The worst cyber attacks of 2021

Pierluigi Paganini January 03, 2022

Which cyber attacks of 2021 had the greatest impact on organizations worldwide in terms of financial losses and disruption of operations?

CNA Financial (March 2021) – CNA Financial, one of the largest insurance companies in the US, reportedly paid a $40 million ransom to restore access to its files following a ransomware attack that took place in March.

According to Bloomberg, CNA Financial opted to pay the ransom two weeks after the security breach because it was not able to restore its operations. Bloomberg was informed about the payment by two people familiar with the attack.

The company's systems were infected with Phoenix Locker, a variant of the ransomware tracked as Hades, which was part of the arsenal of the cybercrime group known as Evil Corp.

Microsoft Exchange Server massive attacks (March 2021) – At least tens of thousands of Microsoft customers, including businesses and government agencies, may have been hacked since January by what are allegedly China-linked APT groups.

At least one China-linked APT group, tracked as HAFNIUM, chained multiple Exchange Server vulnerabilities (listed below) to compromise on-premises Exchange servers, access email accounts, and install backdoors to maintain access to victim environments.

The attacks started in January, but the attackers' activity intensified in the weeks before the public disclosure, according to the experts at security firm Volexity. Volexity experts were investigating the compromise of Microsoft Exchange servers belonging to their customers when they discovered that the attackers had exploited a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855).

Microsoft confirmed the attacks against Exchange servers, which aimed at stealing emails and installing malware to gain persistence in the target networks.

The IT giant released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions; all four were being actively exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued Emergency Directive 21-02 in response to the disclosure of the zero-day vulnerabilities in Microsoft Exchange.

Colonial Pipeline (May 2021) – The Colonial Pipeline facility in Pelham, Alabama, was hit by a cyber attack in May, and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York and supplies 45 percent of the East Coast's fuel. The U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried out by the DarkSide ransomware gang.

Multiple media outlets, citing people familiar with the matter, reported that the company had initially refused to pay the ransom. However, the rapid restoration of operations was suspicious and suggested that the operators of the Colonial Pipeline had paid the ransom.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the decryption tool was too slow, the company restored its systems from backups instead.

JBS USA (May 2021) – On May 30, the American food processing giant JBS Foods, the world's largest processor of fresh beef, was forced to shut down production at multiple sites worldwide following a cyber attack.

The cyber attack impacted multiple production plants of the company worldwide, including facilities located in the United States, Australia, and Canada. JBS USA disclosed the cyber attack in a press release, stating that the attack had a severe impact on infrastructure located in Australia and North America.

In early July, the US FBI announced that the REvil ransomware gang (also known as Sodinokibi) was behind the attack, and a week later JBS admitted paying an $11 million ransom to the criminal group, which had initially demanded $22.5 million.

Kaseya (June 2021) – In June, the REvil ransomware gang hit Kaseya, the software provider behind the cloud-based VSA platform used by managed service providers (MSPs). Kaseya announced that fewer than 60 of its customers and fewer than 1,500 downstream businesses had been impacted by the supply-chain ransomware attack.

The REvil ransomware operators initially compromised Kaseya VSA's infrastructure, then pushed out malicious updates to VSA on-premises servers to deploy ransomware on enterprise networks.

The ransomware gang exploited a zero-day vulnerability in Kaseya VSA servers, tracked as CVE-2021-30116, that had been discovered by the Dutch Institute for Vulnerability Disclosure (DIVD) and reported to the company.

Kaseya was still validating the patch before rolling it out to customers when the REvil operators exploited the flaw in the massive supply-chain ransomware attack. The REvil gang initially demanded $70 million worth of Bitcoin to decrypt all systems impacted in the Kaseya supply-chain ransomware attack.

At the end of July, Kaseya provided a universal decryptor to its customers; experts speculated that the company had paid the gang to obtain it.

Log4j (December 2021) – Since the public disclosure of an exploit for the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j library, threat actors have been exploiting it in the wild, along with other Log4j flaws (CVE-2021-45046, CVE-2021-4104, and CVE-2021-42550).

These vulnerabilities can allow threat actors to execute arbitrary code on the target systems, trigger a denial-of-service condition, or disclose confidential information.
