During the holiday season, people tend to become so wrapped up with spending time with loved ones and spreading good cheer, that they get lax with making sure their cyber environments are safe. CISA recently reported an observed increase in ransomware attacks during the holidays and weekends. The attacks on Kaseya and SolarWinds happened during holidays, and experts warn that there will be no shortage of attacking during the 2021/2022 holiday season.
As of now, CISA has not seen an attack, but they want to provide awareness and advise businesses to be diligent with network defense best practices during the season. Let’s look at why your organization should make sure to use the best cyber security practices during the holiday season.
At the end of August 2021, the weekend just before Labor Day, CISA issued a warning regarding ransomware awareness during the holiday weekend. They observed an increase in ransomware attacks occurring during a time when most people are off from work. Threat actors know that holidays mean limited staff and resources, making it a prime time for an attack.
Researchers at Infosecurity Magazine recently reported that over 57% of attacks targeting retail websites in 2021 were carried out by sophisticated bots. The bots tried to hijack customers’ accounts and steal personal and financial information. The bots are actually capable of mimicking human mouse movements and clicks to confuse any retailers’ cyber security defenses. Bot driven cyber attacks have the potential to worsen existing supply-chain issues, threatening stock availability. It’s expected that these kinds of attacks will continue into the holiday season.
During the Fourth of July weekend, the IT management software company, Kaseya, experienced a massive supply-chain cyber attack. The attack, orchestrated by ransomware gang REvil, impacted 1,000 businesses in 17 countries. After realizing the breach, Kaseya instructed customers by way of a security advisory on their website, to shut down their VSA servers to stop the spread of the attack while it was being investigated. Researchers reported that REvil intentionally waited until the Fourth of July weekend to strike.
REvil successfully orchestrated the largest ransomware attack in history by exploiting multiple zero-day vulnerabilities in Kaseya’s on-premises VSA product. Because of these vulnerabilities, REvil was able to deploy a ransomware encryptor to connected endpoints. The gang demanded a ransom of $70 million for a universal decryptor key (later dropping to $50 million).
During May 2021, leading into Mother’s Day weekend, DarkSide deployed ransomware against the Colonial Pipeline. This attack took down the largest fuel pipeline in the United States and resulted in a week-long suspension of operations across the East Coast. There were gas outages in Georgia, Alabama, Tennessee, Florida, Virginia, Maryland, North Carolina, and South Carolina.
Darkside gained entry into the Colonial Pipeline Company’s network through a virtual private network account. The virtual private network allowed employees to remotely access the company’s computer network. While the account was no longer being used when the attack happened, DarkSide was still able to access it. It was later discovered that the password for the account was discovered on the dark web, which means a Colonial Pipeline employee more than likely used the same password on another account that was previously hacked. Additionally, the VPN account didn’t use multifactor authentication, which allowed DarkSide to breach the Colonial Pipeline network by using a stolen username and password.
United States based food processing company, JBS, is another organization that was compromised during a holiday weekend. On May 30, 2021, right before Memorial Day weekend, JBS announced that they were the target of an organized cyber attack by REvil, affecting servers supporting North American and Australian IT systems. REvil infected the company’s systems with malware and demanded a ransom for decryption.
As a result, JBS had to take portions of their systems offline and paid REvil $11 million in bitcoin to avoid further disruption of their business. The company was able to continue operations through their backups, but they lost $11 million by paying the demanded ransom. Even though JBS paid the ransom to prevent the malware from spreading or returning, there is no guarantee that REvil won’t target them again. Threat actors seek one thing, money, and paying large ransoms can lead to double extortion.
Supply-chain cyber attacks are the most prominent during the Christmas shopping season and retailers often struggle with prevention. In 2017, an exploit called NotPetya attacked large electric utilities and stalled the operation of many retailers. NotPetya infected computers, as well as data and wired machines globally – extracting data and demanding massive amounts of money in the form of Bitcoins. The attack occurred during the Christmas season and although it was intended to cripple the Ukraine, the attack was felt around the world.
Not only did the NotPetya attack disrupt utility operations, but it also affected shipping companies like FedEx and Maersk who deliver orders for retailers. Things became so bad that FedEx had to resort to manual processes for pick-up, sorting, and delivery. Some of Maersk’s corporate network systems for its container business were paralyzed, which prevented retail customers from booking ships and from receiving quotes. The NotPetya attack caused more than $10 billion total loss in damages, making it the most devastating cyber attack in history.
A supply-chain disruption like NotPetya can cause catastrophic harm to a brand’s reputation and financial performance. Couple the disruption with the holiday season and you are looking at devastation beyond what most retailers can fathom.
Unfortunately, threat actors know that most organizations operate on a skeleton crew during the holidays. It’s no coincidence that Target’s massive breach in 2013 happened a day before Thanksgiving, and SolarWinds was breached just before Christmas in 2020. Attackers look forward to employees being out of town during U.S. holidays and they plan accordingly.
Major U.S. holidays mean that there’s less staff keeping an eye out for threats, which means more opportunities for attackers to make their move. If employees are out of town or enjoying time off with family, it’s more difficult to react and to react quickly to an attack making its way through a company’s network. This extra time gives threat actors leverage and the chance to try various passwords and usernames, as well as extend their reach to more devices.
During these vulnerable moments, companies have been known to call a third party to deal with an attack or pay a large ransom before the holiday weekend or season ends. According to a report by security firm, BlackFog, Ransomware attacks grew by 150% in 2020 and the damages of cybercrime may reach $6 Trillion this year (up from $3 Trillion in 2015). Protecting your company and employing monitoring tools while employees are away or during an influx in customers is imperative.
Social Engineering is also an enormous threat and serves as one of the primary techniques for initiating a cyber attack. The holiday season presents a particular vulnerability, as traveling employees usually set automatic out-of-office (OOO) replies directing people to another employee who can assist them.
An attacker can use these OOO messages to target the working employee with phishing-emails, pretending to be the OOO employee. Generally, the attacker will request special access to proprietary systems while masquerading. If your company has people working (even while out of the office) during the holidays, this vulnerability is likely to be exploited.
DarkSide
REvil
Revil
DarkSide
Ransomware Awareness for Holidays and Weekends | CISA
Why company hacks like the REvil ransomware attack tend to happen over holiday weekends | Fortune
FBI, CISA warn of potential cyberattacks over holiday weekends | ZDNet
Why company hacks like the REvil ransomware attack tend to happen over holiday weekends | Fortune
Colonial Pipeline Cyber Attack: Hackers Used Compromised Password - Bloomberg
Colonial Pipeline attack: Everything you need to know | ZDNet
JBS USA cyber attack affecting North American and Australian systems | ZDNet
The State of Ransomware in 2021 | BlackFog
EDR vs. MDR: Which Threat Detection is Right for You? (avertium.com)
How the Cyber Grinch Stole Christmas: Managing Retailer Supply Chain Cyber Risk - Security Boulevard
JBS paid hackers $11M ransom to avoid further disruption | Cybersecurity Dive
Holiday Cybersecurity Tips | NCDIT
Ransomware Awareness for Holidays and Weekends | CISA
Attack Surface Management vs. Vulnerability Management (avertium.com)
This document and its contents do not constitute and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.