The Top Cyberattacks of July 2021

It’s been a wild summer in the virtual world, and the hacks just kept on coming in July. The month opened with a slightly more subdued reprise of the year’s most notorious cyberattack, then continued with hacks against everyone from restaurant chains to vaccination sites to national transit systems—sometimes with a little added social commentary for good measure.

Let’s look at a few of these July incidents that made our world a little less secure.

July 2021’s Top Cyberattacks

Kaseya Hack Creates a Global Ransomware Crisis

With a swath of Memorial Day data breaches still resonating in cybersecurity circles, hackers again took advantage of a major American holiday to victimize organizations across the U.S. and the world. A Fourth of July weekend ransomware attack on Florida-based software provider Kaseya impacted businesses on five continents, shutting down public schools in New Zealand, closing a major grocery chain in Sweden, and disrupting operations for hundreds of businesses across the U.S.

Although Kaseya has said the attack impacted only 1% of its client base, those clients are largely managed service providers (MSPs), which means their clients were impacted in turn. That made for a vicious ripple effect, as up to 1,500 small to mid-sized businesses found their operations offline in the middle of a holiday weekend, taxing tech support teams to the hilt.

That wrinkle may have magnified the problem considerably, since the threat actors targeted a management tool called a VSA Server. Kaseya contacted clients promptly and advised them to shut off their VSAs, but with many IT support staffers difficult to reach on a day off, the problem spread more widely than it otherwise might have.

The Kaseya attack appears to be another product of the infamous REvil collective, which demanded a $70 million payment in bitcoin. Kaseya has since patched the vulnerability that led to the breach.

Records Exposed: VSA server data

Type of Attack: Third-party software exploit

Industry: Managed service providers

Date of Attack: July 2, 2021

Location: Originating in Florida, spanning five continents


Key Takeaway:

The internet is like a delicate house of cards. In this case, a business that provides services for businesses that provide services was attacked, leaving clients further down the supply chain—who may not have even heard of Kaseya—to pay the price. While it’s nearly impossible to do business online without relying on third parties to some extent, responsibility for your own site’s security ultimately falls on you.

Malware Group Trolls Iran’s Train System and Government

A July 9 cyberattack on Iran’s national train system employed an apparently new form of “wiper” malware designed to erase data from infected computers before rendering the machines themselves unusable. In what an Iranian state news outlet called “unprecedented chaos at railway stations across the country,” trains were delayed or cancelled outright as IT teams scrambled to get systems back online.

Investigators have traced the attack to a previously unknown group dubbed MeteorExpress, who they believe developed the malware within the past three years. They note that while the malware itself is distressingly functional, the coding is quite sloppy and riddled with clues to the hackers’ identity. In the world of cybercrime, you don’t always have to be elegant to be effective.

Those behind MeteorExpress appear to have both a dark sense of humor and an ax to grind against Iranian leadership. The hackers programmed screens at impacted train stations to display a number for passengers to call for further information. That number turned out to belong to the offices of the Supreme Leader of Iran, which was predictably flooded with phone calls from confused and frustrated travelers. In the meantime, Iranian officials have had a lot of work to do restoring the deleted information and getting the trains back to running on time.

Records Exposed: Partial data wipe

Type of Attack: Wiper malware

Industry: Public transportation

Date of Attack: July 9, 2021

Location: Iran

Key Takeaway:

If investigators’ analyses are accurate, the Iranian train hack is evidence that even an unsophisticated or inexperienced hacker can have a major impact on an entire country’s infrastructure. Government organizations remain both highly vulnerable to cybercrime and highly appealing to potential attackers and need to invest in security accordingly.

Chipotle Hack Leads to Some Unappetizing Emails

Internet foodies usually love a “Chipotle hack,” but a mid-July cyberattack proved considerably less appealing than a sneaky way to double your burrito fillings. Cybercriminals were able to access a marketing email account used by the fast-casual dining giant and use it to launch phishing emails to a number of Chipotle fans. The compromised account is affiliated with the mass-marketing company Mailgun and it was used to phish subscribers with malware attachments. While it is unclear to what extent the phishing attempts were successful, the fact that they were sent from an apparently legitimate address associated with a trusted brand raised their potential “success” rate.

While it appears the targeted audience in this case was extremely limited—possibly only 120 malicious emails were sent out—it is troubling that the phishing techniques used here bear a striking similarity to those used by the Russian hacking group Nobelium as a precursor to May’s devastating SolarWinds hack. Only time will tell whether this Chipotle compromise is an appetizer for something much worse.

Records Exposed: Email addresses

Type of Attack: Phishing

Industry: Food service

Date of Attack: July 13-16, 2021

Location: United States

Key Takeaway:

There’s no rest for the wicked. Whether this phishing attempt turns out to be the work of Nobelium or a copycat, it’s a reminder of the relentless nature of cybercriminals and the way large problems can begin with small oversights. Third-party service providers must step up their cybersecurity game and consumers should always remain vigilant and aware to avoid potential email attacks.

Bad Actors Create Phony COVID Credentials in Germany

Germany is among the countries that require “COVID passports” for certain public activities—certificates of fully vaccinated status issued by pharmacists and vaccination centers that entitle holders to wider privileges than those who have not yet been vaccinated. That public safety effort hit a snag on July 22, when hackers accessed the German Pharmacists’ Association’s portal and created credentials for at least two non-existent pharmacists. Using those false identities, bad actors could theoretically sell any number of bogus vaccination certifications on the dark web.

A pair of security researchers were able to replicate the hack with remarkable ease using digitally manipulated licensing documents, false addresses, and randomly generated ID numbers. The Pharmacists’ Association has since suspended its certification process until a more secure system can be formulated. In the meantime, the extent of fraudulent vaccine activity in Germany remains unknown.

Records Exposed: None

Type of Attack: False identity scam

Industry: Public health

Date of Attack: July 22, 2021

Location: Germany

Key Takeaway:

Public health organizations have notoriously insufficient cybersecurity measures, a problem that is only compounded by quick-turnaround tech projects that don’t allocate time to fill in gaps. Despite the best of intentions, a hastily developed security system often creates more problems than it solves.

From seasoned professionals like REvil to upstart hackers like MeteorExpress, the internet continues to be a high-stakes playground for bad actors of every experience level—all of them dangerous. Businesses have no way of knowing who might come for their data, so it pays to trust your security needs to the experts.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.