Security Brief: CICYBER
Week of 03/22/21 | Issue 16
Team: Alexandros Kouiroukidis, Costanza Pestarino, Priya Venkadesh, Elena Montaña, CICYBER
Acer Victim of High Demanding Ransom
Date: March 19, 2021
Location: Xizhi, New Taipei City
Parties involved: Acer, REvil
The event: A ransomware group by the name of REvil issued the largest ransom in history, demanding $50,000,000 from Acer. One REvil affiliate weaponized a Microsoft Exchange server vulnerability and targeted one of Acer’s Exchange servers on its domain. It is possible that this ransomware attack was executed because of the Microsoft Exchange exploitation but there has not been a confirmation on the matter. The ransomware group shared images containing Acer’s financial spreadsheets, bank balances, and bank communications on a data leak site as proof of their attack. REvil’s ransomware attack only affected Acer’s back-office network, leaving its production systems untouched. The attackers demand that the ransom be paid quickly, as the ransom is set to double if it is not paid by March 28th.
If Acer pays off the biggest ransomware demand in history, which is $50,000,000 or even $100,000,000 if not paid on time, extortion amounts that ransomware groups demand in the future will increase indefinitely. If other hacking groups possess the same power to carry out attacks like this, they will be inclined to demand the outrageous amounts that REvil is asking of Acer, because they are now aware of Acer’s financial status. This will most likely lead to a focus on high-tier companies from hackers and such companies will fall victim to ransomware attacks now more than ever. Acer needs to take a stand and refuse to pay this ludicrous amount because their action will have a long-term impact on how ransomware attacks are done. Ransomware continues to increase every year with the average extortion amount doubling in 2020. It will continue to increase regardless if Acer pays the extortion, but they will accelerate the increase if they do pay it. If demands are met there will be a surge of ransomware attacks over the years to come, as other hacking groups will be motivated by the new demands that companies are willing to pay to keep their systems running and data private.
Screenshots of the conversation between Acer associates and REvil on negotiating the demand of the ransom have been leaked by REvil on their data leak site. This shows that Acer most likely has not found an alternative solution to paying out the ransom. If this attack was carried out because of Microsoft Exchange vulnerabilities, Acer should have taken the effort to increase the security of their data on Exchange servers to withstand incoming threats from threat actors.
What Acer is going through can be a lesson to other tech companies. Cybersecurity continues to increase its importance as more and more companies fall to cyber attacks. Facebook and Apple are the latest big tech companies to fall victim to cyber-attacks, showing that no company is immune to cyber threats. There will never be a guarantee that companies will be safe from cyber attacks, but companies like Acer need to increase cybersecurity efforts to deter potential threats.
The Coors Brewery from Vanover Park
Date: March 11, 2021
Location: Chicago, United States
Parties involved: Molson Coors (Blue Moon, Foster’s, Grolsch, Killian’s, Miller, Peroni), Bulgaria, Canada, Croatia, Czech Republic, Hungary, India, Montenegro, Serbia, United Kingdom, United States.
The event: On March 11, 2021, the multinational brewing company, Molson Coors, reported that the company had been the victim of a cyberattack through a filing with the US Securities and Exchange Commission (SEC). Following the cyberattack, the Chicago-based firm warned that the ransomware attack could cause continued delay or disruption and was unable to access various systems involved in the production and delivery of popular drinks. Molson Coors has further engaged forensic IT firms and legal teams to investigate the incident, protect the company’s business and information and help prevent similar incidents in the future.
The impact of the cyberattacks on Molson Coors' systems in terms of volume of compromised data and severity of the breach is still unknown. Nonetheless, it shall be noted that the crippling cyber attack left the company temporarily unable to access IT systems involved in beverage production and delivery. According to the company’s reports, the consequences of the attack have led both to delays and partial disruptions of the firm's business. This is remarkable considering that Molson Coors is a solid player in the US and foreign markets, representing the fifth largest brewer in the world. Speculation has further suggested that the company was forced to take its systems offline to prevent the ransomware from spreading through its network, but there is no confirmation of this. All that is known is that the company's IT systems were disrupted by a ransomware attack, albeit the precise nature of the ransomware breach has not been specified. No ransomware group has claimed responsibility for the cyberattack or requested ransom.
The ransomware attack on Molson Coors' systems reinforces the notion that cyberattacks are becoming increasingly sophisticated and that no infrastructure is exempt and invulnerable from large-scale cyberattacks and threats. Since the outbreak of the Covid-19 pandemic, there has been an increase in cyberattacks. On December 2, 2020, Interpol issued a global warning, urging European (and non-European) states to consider the emerging link between the health crisis and an unprecedented surge in organized crime, which has adapted to the new 'normal' and engaged in new illegal activities, primarily cyberattacks.
The attack further reminded that the food and beverage supply chain is a critical target for cybersecurity attacks, along with the healthcare sectors. The ransomware attack on Molson Coors' systems was not in fact the first attack targeting the food and beverage industries in recent months. For example, Campari Group, the Italian beverage giant, was hit by a ransomware attack that forced the company to shut down the vast majority of its IT system on November 1, 2020, or the ransomware attack that impacted the Australian and New Zealand beer and milk supplier, Lion, on June 9, 2020.
The attack exhibits inadequate cyber defense when it comes to ransomware attacks. It follows that Molson Coors should conduct proactive defense work to avert comparable incidents in the future. To achieve this, the enterprise shall channel its technical and economic efforts to lessen its potential attack surface, by mapping its network, centralizing the company’s security technology, and developing regular security updates and patches. Molson Coors is advised to introduce a solid and layered approach, that should include firewalls, antivirus software, and data encryption measures. The multinational brewing company requires a cyber defense posture that is ductile and dynamic, and not restricted to pre-established standards, which end up hindering and hampering the execution of countering cyber operations. At the national level, it is expected that national authorities would begin working to promote sound ransomware strategies to prevent, or at least reduce in number and/or impact, ransomware outbreaks on sensitive sectors which include, among others, the health sector, legal firms, and the food and beverage industries.
