Assessments, commented on the way in which ransomware has become one of the most prevalent tactics used by malicious actors, and that defenders must consider third, indeed n-th, party risk: "Ransomware is quickly becoming the most common form of harmful “ware” attacks levied by threat actors. In cyberspace, it is all about having a good defense. All organizations – regardless of their industry – must periodically gauge their cybersecurity posture to ensure adherence to recommended best practices and industry standards. This also includes gauging the cybersecurity posture of outsourced relationships."

Ubiquiti cloud storage incident details unfold.

As the CyberWire reported earlier this week, an anonymous whistleblower claims that IoT device maker Ubiquiti has been downplaying the significance of the company’s recent data breach. Though Ubiquiti initially implied it was a mere casualty in an attack on their cloud storage provider and that user data was not impacted, the source claims to have evidence that Ubiquiti left an Amazon Web Services storage bucket unsecured, and that the hackers demanded a fifty bitcoin ransom in exchange for stolen user data and source code. Now, Bleeping Computer explains, Ubiquiti confirms that the threat actors requested payment, but is standing by its assertion that user data were not compromised. "The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information,” the company stated. The Record by Recorded Future adds that Ubiquiti obtained “well-developed evidence that the perpetrator is an individual with intricate knowledge of [its] cloud infrastructure.” While some insiders suspect Ubiquiti is minimizing the incident to protect the company’s reputation, it would appear they have not succeeded, as Security Week reports share prices have fallen from $350 per share on March 30 to $290 as of yesterday.

Harvard and the University of California among those touched by the Accellion compromise.

Two more US universities have been added to the ever-growing list of victims of last summer’s breach of file-sharing technology firm Accellion. Harvard Business School is assessing the damage after discovering an intruder exploited Accellion’s File Transfer Application in order to steal personal student data, the Harvard Crimson explains. Isif Ibrahima, a Mandiant threat analyst who has been investigating the Accellion breach, recommends that the school ensure that all their products are up-to-date and instruct administrators to regularly review logs from Internet-facing devices “for any anomalous activity.” Meanwhile, the University of California (UC) discovered that the Office of the President’s system was also compromised in the Accellion breach, CBS Local - Sacramento reports. Though it’s unclear exactly how many individuals were impacted, the Daily Californian disclosed that members of the university community have been receiving alarming emails from the cybercriminals threatening to expose their data and directing the recipients to a public website where a sample of UC employee data had been posted.

Jerome Becquart, COO of Axiad wrote about the challenges of securing an enterprise in an increasingly complex IT ecosystem: “This illustrates the challenge organizations have to keep their various systems secure and up to date. As our digital ecosystem becomes more and more complex, the challenge of maintaining and patching systems is increasing exponentially. This is why we increasingly see the adoption of a platform approach to security and leveraging trusted cloud suppliers whenever possible is the only way forward.”

Niamh Muldoon, global data protection officer at OneLogin, thinks that the Accellion FTA compromise still has legs:

“As expected, we are continuing to see the impact of the Accellion file-sharing data breach expand. We applaud the due diligence that many of the affected organizations are taking to be transparent with their students and employees about the exposure of their personally identifiable information (PII). It is important to incorporate access control and data lifecycle management into risk assessment by asking about past data/files transfers, and whether those files have been properly managed, such as having access removed when it is no longer required. The results of the cross-functional risk assessment will determine if the organization is vulnerable per the versions of Accellion exploited by malicious attackers. Having your security and/or technology organization monitor and track official communications issued by Accellion will allow them to keep up-to-date. This is especially important because as the investigation continues more data will become available which may impact the associated risk to an organization, and require the organization to take more actions to reduce risk. If you are unclear from official communications where your organization is using a vulnerable version of not, reach out to Accellion for clarity - don’t just assume its OK.”’

Trevor Morgan, product manager at comforte AG, also thinks that we've not yet seen the last of the Accellion supply chain compromise. He thinks one of the major lessons to be learned is the importance of not overlooking risks that lurk in legacy systems:

“As the repercussions of the compromised Accellion file-transfer service continue to spread, every business needs to focus on the single most important takeaway. Whenever your organization depends on outdated “legacy” software and services, you’re putting the company at risk. The report of Stanford being the latest victim of this vulnerability clearly accentuates how easily this situation could have been remedied by noting how outdated the legacy software service was. Your business should be actively auditing your IT infrastructure and casting a critical eye at any software or service that is decades old and considered so 'legacy' that it is about to be discontinued. Furthermore, you should not be building mission-critical workflows around such legacy services, especially if your highly sensitive PII data is not guarded with data-centric security. As opposed to perimeter-based solutions that wall off sensitive data and protect the borders around it (which can still be penetrated with enough patience and effort) data-centric security measures such as tokenization and format-preserving encryption protect the data itself, obfuscating the sensitive information so that threat actors cannot leverage it. Again, the solution is clear if you want to avoid the type of situation with which Stanford Medicine and a host of other organizations are dealing: always have current- or next-generation solutions in your IT infrastructure that are constantly kept up-to-date and patched, and make that investment into effective data-centric security for your enterprise data.”

