Symantec Security Summary - June 2021

Ransomware payback. Amidst the cascade of fresh ransomware attacks, we finally heard some positive news: A rare recovery of the ransomware paid out to a criminal enterprise.

The U.S. Department of Justice clawed back the majority of the cryptocurrency ransom Colonial Pipeline paid out to hackers after cyber criminals hacked its IT network last month, crippling fuel deliveries up and down the East Coast. The giant East Coast pipeline company, which shut down operations for 11 days after the attack that led to gas shortages and price hikes, confirmed it paid $4.4 million in bitcoin to the DarkSide ransomware gang. DarkSide operates from Eastern Europe under a ransomware-as-a-service model and claims that it’s apolitical and not linked to any nation states.

According to Deputy Attorney General Lisa Monaco, the FBI recovered 63.7 Bitcoins out of the approximately 75 originally paid out by Colonial Pipeline. Investigators, who tracked the ransom payment across multiple Bitcoin addresses, recouped most of the funds after gaining access to the private key or password for one of DarkSide’s Bitcoin wallets, although there were no specifics on tactics. The recovery operation was the first for the Biden Administration’s recently-formed ransomware and digital extortion task force. “Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response,” said Monaco. The DOJ has also said it plans to coordinate anti-ransomware efforts with the same set of protocols used for terrorism.

DarkSide has reportedly collected more than $90 million in bitcoin ransoms. But in a twist, the group itself became a victim when it lost access to servers and its cryptocurrency was transferred to an unknown wallet in May. The Washington Post reports the U.S. government was not behind the disruption to DarkSide’s operations.

High-profile targets. Colonial Pipeline isn’t the only big player targeted by the latest spate of ransomware attacks. JBS, a major meat producer, also suffered a ransomware attack that affected IT systems in North America and Australia, prompting it to shut down plants and alert customers and suppliers to possible delayed transactions. In a statement, the FBI attributed the JBS attack to the REvil ransomware gang (aka Leafroller and Sodinokbi) and “pledged to work diligently to bring the threat actors to justice.” It also emphasized the importance of private sector partnerships in ensuring a quick response to the increasing number of cyber intrusions.

Meanwhile, JBS reported “significant progress” in resolving the attack that hit its North American and Australian operations.

REvil, which has been linked to Russia, has taken credit for hacking Taiwanese hardware supplier Quanta Computer and has published secret Apple device blueprints in the past. Now the group appears to be escalating with an alleged representative of the ransomware gang threatening to double focus on U.S. targets. In an interview posted to the Russian OSINT Telegram channel, since deleted, the purported spokesperson made those assertions while also claiming the group is not afraid of being considered a terrorist organization. In response to U.S. actions, the REvil spokesperson said, “since there’s no point in avoiding the U.S. targets anymore, we have lifted all restrictions. From now on, every entity in this country can be targeted.”

A global battlefield. It’s not just the United States struggling with rising ransomware threats. Japanese conglomerate Fujifilm had to shutter part of its network in early June when it became aware of a ransomware attack. The company said it took measures to suspend all affected systems in coordination with its various global entities and was working to assess the extent and scale of the issue. Fujifilm didn’t specify what ransomware group was behind the attack, but BleepingComputer reported that Advanced Intel CEO Vitali Kremez said the company appeared to be infected with the Qbot malware as of May 15, 2021. Qbot works with the REvil ransomware group, Kremez alleged.

In other random ransomware news, the Steamship Authority, which operates ferries to Massachusetts’ Martha’s Vineyard and Nantucket islands, was hit with an attack. The company said the incident impacted its IT systems, not its radar or GPS functionality so the safety of its fleet was not in jeopardy. No word yet on who was responsible for the attack, and while service was not interrupted, ticketing systems were affected.

Internet outage. When many of top web sites went offline briefly earlier this month—Amazon, Reddit, and The New York Times, to name a few—the kneejerk reaction was another cyber attack, this time on Fastly, which operates a content delivery network (CDN). Fastly, which got its network back up in short order, attributed the problem to a software bug that was triggered by a valid customer configuration change. The company is now trying to figure out why the bug didn’t surface during testing.

Gone phishing. Microsoft is warning that the Russia-backed hacking group Nobelium is orchestrating a phishing campaign after wrestling control of the account used by the United States Agency for International Development (USAID) on the email marketing platform Constant Contact. The phishing campaign has targeted approximately 3,000 accounts linked to government agencies, think tanks, consultants, and non-government organizations and is mostly surfacing in the United States. The backdoor could be a vector for a range of nefarious activities, from data theft to infecting other computers on a network.

Like ransomware, phishing should be setting off alarms. A new report from Barracuda Networks found that phishing emails smuggled past security defenses tend to stay in employee inboxes for more than three days, on average. Some good news: Only 3% of employees receiving phishing emails either open the malicious attachment or follow the link.

Against a firestorm of cyber security threats, it’s nice to know we’re making a modicum of progress.