Cybercriminals continue to penetrate the security systems of business enterprises through various techniques. Ransomware, malicious software that encrypts data until a ransom is paid, is one of the techniques malicious actors use against information security systems. For hackers, ransomware is a gift that keeps giving: annually, hackers receive around $1 billion through ransomware attacks.
In recent times, supply chains have been the subject of ransomware attacks. One of such attacks was aimed at the meat processing company, JBS. It was hit with a ransomware attack that caused the temporary shutdown of its operations in Australia, Canada, and the United States. Colonial Pipeline, the largest fuel pipeline in the United States, was also on the receiving end of a notorious ransomware attack.
Cybercriminals are notorious for exploiting undetected, and sometimes neglected, vulnerabilities to penetrate systems; the JBS and Colonial Pipeline breaches followed this pattern. In both cases, Russian-speaking ransomware groups were responsible: the DarkSide ransomware group attacked Colonial Pipeline, while REvil was behind the JBS breach.
JBS and Colonial Pipeline breaches followed textbook ransomware attack tactics. Read on to understand five lessons from these cyberattacks.
From Fuel to Meat: How Colonial and JBS Cyber Breaches Happened
In cybersecurity speak, vulnerabilities are weaknesses in information systems that threat actors can exploit. Weak or compromised passwords are examples of system vulnerabilities. True to the nefarious pattern of threat actors, a compromised password was used to penetrate the internal system of the Colonial Pipeline.
According to Bloomberg, the password of a virtual private network (VPN) belonging to a Colonial Pipeline employee was the intrusion point of the cyberattack. Obtaining the password is one thing; gaining entry to the internal system is another story. However, the intrusion became easy because the compromised VPN account lacked multi-factor authentication (MFA) protection. Without MFA on the VPN network, malicious actors had the unsanctioned green light to penetrate the system of Colonial Pipeline. Shortly after the infiltration, a ransom note demanding payment in cryptocurrency was sent to the control room of Colonial Pipeline.
The JBS attack demonstrated the willingness of hackers to include food industries on the breach menu. According to SecurityScorecard, the intrusion of JBS occurred through compromised credentials of JBS employees that were available on the dark web. The timeline of the JBS attack is listed below:
- Feb 2021: The hackers used stolen credentials from JBS employees to conduct reconnaissance, the act of gathering relevant information about a potential target. The reconnaissance likely began over Remote Desktop Protocol (RDP), a remote access protocol that lets a user operate a desktop computer from another computer at a remote location.
- March-May 2021: Exfiltration of up to 5 terabytes (TB) of sensitive data through MEGA, a file-sharing and cloud storage service, to different locations, including Hong Kong.
- June 2021: Malicious actors demand ransom after encrypting the system of JBS.
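The months-long exfiltration in the timeline above is the stage a defender can most readily spot in their own telemetry. The following is an added example, not code from the original post or from either company's environment: it sums client upload volume per internal host to cloud file-sharing destinations over a few constructed proxy log lines and flags hosts that exceed a threshold. The log format, host names and the watched-domain list are assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log lines (not from the original post):
# timestamp, source host, destination host, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2021-03-02T01:14:09Z ws-finance-07 mega.nz 734003200
2021-03-02T01:52:41Z ws-finance-07 mega.nz 812646400
2021-03-02T09:10:03Z ws-hr-02 sharepoint.example.com 12582912
2021-03-03T02:07:55Z ws-finance-07 mega.nz 901775360
2021-03-03T10:31:18Z ws-eng-11 mega.nz 5242880
"""

# Cloud storage / file-sharing destinations worth watching (assumed list).
WATCHED_DESTINATIONS = {"mega.nz", "mega.co.nz"}


def parse_log(text):
    """Yield (timestamp, src_host, dst_host, bytes_out) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        yield ts, src, dst, int(sent)


def upload_totals(text, watched=WATCHED_DESTINATIONS):
    """Sum bytes sent per source host to the watched destinations."""
    totals = defaultdict(int)
    for _ts, src, dst, sent in parse_log(text):
        if dst in watched:
            totals[src] += sent
    return dict(totals)


def flag_exfiltration(text, threshold_bytes=1 * 1024**3):
    """Return hosts whose cumulative upload to watched destinations exceeds
    threshold_bytes (default 1 GiB). A small, legitimate upload such as the one
    from ws-eng-11 stays below the threshold and is not flagged."""
    return sorted(h for h, b in upload_totals(text).items() if b > threshold_bytes)


if __name__ == "__main__":
    for host, total in upload_totals(SAMPLE_PROXY_LOG).items():
        print(f"{host}: {total / 1024**2:.0f} MiB to watched destinations")
    print("flagged:", flag_exfiltration(SAMPLE_PROXY_LOG))
```

In practice the threshold should be tuned per environment and the totals computed over a sliding window, since a slow transfer spread across weeks, as at JBS, will not trip a per-day rule.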
5 Lessons from JBS and Colonial Pipeline Breaches
Threat actors continue to invent methods to penetrate security systems. In recent years, ransomware attacks have evolved from a “spray and hit” technique to a sophisticated threat with a huge financial payout. Data-rich businesses such as the financial sector, credit card agencies, and the healthcare sector are constantly on the radar of threat actors.
But in recent times, new supply chains, such as the food industry and the oil and gas sector, have joined the list of industries that hackers target. The reason for the shift is simple: most supply chains, especially the food and agriculture industries, don’t prioritize cybersecurity. Moreover, publicly catalogued vulnerabilities (Common Vulnerabilities and Exposures, CVE) are a big worry for the food industry, as the recent attack on JBS shows. Below are 5 valuable lessons from the recent JBS and Colonial Pipeline cyber breaches.
1. MFA is Important
MFA provides an extra layer of security. Aside from a password, MFA requires an additional piece of information, such as a one-time password (OTP), a passcode, or biometric authentication (e.g., fingerprint, face, or iris/retina), before granting access to a network. One reason you need MFA is the high possibility of password theft, as seen in the JBS breach. MFA ensures that only authorized personnel gain access to information networks and accounts.
2. Private Networks Need Protection
Large and small businesses use private connections such as VPN and RDP for flexible, controlled remote access. However, like passwords, private connections are vulnerable, especially unpatched VPN services. Safety tips to protect your private connections include:
- Patch your private connections: Unpatched software is a disaster waiting to happen, as it contains bugs that threat actors can exploit. According to the Ponemon Institute Vulnerability Survey, unpatched vulnerabilities caused 60% of data breaches—including the infamous Equifax breach in 2017. Install fixes, also known as “patches”, on your private networks for maximum security.
- Use password managers: Password managers generate and store unique passwords in a secure database. Password managers are a cost-effective way to manage your login credentials. They also offer extra security features such as MFA and dark web monitoring, notifying you if your data is on the dark web. Common password managers you can use include LastPass, Dashlane, and 1Password.
3. Implement Incident Response Management
Cybersecurity success rises and falls on incident response, the ability to detect, eradicate, and recover from cyber intrusions. Incident response management comprises the personnel, policies, and procedures needed to manage incidents. Without an incident response plan, you risk making unsafe cybersecurity decisions, especially during a cyber breach.
Beyond having a plan, your incident response personnel must have the autonomy to make safe cybersecurity decisions to protect your system. The decisions to go offline (as in the JBS and Colonial Pipeline breaches), conduct an audit, or notify the relevant individuals and authorities should be within the jurisdiction of your incident response team, especially during a cyber breach.
4. Train Your Employees
Your employees are your biggest cybersecurity asset. Employee negligence is responsible for over 40% of security breaches. For instance, compromised employee credentials kickstarted the JBS and Colonial Pipeline attacks. This is why you should train your employees in cybersecurity protocols such as private network and password management, MFA implementation, and recognizing phishing techniques.
5. Install a Disaster Recovery and Backup Plan
Data backup is one of the safest ways to protect data. Data backup plans, especially cloud storage options, boost data accessibility and security. Sometimes a security bypass is inevitable, and that’s why you should implement the 3-2-1 backup rule. Under the 3-2-1 rule, you should store your data as follows:
- Store 3 copies of the same file (a primary copy and 2 backups).
- Store your file copies on 2 different storage media (e.g., local drive, network share, or tape drive).
- Store at least 1 file copy in a remote or offsite location.
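The three conditions above are easy to state and easy to drift away from as storage changes. The following is an added example, not code from the original post: it evaluates a backup inventory against the 3-2-1 rule exactly as the article defines it (the primary counts as one of the 3 copies) and reports which conditions fail. The inventory records and the medium labels are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str        # e.g. "local-disk", "network-share", "tape", "cloud"
    offsite: bool      # stored at a different physical site than the primary
    is_primary: bool = False


def check_321(copies):
    """Evaluate an inventory against the 3-2-1 rule.

    Returns a dict mapping each condition to True/False. As in the article,
    the primary copy is counted towards the 3 copies (primary + 2 backups).
    """
    media = {c.medium for c in copies}
    offsite_copies = [c for c in copies if c.offsite]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": len(offsite_copies) >= 1,
    }


def failures(copies):
    """Names of the 3-2-1 conditions the inventory does not meet (sorted)."""
    return sorted(rule for rule, ok in check_321(copies).items() if not ok)


# Constructed inventories for the example.
# WEAK: a nightly snapshot on the same disk as the primary. Ransomware that
# encrypts the disk takes the "backup" with it, and nothing is offsite.
WEAK = [
    BackupCopy("file-server", "local-disk", offsite=False, is_primary=True),
    BackupCopy("nightly-snapshot", "local-disk", offsite=False),
]
# GOOD: primary on disk, replica on a network share, third copy offsite in cloud.
GOOD = [
    BackupCopy("file-server", "local-disk", offsite=False, is_primary=True),
    BackupCopy("nas-replica", "network-share", offsite=False),
    BackupCopy("cloud-vault", "cloud", offsite=True),
]

if __name__ == "__main__":
    print("WEAK fails:", failures(WEAK))
    print("GOOD fails:", failures(GOOD))
```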
One takeaway from the recent cyber attacks is that no sector is off the radar of cybercriminals. Therefore, cybersecurity solutions should be a priority for every organization. However, keeping up-to-date with the recent cybersecurity tools and systems is challenging.
At NW Technologies, we’re here to take your cybersecurity burdens off your hands. Our professionals will help you manage your information technology (IT) systems with top-drawer tools, techniques, and expertise. Our services include cloud storage backup, dark web scanning, and vulnerability assessment. Our services are pocket-friendly and tailored to fit the needs of your organization. Reach us now to book a session with us.