June cyber news round-up

Multi-factor authentication being bypassed by hackers, $2.3m of Colonial Pipeline's ransom payment recovered, and more

Article 6 min Thu, Jun 24, 2021

It’s been another busy month in the world of cyber risk and security. While ransomware continues to be a main concern, bypassed multi-factor authentication (MFA) is an issue worth examining. Here’s our June recap of recent news in the world of cyber.

1. Scammers bypass Microsoft’s Office 365 MFA in BEC attacks

Microsoft 365 Defender researchers have disrupted the cloud-based infrastructure used by scammers behind a recent large-scale business email compromise (BEC) campaign. The attackers compromised their targets' mailboxes through phishing attacks and exfiltrated sensitive information from emails matching forwarding rules, allowing them to gain access to messages relating to financial transactions.

To evade detection and blend into normal communications, the scammers set up DNS records that almost matched those of their victims and performed different activities from different IPs and in different timeframes, making it harder to correlate their actions.

The cloud-based infrastructure allowed the attackers to automate operations at scale, including adding inbox and forwarding rules, monitoring compromised mailboxes, finding high-value victims, and dealing with forwarded emails.
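The forwarding rules and near-match domains described above are the artefacts a defender can hunt for. The following is an added example, not code from the article or from Microsoft: it audits a constructed export of mailbox rules (the `MailboxRule` shape and the placeholder domain `example-corp.com` are assumptions) and flags rules that forward finance-related mail externally, especially to lookalikes of the organisation's own domain.

```python
# Added example: audit mailbox rules for the BEC forwarding pattern (constructed data).
from dataclasses import dataclass
ORG_DOMAIN = "example-corp.com"  # assumed victim domain (placeholder)
FINANCE_TERMS = ("invoice", "payment", "wire", "remittance", "transfer")

@dataclass
class MailboxRule:
    mailbox: str
    name: str
    forward_to: list            # SMTP addresses the rule forwards/redirects to
    subject_contains: tuple = ()  # keywords the rule filters on

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-match lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN) -> bool:
    # True for an external domain within two edits of ours or embedding our name.
    domain, org_domain = domain.lower(), org_domain.lower()
    return domain != org_domain and (
        edit_distance(domain, org_domain) <= 2 or org_domain.split(".")[0] in domain)

def audit_rules(rules, org_domain: str = ORG_DOMAIN):
    """Return (mailbox, rule name, reasons) for every rule an analyst should review."""
    findings = []
    for rule in rules:
        reasons = []
        for addr in rule.forward_to:
            dom = addr.rsplit("@", 1)[-1].lower()
            if dom != org_domain.lower():
                reasons.append("forwards externally to " + dom)
                if is_lookalike(dom, org_domain):
                    reasons.append("destination domain resembles ours")
        if any(t in s.lower() for s in rule.subject_contains for t in FINANCE_TERMS):
            reasons.append("filters on finance keywords")
        if reasons:
            findings.append((rule.mailbox, rule.name, reasons))
    return findings
SAMPLE_RULES = [  # constructed sample export, not real data
    MailboxRule("cfo@example-corp.com", ".", ["ap@example-c0rp.com"], ("invoice", "wire")),
    MailboxRule("hr@example-corp.com", "Team", ["team@example-corp.com"]),
    MailboxRule("ap@example-corp.com", "Archive", ["me@mail-backup.net"]),
]
for mbox, rule_name, reasons in audit_rules(SAMPLE_RULES):
    print(f"{mbox} rule {rule_name!r}: {'; '.join(reasons)}")
```

A real export (for example from Exchange Online's inbox-rule cmdlets) would be mapped into `MailboxRule` before calling `audit_rules`; the internal rule is ignored, while the lookalike-domain rule collects three reasons.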

BEC attacks have been behind record-breaking financial losses every year since 2018. The FBI's 2020 annual report on cybercrime listed a record of more than $1.8 billion in adjusted losses reported last year.

2. JBS operations restored after ransomware attack

JBS, the world's largest beef producer, has confirmed that all of its global facilities are fully operational and operating at normal capacity after the REvil ransomware attack that recently hit its systems.

On May 31, JBS was forced to shut down production after REvil ransomware operators breached and encrypted some of its North American and Australian IT systems. JBS has facilities and operations in the United States, Australia, Canada, and the United Kingdom. It has over 245,000 employees worldwide and an extensive portfolio of brands sold to customers in roughly 190 countries on six continents.

JBS was able to get its systems back online sooner than expected since its backup servers were not impacted during the incident. The restoration of critical production systems was prioritised to reduce the impact on the food supply chain, producers, and consumers.

JBS received support from the US, Australian and Canadian governments, with the FBI and CISA offering technical support for the recovery. "The company's swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery," JBS USA said in a press release on Thursday. "As a result, JBS USA and Pilgrim's were able to limit the loss of food produced during the attack to less than one day's worth of production."

3. Fujifilm confirms ransomware attack, restores from backups

Japanese multinational conglomerate Fujifilm said it has refused to pay a ransom demand to the ransomware group that attacked its network in Japan last week and is instead relying on backups to restore operations.

The company’s computer systems in the US, Europe, the Middle East and Africa are now “fully operational and back to business as usual”, a Fujifilm spokesperson told Verdict.

Fujifilm, once known for selling photographic film but now a producer of biotechnology, chemical and digital imaging products, detected unauthorised access to its servers on June 1. On June 4, it confirmed that a ransomware attack was affecting a specific network in Japan and that it had shut down “all networks and server systems” while it investigated the extent and scale of the attack.

Fujifilm said it would not comment on the amount demanded by the ransomware gang.

4. FBI recovers $2.3 million of Colonial Pipeline ransom

The US has recovered most of the $4.4m (£3.1m) ransom paid to a cyber criminal gang responsible for taking the Colonial Pipeline offline last month.

DarkSide, which US authorities said operates from eastern Europe and possibly Russia, infiltrated the pipeline last month, causing supply disruption and fuel shortages. According to the firm, the pipeline carries 45% of the East Coast's supply of diesel, petrol and jet fuel.

Deputy Attorney-General Lisa Monaco said investigators had found and recaptured 63.7 Bitcoin worth $2.3m, the majority of the ransom paid. The value of Bitcoin has fallen sharply since the ransom was paid.

In a statement, Joseph Blount, Chief Executive of the Colonial Pipeline Company, said his firm was grateful for the "swift work and professionalism" of the FBI, which helped to recover the ransom. "Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks," he added.


Want to learn more about CFC’s cyber policy? Visit our product page or check out our other great cyber-related resources.