Massive US school district hit with ransomware attack.

ABC News reports that Broward County Public Schools, one of the largest school districts in the US, was the victim of a ransomware attack. The attackers have encrypted system data and are demanding a $40 million ransom, pledging to delete files and publish stolen personal data online, and going so far as to post screenshots of the negotiations on their website as a warning. The hackers are well aware that as the sixth-largest US school district, Broward County has an annual budget of $4 billion. The Florida school district has stated that there’s no evidence that personal data was stolen, and they have no plans to pay the ransom: “Efforts to restore all systems are underway and progressing well.”

Third-party employee exposes health system data.

Memorial Hermann Health System, located in the US state of Texas, is alerting impacted patients of a recent data breach, ABC13 Houston reports. A former employee of MedData, a revenue management service used by Memorial Hermann, saved files containing patient information personal folders on a “public facing website." The compromised data include dates of birth, Social Security numbers, diagnosis and medical procedure information, and insurance policy numbers.

Selected Reading

Days before Puducherry polls, HC directs UIDAI to probe into data breach (The New Indian Express) The court also made it clear that the ECI should deal with the perceived breach of code of conduct without putting a lid on the issue, and a separate probe initiated against the party should go on.

Data breach allegations: RBI orders forensic audit of Mobikwik systems (India TV News) The Reserve Bank has asked troubled digital wallet firm Mobikwik, which is facing data breach allegations, to get a forensic audit done without any delay.

()

Large Florida school district hit by ransomware attack (ABC News) The computer system of one of the nation’s largest school districts was hacked by a criminal gang that demanded $40 million in ransom or it would erase files and post students’ and employees’ personal information online

Higher Ed Sees an Increased Number of Malware Attacks Demanding Payment (IBL News) The FBI issued a warning about the increase in cyberattacks targeting higher education, K-12 schools, and seminaries in 12 U.S. states and the United Kingdom.

UC Targeted In Nationwide Cyber Attack; People Urged To Beware Of Threatening Emails (CBS Local - Sacramento) The University of California is warning its workers and students about a national cybersecurity attack targeting one of their systems.

UC Davis hit by cyberattack - Davis Enterprise (Davis Enterprise) Worldwide extortion scheme has targeted universities, government agencies and corporations UC Davis and other University of California campuses…

Nationwide cybersecurity attack compromises UC employee data (The Daily Californian) Following a cyberattack on the file transfer service used in the UC Office of the President, or UCOP, system, personal UC employee data was released to the public.

University of Maryland, Baltimore says private data was published online following ransomware attack (Baltimore Sun) The University of Maryland, Baltimore has learned that student and staff’s private information was posted on the internet this week after a ransomware group breached system security measures in December.

Hackers leak Social Security numbers, student data in massive data breach | The Stanford Daily (The Stanford Daily) The leaked Stanford data is part of a data breach affecting numerous businesses and universities that targeted a widely-used file transfer service, Accellion, used by the University.

Experts Weigh In on Fallout From HBS Data Breach (Harvard Crimson) Following a data breach of the Harvard Business School’s secure file transfer system in December, experts said they foresee ongoing consequences for the system’s users.

In a rare step, Activision warns CoD players of malware hidden in cheat apps (The Record by Recorded Future) In a rare step for a company that seldomly issues security warnings, gaming giant Activision published research yesterday detailing how cybercriminals are hiding malware inside Call of Duty: Warzone cheats, warning users to stay away from such offers.

Staff bank account numbers and addresses compromised in major data breach at global consultancy with Edinburgh office (Edinburgh News) Staff working at a global consultancy firm with an office near Edinburgh have had their personal details - including bank account numbers, addresses and names - compromised following a major cyber security attack.

Hackers Hit Italian Menswear Brand Boggi Milano With Ransomware (Bloomberg) Ragnarok hacking group says it stole 40 gigabytes of data. FBI says $144 million paid to hackers as ransom in 2013-2019.

Memorial Hermann patients' personal data may have been compromised, hospital says (ABC13 Houston) The hospital said this may have compromised some patients' personal data, including medical records and social security numbers.

5G Network Slicing Vulnerabilities Risk DoS, Location Tracking, and more (Latest Hacking News) Due to weak authentication, exploiting the 5G network slicing vulnerabilities allow location tracking, dos attacks, stealing sensitive data.

Cyber-security ‘extortionware’ whereby hackers embarrass victims to ransom. (Technomag) Cyber-security companies are warning about the rise of so-called ‘extortionware’ where hackers embarrass victims into paying a ransom.