Meat held for ransom.
JBS, the Sao Paulo-based multinational meat processing company, sustained a ransomware attack this past Sunday. Company servers in the US and Australia were hit, inducing the company to shut down some operations in Australia, the US, and Canada. Operations elsewhere were unaffected. The company summarized the incident in a media release. A follow-up announcement Tuesday said that JBS had begun resuming deliveries to its customers. No customer, supplier, or employee information appears to have been compromised.
JBS said Thursday that it had resolved the ransomware attack it sustained on Sunday, and that operations had returned to normal. The company's statement reads in part, "The company’s swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery. As a result, JBS USA and Pilgrim’s were able to limit the loss of food produced during the attack to less than one day’s worth of production. Any lost production across the company’s global business will be fully recovered by the end of next week, limiting any potential negative impact on producers, consumers and the company’s workforce."
All things considered, the response seems to have been swift and effective, and it will be interesting to see what lessons may emerge from JBS's experience. The impact of the incident on food availability (and price) appears to have been limited, and HuffPost observes that there appears to have been no impact on food safety whatsoever, which is unsurprising given the nature of the attack.
The BBC quotes the White House as saying, “JBS notified [the White House] that the ransom demand came from a criminal organisation likely based in Russia. The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.” Russia's Deputy Foreign Minister Sergei Ryabkov confirmed that the US Government had been in touch with Moscow.
The industry publication Beef Central has an account of the effect of ransomware on a food processor: “Like all large meat processors virtually every part of the modern JBS processing business is heavily reliant on computer systems and internet connectivity for record-keeping, regulatory documentation, sortation and countless other functions.” The attack on JBS was, like the earlier attack on Colonial Pipeline, “brazen,” in that, as Recode reports, they picked a high-profile target where an attack would achieve general notoriety.
The US FBI has attributed the ransomware attack against multinational food processor JBS to the REvil (a.k.a. Sodinokibi) criminal gang. The Bureau's statement reads in full:
"As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. A cyberattack on one is an attack on us all. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices."
BleepingComputer notes that REvil is an affiliate operation that surfaced in April of 2019. The gang, which operates from Russia, is generally regarded as a successor to the GandCrab group, which itself nominally suspended operations in June of that year. REvil told BleepingComputer last October that the gang itself cleared more than $100 million in profit annually. They may have at least two revenue streams: direct ransom payment and the proceeds from auctioning victims' stolen data. REvil's claims about its revenues and operations are difficult to corroborate, but the gang at least gives the appearance of being financially motivated.
As with other Russian criminal groups, however, their activities now arouse suspicions that they're state-tolerated cyber privateers, and that their motivations may be complex. Utah Public Radio quotes Ryan Larsen, a Utah State farm management extension specialist, who said, “When you read that a large percentage of the meat processing has been hacked, it causes concerns for citizens. So, I think a lot of the motivation was purely just to cause concern and to scare people." Fox News talked to various experts who thought that the prospect of the JBS hack's being a "dry run" for a more damaging operation was "slightly paranoiac," albeit possible. On balance, the consensus holds that the rise in ransomware attacks has been driven by criminals' realization that there was a great deal of money to be made from extortion. ABC News reasonably sees a convergence of contributing factors: "Ransomware strikes have surged over the past year due to a confluence of factors, experts say, including the rise of hard-to-trace cryptocurrency, a work-from-home boom that has resulted in new IT vulnerabilities and a political climate marked by ongoing tensions between the U.S. and Russia -- the nation from which many of these attacks are believed to emanate."
Cozy Bear sighting?
Last Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an Alert on the spearphishing incident in which USAID credentials for Constant Contact's email service were abused to send phishing emails to a range of victims. Microsoft last week attributed the campaign to the Russian threat actor Nobelium, but CISA's Alert is noteworthy for specifically declining to offer attribution. It was updated Saturday to read: "CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time." They'll provide updates as their investigation proceeds. The incident is still to be taken seriously, and CISA has advice on defense, but official attribution will have to wait.
