DarkSide extracts $4.4m ransom from German chemical distribution company
Earlier this week, when the DarkSide ransomware group forced U.S. pipeline giant Colonial Pipeline to pay $5 million in ransom to restore operations, it also extracted a ransom payment of $4.4 million in Bitcoin from Brenntag, a German chemical distribution company.
According to Bleeping Computer, Brenntag had no choice but
to pay the ransom after the ransomware group targeted the company's North
American division, encrypted corporate devices, and stole up to 150GB of data,
including unencrypted files. The group reportedly gained access to the Brenntag
North America network after purchasing stolen credentials from another entity.
Headquartered in Essen, Germany, Brenntag is among the
world's largest chemical distribution companies, operating in 77 countries and
employing over 17,000 people. The company has more than 190 distribution sites
in the United States and Canada and boasts around 40,000 customers in the region.
It is also the market leader in Latin America and earned a revenue of €12.8
billion in 2019.
After encrypting the company's devices and files, the
DarkSide ransomware group demanded a ransom of 133.65 Bitcoin (£4.58 million)
but after protracted negotiations with the company, finally accepted the
payment of £3.12 million on May 11. As in most such cases, the company has not
disclosed the incident on its customer-facing sites.
The incident is a textbook case of why it is necessary for
organisations to continuously protect user credentials, reset credentials
regularly, and implement multi-factor authentication to protect devices and
user accounts from unauthorised access. The fact that a ransomware group used
stolen credentials to hack into a global corporation's network so easily
demonstrates that credential management is still not being prioritised by
organisations. Brenntag North America has learned the lesson the hard way.
What's worse is that even cybersecurity companies have
suffered breaches as a result of not being able to detect the theft of user
credentials. In 2019, Czech antivirus service provider Avast admitted that
hackers used stolen VPN credentials and exploited the lack of two-factor
authentication to successfully access its internal network on seven occasions
between May 14 and September 23 that year.
The affected VPN account enjoyed domain admin privileges
even though the user whose credentials were being used did not have domain
admin privileges. The firm found that the hacker, who stole the credentials,
carried out a successful privilege escalation while using a public IP hosted
out of the UK.
In November 2019, a study conducted by ImmuniWeb revealed
that hackers plundered over 21 million login credentials from Fortune 500
companies and over 16 million of them were stolen and posted on Dark Web
platforms in a twelve-month period. 95% of the 21 million stolen credentials
were "unencrypted, or brute-forced and cracked by the attackers, plaintext
passwords".
The study also revealed that only 4.9 million of the 21
million stolen credentials were unique, indicating that the widespread practice
of employees using identical or similar passwords is still in place at the
world's largest organisations.
"All these stolen login credentials belonging to Fortune 500
companies were found pasted on resources within the TOR network, across various
web forums, Pastebin, IRC channels, social networks, messenger chats and many
other locations notorious for offering, selling or distributing stolen or
leaked data," ImmuniWeb said.
"These numbers are both frustrating and alarming. The
great wealth of stolen credentials accessible on the Dark Web is a modern-day
Klondike for mushrooming threat actors who don’t even need to invest in
expensive zero-day or time-consuming APTs. With some persistence, they easily
break in unnoticed by security systems and grab what they want. Worse,
many such intrusions are technically uninvestigable due to lack of logs or
control over the breached [third-party] systems," said Ilia Kolochenko,
CEO and Founder of ImmuniWeb.
"In the era of cloud, containers and continuous
outsourcing of critical business processes, most organizations have lost
visibility and thus control over their digital assets and data. You cannot
protect what you don’t see, likewise you cannot safeguard the data if you don’t
know where it’s being stored and who can access it. Third-party risks immensely
exacerbate the situation by adding even more perilous unknowns into the game.
"A well-thought, coherent and holistic cyber security
and risk management programme should encompass not just your organisation but
third parties in a continuous and data-driven manner," he added.