At a glance.
- Data breach at Ferrari.
- Comment on LockBit's current activities.
Data breach at Ferrari.
BleepingComputer reports that Ferrari has notified customers that the high-end automobile firm has sustained a cyber attack that may have compromised customer information. The motive is extortion, although the company has yet to reveal whether the attack involves ransomware proper or whether it's a direct data extortion attack. In a statement it published yesterday, Ferrari wrote:
"Ferrari N.V. (NYSE/EXM: RACE) (“Ferrari”) announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details. Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.
"As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.
"Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident."
Jon Miller, CEO & Co-founder of Halcyon, sees the incident as another case of ransomware involving data theft:
“The ransomware attack against Ferrari - which appears to include the exfiltration of sensitive data that exposed client 'names, addresses, email addresses and telephone numbers' and potentially other information - highlights the fact that this is not just a ransomware problem, it is a major data loss issue too. Even if Ferrari did everything right with regard to securing the data, and even if they do everything right with regard to the incident response measure, the fact is ransomware gangs are intent on stealing data to force victims into paying the ransom demand, and often this means that there is collateral damage to the entities whose sensitive data is exposed. Remember, the focus for ransomware operators is to cause as much pain as possible for victim orgs in order to extract the highest payment possible - this means even if the victim org pays the ransom, the attackers still have the data and can sell or expose it, or come back to the victim org and ask for even more money. Not paying ransom demands does not end the financial incentive for these attacks - defeating the attack before they can exfiltrate data and before they can disrupt operations is the only way to make these attacks unprofitable.”
Christopher Handscomb, Solutions Engineer at Centripetal, sees the incident as a cautionary tale for luxury brands at large. “It's becoming all too common for customer data to be breached & exfiltrated with alarming ease. This poses serious concerns for luxury good vendors and their clients alike,” he said. “From the company's perspective, a data breach can result in severe reputational damage and even legal action, not to mention a loss of trust from consumers who may be reluctant to share their sensitive information again, leading to an impact in sales. From the customer side, clients may find their personal information - including details on their wealth, status, employment, living arrangements, and more - shared with an unknown party, potentially leading to identity theft, financial fraud, or even physical harm. To protect their customers and brand reputation, companies must be more proactive in their approach to securing essential infrastructure and safeguarding customer data.”
Comment on LockBit's current activities.
Last week's joint advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) highlighted the ways in which the LockBit ransomware gang had become more rapacious and more evasive. Jeremy Ventura, Director, Security Strategy & Field CISO, ThreatX, wrote to explain LockBit's exploitation of public-facing applications:
"Besides phishing and RDP as the attack vectors, LockBit has also been known to attack and exploit public-facing applications. These applications are usually websites, and web servers with internet access. If exploited, everything within the application is at risk, including the instance itself, the container, the APIs, and the cloud environment. The LockBit Group operates in a typical RaaS fashion (Ransomware-as-a-service) –making it more difficult for enterprises to pinpoint these attacks in the kill chain/attack path. Cataloging your applications and APIs and blocking in real time for abnormalities and misuse is critical. In addition, applying security in the CI/CD pipeline is vital to securing your applications before production. It's a hard challenge, but covering the entire lifecycle of an application from development to production can help mitigate against attacks such as the ones LockBit is known for."