The US Department of Justice on Tuesday announced the seizure of domains the USAID impersonators used to control the Cobalt Strike tools they implanted in their victims’ networks.
Mustang Panda sighting?
Check Point describes a Chinese cyberespionage campaign that deploys a novel Windows backdoor to gain access to a Southeast Asian government's sites. The campaign "placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times." ESET researchers who've been working on the case tweeted that the affected government was Myanmar's, and that the responsible threat group is Mustang Panda. The Record reports that the attack effectively transformed the country's presidential website into a watering hole.
Update on Apostle, a wiper that masqueraded as, then evolved into, ransomware.
The Iranian wiper "Apostle" (described last week by SentinelOne) posed as ransomware in a campaign against Israeli targets. It's recently acquired genuine ransomware capabilities. WIRED has an overview of the campaign, and CPO Magazine notes that one motivation for the imposture is false-flagging: Tehran's operators appear to have wished to be taken for a Russian ransomware gang.
Other ransomware attacks are reported.
The Steamship Authority, which operates ferries in the US state of Massachusetts, has disclosed that it suffered a ransomware attack. Ferries continue to run, and there's no reported safety-of-navigation issue, but customers’ ability to book tickets and pay for them has been disrupted. The Steamship Authority recommends using cash to ride.
The Record reports that Cox Media livestreams were interrupted Thursday in what multiple sources tell the Record was a ransomware attack.
A largely unsuccessful ransomware attack against New York's Metropolitan Transportation Authority (MTA) is being attributed, BleepingComputer writes, to a Chinese threat actor that exploited a Pulse Secure vulnerability to gain access to MTA systems. SC Magazine speaks with industry sources who express concern that the operation may be a harbinger of more to come, especially if the group responsible should prove closely connected to the Chinese government.
BlackBerry reports that the Avaddon ransomware operators now pose a "triple threat," adding the prospect of distributed denial-of-service to the familiar threats of encryption and data theft.
Recent high-profile ransomware attacks have spawned a large brood of unrelated but obviously parasitic phishing campaigns. INKY has been tracking some of them, and finds that the emails represent themselves as coming from a more plausible than usual "help desk," and they announce a security upgrade prompted by the Colonial Pipeline incident. The recipients are asked to download a “ransomware system update” from an external site. That site, of course, is malicious.
European governments ask for explanations of US surveillance.
Over the weekend European journalists published results of an investigation linking US intelligence services to Danish organizations believed to have cooperated in enabling US surveillance of targets in Germany, France, Sweden, and Norway between 2012 and 2014. The Washington Post reports that France's President Macron says that's no way to treat an ally; the AP records similar reactions from other European governments. Danish politician Karsten Hoenge stated, "The government must explain how come Denmark has been acting as a willing tool for a U.S. intelligence service, and what it will mean for cooperation with Denmark’s neighboring countries."
Cisco has released patches for several high-severity vulnerabilities affecting Webex, Cisco SD-WAN, and Cisco ASR 5000 Series. CISA amplified the news, emphasizing that "An attacker could exploit some of these vulnerabilities to take control of an affected system."
Crime and punishment.
Two members of the Carbanak cybercriminal group have been sentenced to eight years in prison in Kazakhstan, The Record reports. The court found the individuals guilty of stealing 2 billion tenge ($4.6 million) from Kazakh banks, and of attempting to steal another 8 billion tenge ($18.6 million).
A 17-year-old high school junior in Florida has been expelled after hacking into the Pinellas County school district's network earlier this year and cutting off internet access for 145 schools for two days, the Tampa Bay Times reports. The attack was especially inconvenient because it coincided with a period of testing. The teen said he carried out the attack after seeing a video on the vulnerability of school networks. He added that he immediately regretted what he’d done, but that "[b]y the time it was done, there was no way to undo it."
Courts and torts.
