At a glance.
- RansomExx hits Scottish mental health organization.
- Red Canary reports on cyber threat trends.
- Privacy in a time of hacktivism.
RansomExx hits Scottish mental health organization.
Glasgow-based mental health charity the Scottish Association for Mental Health (SAMH) disclosed last Friday that it had experienced a cyber security incident the day before. Emsisoft threat analyst Brett Callow told the Record that the incident was a ransomware attack by the RansomExx group, which has claimed on its leak site that it exfiltrated about 12 GB of SAMH data. On Monday, SAMH chief executive Billy Watson released a statement saying, “My thanks to our staff team who, under difficult circumstances, are finding ways to keep our support services running to ensure those they support experience as little disruption as possible. We are working closely with various agencies including Police Scotland – this is an active investigation.”
Red Canary reports on cyber threat trends.
Cybersecurity firm Red Canary has released its 2022 Threat Detection Report, and it shows that ransomware is continuing its rise, with double extortion now the expected tactic. As SecurityWeek explains, Red Canary’s report compiles data from over 30,000 confirmed threats experienced by the firm’s customers, and it shows that cybercriminals have blunted the value of companies’ backups by focusing on exfiltrating sensitive data and threatening to expose it. “Backups will allow an organization to get back up and running more easily, but will not protect you against leaked data,” Red Canary says. The report also shows a trend toward cybercriminals “living off the land,” employing common commercial tools or built-in operating system tools, such as remote monitoring and management (RMM) software, to bypass defenses. The report explains that RMM tools “allow users to remotely control hosts, providing adversaries with a user-friendly graphical interface, secure network connections via cloud hosted infrastructure, and host persistence.” Red Canary also highlights an increase in ransomware-as-a-service, which gives less sophisticated attackers access to highly sophisticated software while allowing the actual developers of the malware to keep their distance from law enforcement.
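The practical detection problem behind that RMM finding is that the same binary is legitimate on one host and an intruder's foothold on another, so a hash or name match alone is not enough. The following is an added example, not code from the Red Canary report: it runs a simple allowlist-and-location rule over constructed process-creation events. The executable-to-product mapping, the sanctioned-host table and the sample events are all assumptions made up for this illustration; the expected install prefixes reflect a centrally deployed agent under Program Files, which a portable copy dropped into a user-writable directory will not match.

```python
"""Flag RMM agents that are unsanctioned on a host or launched from an odd path.

Added example for this page; the tool list, sanctioned-host table and events
below are constructed for illustration and should be tuned to a real estate.
"""
import ntpath
from dataclasses import dataclass

# Illustrative executable-name -> RMM product mapping (constructed; extend
# with the tools actually present in your environment).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "splashtopstreamer.exe": "Splashtop",
}

# Where a centrally deployed, sanctioned agent is expected to live. A copy
# running from Downloads or Temp is the "bring your own RMM" pattern.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str         # full path of the executable that started
    parent_image: str  # full path of the parent process


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    reason: str


def detect_rmm(events, sanctioned):
    """Return a Finding for each RMM launch that violates policy.

    sanctioned maps an RMM product name to the set of hosts allowed to run it.
    An RMM binary on any other host is flagged outright; on an allowed host it
    is still flagged if it runs from outside the expected install location.
    """
    findings = []
    for ev in events:
        tool = RMM_BINARIES.get(ntpath.basename(ev.image).lower())
        if tool is None:
            continue  # not an RMM binary we track
        if ev.host not in sanctioned.get(tool, set()):
            findings.append(Finding(ev.host, ev.user, tool,
                                    "unsanctioned RMM tool on this host"))
            continue
        if not ev.image.lower().startswith(EXPECTED_PREFIXES):
            findings.append(Finding(ev.host, ev.user, tool,
                                    f"sanctioned tool launched from unexpected path {ev.image}"))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("it-admin-01", "CORP\\itadmin",
                 "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
                 "C:\\Windows\\explorer.exe"),                      # sanctioned, normal path
    ProcessEvent("ws-bob", "CORP\\bob",
                 "C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe",
                 "C:\\Windows\\System32\\cmd.exe"),                 # unsanctioned tool
    ProcessEvent("ws-alice", "CORP\\alice",
                 "C:\\Users\\alice\\Downloads\\TeamViewer.exe",
                 "C:\\Windows\\explorer.exe"),                      # sanctioned tool, wrong path
    ProcessEvent("ws-bob", "CORP\\bob",
                 "C:\\Windows\\System32\\notepad.exe",
                 "C:\\Windows\\explorer.exe"),                      # not an RMM tool
]

# Constructed policy: only TeamViewer is approved, and only on these hosts.
SANCTIONED = {"TeamViewer": {"it-admin-01", "ws-alice"}}


def run_sample():
    """Run the detector over the constructed events."""
    return detect_rmm(SAMPLE_EVENTS, SANCTIONED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} {f.user} {f.tool}: {f.reason}")
```

In a real pipeline the events would come from Sysmon event ID 1 or an EDR process-start feed, and the parent process is worth a third rule (an RMM agent spawned by a shell or an Office process rather than the installer or service manager), but the two checks above already catch the common cases the report describes.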
Privacy in a time of hacktivism.
Hacking collective Anonymous has posted a 10 GB trove of data it claims to have stolen from leading global food manufacturer Nestlé. The hacktivists say the move is in retaliation for the company’s continued operations in Russia despite Putin’s invasion of Ukraine. Nestlé landed in the second worst spot on a list compiled by Yale University’s Jeffrey Sonnenfeld tracking which companies do the most business in Russia, and during a recent speech Ukrainian President Volodymyr Zelenskyy called out Nestlé by name for continuing its operations in the country. On Sunday, Anonymous posted a message threatening several brands, including Nestlé, with attack if they failed to cease their operations in Russia within forty-eight hours. According to the Irish Times, Nestlé on Monday defended its business practices, stating, “We do not make a profit from our remaining activities…The fact that we, like other food companies, supply the population with important food does not mean that we simply continue as before.” Cue Anonymous, who dumped the alleged Nestlé data the same day.
Nestlé, however, claims the stolen data is not from an attack, but the result of an accidental data exposure on the company’s part. A spokesperson told Gizmodo, “It relates to a case from February, when some randomized and predominantly publicly available test data of a B2B nature was made accessible unintentionally online for a short period of time.” The Register reports that analysis of the data supports Nestlé’s claim, as it appears that instead of 10 GB, the data only amounts to about 5.7 MB of purchase orders, many of which seem to be connected to dummy accounts for internal testing purposes. That said, the bad press motivated Nestlé to change its stance, as on Wednesday a spokesperson told Fortune, “We’re in the process of suspending the vast majority [of the group’s prewar sales volume], including pet food and coffee as well as confectionery. Our guiding principle is to focus on essential foods such as baby food and medical nutrition.” The compromise was not, apparently, enough to placate Anonymous, who followed up with the eloquent ultimatum,“NO! Get your full ass out of Russia!”
We're with Nestlé on this one, however. The company has expressed its solidarity with Ukraine and said it was limiting sales in Russia to baby food and hospital nutrition products. (Specifically, Mr. Lavrov will henceforth lack access to KitKats and Nesquik.) Nestlé's distinction among its products is difficult to fault on humanitarian grounds, and their statement is worth quoting in full:
“As the war rages in Ukraine, our activities in Russia will focus on providing essential food, such as infant food and medical/hospital nutrition — not on making a profit. This approach is in line with our purpose and values. It upholds the principle of ensuring the basic right to food.
“Going forward, we are suspending renowned Nestlé brands such as KitKat and Nesquik, among others. We have already halted non-essential imports and exports into and out of Russia, stopped all advertising, and suspended all capital investment in the country. Of course, we are fully complying with all international sanctions on Russia.
“While we do not expect to make a profit in the country or pay any related taxes for the foreseeable future in Russia, any profit will be donated to humanitarian relief organizations.
“This is in addition to the hundreds of tons of food supplies and significant financial assistance that we have already contributed to support the people in Ukraine and refugees in neighboring countries. And these efforts will continue. We stand with the people of Ukraine and our 5,800 employees there.”
Nicely said, Nestlé. Surely not even Anonymous wants to see babies starved, or hospital patients deprived of food.
Since Anonymous did claim the compromise, and did circulate the data, and did so, according to the hacktivist collective's loose and decentralized claims, to protest Nestlé's decision to continue doing business in Russia, there are some lessons here about hacktivism and privacy. Neil Jones, director of cybersecurity evangelism at Egnyte, writing before the company said that it had leaked the data itself, commented on the threat hacktivists can pose to privacy. However the data were compromised, his comment on hacktivists' potential appetite for personal information is worth considering:
“The alleged data breach of Nestlé's order information, user passwords, e-mails and client data by hacker group Anonymous shows us that 'hacktivism' is alive and well. Although details of this cyberattack are still emerging, an effective incident response plan needs to account for potential attacks that originate from hacktivist organizations, disgruntled employees and even competitors who are trying to get an edge in a critical market. Best practices to reduce the likelihood of attacks such as Nestlé's include the following:
- "Restricting data access based on an end-user's 'business need to know.'
- "Implementing technology that detects suspicious log-ins, particularly from unexpected geographical regions.
- "Proactively stating your company's position on key geo-political events, via PR efforts and on social media, and updating positioning as conditions change. With the explosion of social media across the world and the ease with which many organizations can be breached, I anticipate that this trend will continue.”
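The second of those practices, detecting log-ins from unexpected regions, is concrete enough to show in code. The block below is an added example written for this page, not anything from Egnyte or Nestlé: it assumes a per-user baseline of countries already derived from historical authentication logs, assumes the GeoIP lookup from source address to country code has been done upstream, and applies two rules to constructed log-in events: a successful log-in from a country outside the user's baseline, and two successful log-ins from different countries closer together than a minimum plausible travel time (a deliberately coarse stand-in for a distance-based impossible-travel check).

```python
"""Suspicious log-in detection: out-of-baseline country and implausible travel.

Added example for this page. The baseline table, travel threshold and events
are constructed for illustration; country codes are assumed to come from a
GeoIP lookup performed before the events reach this code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    country: str   # ISO 3166 code from an upstream GeoIP lookup (assumed)
    success: bool


@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    reason: str


# Constructed baseline: countries each user has authenticated from recently.
# In production this is computed from a rolling window of successful log-ins.
BASELINE = {
    "alice": {"CH", "DE"},
    "bob": {"GB"},
}

# Two successes from different countries less than this far apart are treated
# as implausible travel. Coarse by design; a real check uses coordinates.
MIN_TRAVEL = timedelta(hours=2)


def detect_suspicious_logins(events, baseline, min_travel=MIN_TRAVEL):
    """Return alerts for out-of-baseline countries and implausible travel.

    Only successful log-ins count: a failed attempt from abroad is noise for
    this purpose (password-spray detection is a separate rule). A user with
    no baseline entry is treated as having an empty baseline, so every new
    country is surfaced for review.
    """
    alerts = []
    last_success = {}  # user -> (timestamp, country) of the previous success
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        if ev.country not in baseline.get(ev.user, set()):
            alerts.append(Alert(ev.user, ev.ts,
                                f"login from country outside baseline: {ev.country}"))
        prev = last_success.get(ev.user)
        if prev is not None:
            prev_ts, prev_country = prev
            gap = ev.ts - prev_ts
            if prev_country != ev.country and gap < min_travel:
                alerts.append(Alert(ev.user, ev.ts,
                                    f"{prev_country} -> {ev.country} within {gap}"))
        last_success[ev.user] = (ev.ts, ev.country)
    return alerts


# Constructed sample events (not real data); deliberately out of order to
# show that the detector sorts by timestamp before correlating.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2022, 3, 23, 9, 45), "alice", "RU", True),   # new country, 45 min after CH
    LoginEvent(datetime(2022, 3, 23, 9, 0), "alice", "CH", True),    # normal
    LoginEvent(datetime(2022, 3, 23, 10, 0), "bob", "GB", True),     # normal
    LoginEvent(datetime(2022, 3, 23, 10, 30), "bob", "US", False),   # failed attempt, ignored
    LoginEvent(datetime(2022, 3, 23, 14, 0), "bob", "GB", True),     # normal
]


def run_sample():
    """Run the detector over the constructed events."""
    return detect_suspicious_logins(SAMPLE_EVENTS, BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts.isoformat()} {a.user}: {a.reason}")
```

Both rules fire only on alice's 09:45 log-in: Russia is outside her baseline, and it follows a Swiss log-in by 45 minutes. Bob's failed attempt from the US is ignored, which is the intended trade-off here; if you also want to see where credentials are being tried from, that belongs in a separate rule over failures.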
Oran Avraham, CTO of Laminar, also sees hacktivism in response to world events as giving personal data a heightened value to the hacktivists:
“In response to the tense geopolitical climate, there has been a significant uptick in cases of hacktivism from groups like Anonymous. As powerful nation states go head to head and hacker groups bear cyber arms to insert their own views, private sector organizations are increasingly being targeted to send political messages.
"Data is no longer a commodity, it’s a currency — as the incident with Nestlé represents. Information within an organization’s network is valuable to hacktivist groups as a means of extortion, intelligence gathering, or just to prove a point. Despite differing views, it is critical that corporate, employee and customer data remain protected.
"In this case, we can see from the analysis of the 10GB MySQL dump that the compromised database was likely from a test/staging environment. This is often a prime target for attackers as these copies tend to be unknown, less protected and unmonitored by data security teams. We call this phenomenon “shadow data”. In a recent study of 500 security professionals, 82% stated they were concerned or very concerned about shadow data in their environment.
"This incident reminds us that with a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. That same study shows that 1 in 2 organizations have experienced a cloud breach in the last two years. To address these challenges, solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data reside. Using the dual approach of visibility and protection, data security teams can identify shadow data and know for certain which data stores are valuable targets and ensure proper controls.”
Arti Raman, CEO and Founder of Titaniam, casts the problem as a human rights issue, and urges that those who would protect rights not overlook the right to privacy (and that those who have responsibility for keeping information private not overlook encryption of data in use):
“In light of global geopolitical conflict and tensions, privacy remains a fundamental human right. Thus, data protection is essential, especially as the frequency of hacktivism and nation-state attacks steadily increases.
"Most recently, Anonymous leaked a 10GB Nestle database to make a statement. Major corporations that have reach around the globe will continue to be collateral damage in the current climate. To protect customer and internal data and minimize the risk of extortion, we recommend data-in-use encryption, also referred to as encryption-in-use.
"Historically, organizations have relied on data-at-rest encryption, but it has serious weaknesses. If the file or information is being worked on, or is accessed using privileged credentials, this protection is rendered useless, and hackers can still steal the underlying data.
"Moving to data-in-use encryption provides unprecedented immunity. Should adversaries break through perimeter security infrastructure and access measures, files will remain undecipherable and unusable to bad actors – making digital blackmail significantly more difficult if not impossible.”