Ransomware groups rack up victims among corporate America
Earlier this month, the American defense giant Boeing joined one of corporate America’s fastest growing clubs: firms who have been breached by a new generation of increasingly brazen cybercriminals.
Last week, the hacking crew calling itself LockBit posted posted roughly 43 gigabytes of company data belonging to Boeing’s parts and distribution businesses, but that was just one of a string of breaches affecting major U.S. corporations — firms that in theory should have fairly mature defenses — carried out by hackers linked to the cybercriminal underground known as the Com, ALPHV, LockBit and Lapsus$.
Among their victims are Boeing, Clorox, Caesars Entertainment, Microsoft, MGM Resorts, Nvidia, Samsung, Okta and the Industrial and Commercial Bank of China (ICBC).
Claiming victim after victim in the American corporate landscape, these hacking groups are managing to breach well resourced corporations nearly at will, stealing data, extorting victims and shaming them along the way.
“It’s kind of like a lightning strike in the sense that if they want to go after you, they’ll probably have a fair bit of success, for most companies,” said Tom Uren, formerly of the Australian Signals Directorate and a current editor with Seriously Risky Business cybersecurity news. “It’s just whether they happen to have you in their sights.”
On Tuesday, the Cybersecurity and Infrastructure Security Agency, the FBI and Australia’s signals intelligence agency released an advisory drafted with Boeing’s input describing how LockBit was able to penetrate the defense contractor.
According to the advisory, LockBit affiliates exploited a Citrix vulnerability tracked as CVE-2023-4966 and “Citrix Bleed” that was was first exploited in the wild in August, according to Mandiant. That vulnerability has been widely exploited by multiple ransomware groups to target a major law firm, a major Australian shipping company and was used to breach ICBC, according to the researcher Kevin Beaumont.
The breach of ICBC resulted in disruptions of the U.S. Treasury market, a linchpin of the global financial system.
Citrix disclosed the vulnerability on Oct. 10 and issued patches shortly after, but the vulnerability continues to be exploited. CISA has notified nearly 300 organizations that are potentially vulnerable to the exploit, a senior CISA official said Tuesday, although there are likely additional vulnerable organizations.
According to data collected by GreyNoise, a company that tracks malicious activity online, there are nearly 360 active hosts potentially working to exploit the vulnerability as of Tuesday.
The failure to patch widespread vulnerabilities like these have created a lucrative cybercriminal landscape for groups like LockBit, which refers to the collective name for the ransomware variant, the group that develops and maintains it, and their affiliates. The group has carried out more than 1,400 attacks against victims in the U.S. and around the world since January 2020, a senior FBI official said Tuesday, making at least $100 million in ransom demands and collecting ransom payments in the tens of millions from victims.
In the absence of law enforcement actions against these criminal hackers, there is little reason to believe these attacks will let up any time soon. The FBI has taken “some actions to date specifically against LockBit and continue to pursue enforcement opportunities when and where we can take them,” the senior FBI official said.
Cybersecurity experts for years have advised companies to follow basic cybersecurity hygiene protocols, and the situation has improved, experts say. But the major successes of LockBit and others of late show that there’s still a long way to go with the basics — such as patching vulnerable software and systems.
“The controls that most organizations have in place to protect their data, such as [data loss prevention], seem to be failing with serious consequences,” said Allan Liska, an intelligence analyst with Recorded Future. “But, it is not just data within an organization’s network that is of concern. Ransomware groups are able to pull data from your cloud, your vendors’ clouds, your vendors’ vendors’ clouds and so on.”
Organizations need to better improve their monitoring and controlling the entire data supply chain, he said, because “the ransomware groups don’t care where they get your data from they just care that they have it and can use it to extort you.”
Even as companies have improved their defenses, a spate of recent high profile attacks have social engineering attacks that modern security systems are struggling to prevent. These attacks involve calls to things like IT help desks, where individuals who control access to a system or network are convinced over the phone to give up credentials.
A recent report from Coveware, a firm specializing in cyber extortion incident response, noted IT help desks are designed to solve problems for customers quickly and that this is creating an easy way in for attackers.
“In several of the cases we studied, it was clear that the IT support team’s incentives (speed to resolution) abetted the social engineering,” Coveware wrote. “This is not an easy problem to solve, but we commend the enterprises that have mitigated the risks. These fixes meant increased costs and a mild deprecation to the employee stakeholder experience, for the sake of security.”
Jon DiMaggio, the chief security strategist with Analyst1 who has written extensively on the internal workings of LockBit, said that while there are only a few groups with the “skill and talent and creative ability to do some of these more advanced attacks,” these crews, particularly those associated with the AlphV attacks, are becoming much better at social engineering.
Many major companies still have problems with the cybersecurity basics, DiMaggio said, let alone building help desks that are tough to manipulate. “It’s tough, but they have to change,” DiMaggio said. “Trying to focus on helping people and helping your clients can’t always be number one anymore.”
That might slow response times, he noted, but that’s “a lot better than having to lose ungodly amounts of money, having your reputation destroyed and everything else.”