In a 6-3 majority decision, the US Supreme Court has limited the scope of the Computer Fraud and Abuse Act (CFAA) by ruling that the law can't be used to prosecute someone for misusing a computer that they're permitted to access, Politico reports. The three dissenters were Justice Thomas, Chief Justice Roberts, and Justice Alito. The case involved a police officer who was paid to run a woman's license plate for non-law-enforcement purposes, violating the department's policy but using his own legitimate access to the system.
The ruling, written by Justice Barrett, states, "The Government’s interpretation of the 'exceeds authorized access' clause would attach criminal penalties to a breathtaking amount of commonplace computer activity. For instance, employers commonly state that computers and electronic devices can be used only for business purposes. On the Government’s reading, an employee who sends a personal e-mail or reads the news using a work computer has violated the CFAA. The Government speculates that other provisions might limit its prosecutorial power, but its charging practice and policy indicate otherwise. The Government’s approach would also inject arbitrariness into the assessment of criminal liability, because whether conduct like Van Buren’s violated the CFAA would depend on how an employer phrased the policy violated (as a 'use' restriction or an 'access' restriction)."
Justice Thomas, in his dissenting opinion, wrote, "Much of the Federal Code criminalizes common activity," and "discomfort" with that fact "does not give us authority to alter statutes." He added, "A valet, for example, may take possession of a person’s car to park it, but he cannot take it for a joyride."
Policies, procurements, and agency equities.
The attack on JBS is the second major ransomware incident to disrupt a large player in a sensitive sector in as many months. May saw DarkSide's attack on Colonial Pipeline, and now REvil has hit a major meat supplier. Reuters reports that most affected JBS plants resumed operation yesterday, but the incident, following as closely as it did on the Colonial attack, has put a burr under American saddles as President Biden prepares for a summit with his Russian counterpart later this month. "We're not taking any options off the table in terms of how we may respond, but of course there's an internal policy review process to consider that. We're in direct touch with the Russians, as well, to convey our concerns about these reports," White House press secretary Jen Psaki said.
The ransomware attacks are an increasingly sensitive issue in Russo-American relations because of the evidence that gangs like REvil and DarkSide (and there are many others) operate with the permission (at least tacitly) and effectively under the protection of the Russian state. The Washington Post reports that President Biden intends to "hammer" President Putin over the gangs during their summit, but there's general skepticism that a diplomatic protest, however starchy, will have much effect. The Russian response to complaints about its misbehavior is traditionally to demand evidence, so that Russia and the complaining parties can jointly investigate and arrive at some consensus. The Post quotes Jim Lewis of the Center for Strategic and International Studies on what's likely to happen at the summit: “The president is very determined on this, but the first thing Putin will do is say, ‘prove it.’ And he doesn’t mean ‘prove we did it.’ He means ‘prove you’ll do something back.’ ” Absent some proportional retaliation that hurts the interests of people who count, few see much prospect of a change in Russian policy with respect to cyber privateering.
Some, like NBC News, report that US patience with ransomware, especially state-tolerated or state-encouraged ransomware, is nearing an end, and that naming, shaming, and sanctions may have run their course as effective responses. "They are hair on fire," a former US official said of the Administration, and retaliatory cyberattacks may be under study, and perhaps under active consideration.
Reuters says the Justice Department will accord ransomware attacks the same priority it gives terrorism. The New York Times interprets an advisory letter from Deputy National Security Advisor Neuberger as a call for all organizations to adopt Federal contractor cybersecurity standards.
Fortunes of commerce.
The Wall Street Journal reports a surge this week in some meme stocks, that is, a rapid rise in share prices driven by speculative chat in various social media. AMC Entertainment and BlackBerry, both popular with individual retail investors, are among the meme movers. Also surging some ten percent was Samsung Entertainment, after a casual Elon Musk tweet about the kiddie song "Baby Shark" (owned by Samsung Entertainment) pumped investment. Increased liquidity the US Federal Reserve introduced into American markets last year is seen as the root cause of the speculative jumps, with social media providing powerful amplification. GameStop's rise in January and the short squeeze it produced was the first famous instance of meme speculation.