F5 Networks manufacturing BIG-IP servers
Date: March 19, 2021
Location: Multiple Locations
Parties involved: BIG-IP servers, NCC Group, F5 Networks, multiple users
The event: F5 Networks sold BIG-IP server appliances used to manage traffic to and from large networks. These devices had critical vulnerabilities that they disclosed and had a severity rating of 9.8 out of 10. Unattended, the CVE-2021-22986 vulnerability was exploited, which allowed remote hackers to gain complete control of the server without any credentials or passwords. NCC experts explained that the perpetrators did not target anything specifically but added malicious code across the internet, hoping to exploit any vulnerability.
Even after the Microsoft system vulnerabilities were exposed earlier, F5 BIG-IP vulnerabilities were overlooked, even with an alarmingly high severity rating. The CVE-2021-22986 vulnerability was targeted and exploited remotely. The NCC Group detected the exploitation and shared on their blog a piece of exploit code that the hackers had used to access authenticated session tokens, a browser cookie allowing admins to use a web-based interface to gain remote control of the BIG-IP. There wasn't a single target and malicious code simply attempted across the internet to exploit any vulnerabilities. Further, the vulnerability was also targeted by devices that contained the Mirai malware. The extent of the damage is still unknown.
Multiple security firms confirmed CVE-2021-22986 to be exploited and researchers conducted internet-wide scans to locate vulnerable BIG-IP servers. This vulnerability was rated extremely high on the scale because of the ease with which the perpetrators can gain remote access to the entire network. They can cause extensive damage across the network and its devices. The administrators have considered patching the vulnerable servers and looking for exploits as their top priorities.
Hackers launching attacks on technology
Date: February 2020-October 2020
Parties involved: Devices using Windows, Android, iOS. No details on the victims or group responsible for the attacks.
The event: Hackers exploited 11 zero-day vulnerabilities in a nine-month campaign in watering-hole attacks that compromised patched Windows and Android devices initially, and later iOS users as well. This was made possible by infecting websites typically used by the targets and installing different exploits depending on their browsers and devices. The report was published by Google’s Project Zero and Threat Analysis Group and does not provide details on the group responsible for the attacks but it did recognize that a certain level of expertise is required to perform attacks as sophisticated as these.
Depending on the people who could have been targeted (businesses or government agencies employees, for example), and based on previous zero-day exploits, it is possible that the hackers have stolen sensitive data, captured IDs and passwords, encrypted the user’s data to later request a ransom, looked to exploit further vulnerabilities, spied and monitored certain information to target additional organizations and halt their operations. A Remote Code Execution could have passed commands on infected servers.
Without knowing exactly who was targeted and what they were after, we can’t assess precisely the extent of the damage. At least OSes companies’ reputations are expected to be questioned, while there could be an additional financial loss for the direct victims. There could also be legal implications in case of security negligence.
These types of zero-day attacks are likely to increase in future years, as we progressively rely on our phones for all kinds of activities. According to BankinfoSecurity, their potential lies in the fact that mobile users have smaller screens and simplified user experiences, which assures a greater chance of success. It is not easy to identify compromised- yet still legitimate- websites. They are unexpected and no antivirus can protect the visitors, even if users are mindful about updating apps and systems or avoiding suspicious websites. These incidents can only be prevented by big tech companies’ investment in testing their systems and identification of those responsible for the attack. Given the level of expertise of these hackers, it would be reasonable to think that a country can be behind these acts.
 “I like this laptop. I carry it with me every day.” by Jeroen den Otter licensed under Unsplash
 “Ransomware Attacks Soared 150% in 2020,” Infosecurity Magazine, March 2021, https://www.infosecurity-magazine.com/news/ransomware-attacks-soared-150-in/
 “Facebook and Apple are the latest companies to fall victim to cyberattack,” Krypsys, https://www.krypsys.com/news/facebook-and-apple-are-the-latest-companies-to-fall-victim-to-cyberattack/
 INTERPOL Warns of Organized Crime Threat to COVID-19 Vaccines.” INTERPOL, December 2, 2020. https://www.interpol.int/News-and-Events/News/2020/INTERPOL-warns-of-organized-crime-threat-to-COVID-19-vaccines
 Pierluigi Paganini, “Prominent Italian Firms under Attack, Campari Is the Last One,” Security Affairs, November 6, 2020, https://securityaffairs.co/wordpress/110470/cyber-crime/campari-cyberattack.html
 Naveen Goud, “Lion Beverages Hit by a Ransomware Cyber Attack,” Cybersecurity Insiders, June 10, 2020, https://www.cybersecurity-insiders.com/lion-beverages-hit-by-a-ransomware-cyberattack/.
 Sam Roguine, “4 Crucial Strategies for Enterprise Ransomware Protection in 2020,” Arcserve, July 7, 2020, https://info.arcserve.com/blog/4-crucial-strategies-for-enterprise-ransomware-protection-in-2020
 Marisa Midler, “3 Ransomware Defense Strategies,”Carnegie Mellon University, November 2020, https://insights.sei.cmu.edu/sei_blog/2020/11/3-ransomware-defense-strategies.html
 “Detecta si tienes Malware o si tu Iphone ha sido Hackeado” by iphonedigital licensed under Creative Commons
 Akshaya Asokan, “Watering Hole Operation Leveraged Zero-Day Exploits”, BankInfoSecurity, January 2021 https://www.bankinfosecurity.com/watering-hole-operation-leveraged-zero-day-exploits-a-15757