Another month, another round of new challenges for cybersecurity teams everywhere. Ransomware was the name of the game in March, with a variety of sophisticated attacks focused on everyone from small businesses to journalists to manufacturers.
The range and volume of attacks so far in 2021 should concern anyone who conducts business online. As always, the breadth of these threats underscores the need for reliable, up-to-date cybersecurity measures across your entire organization.
March's Most Notable Cyberattacks
A Multitude of Firms Exposed in Massive Microsoft Email Breach
A wide-ranging breach of Microsoft Exchange Server exploited four key flaws in the software, giving hackers access to the email of more than 30,000 organizations across the United States. Apparently launched by an elite Chinese hacking collective known as “Hafnium,” this attack compromised email communications for small businesses and municipalities across the U.S. and around the world. Worse yet, infected devices were seeded with password-protected tools that give the hackers complete remote access to those systems.
Ironically, the attack may have been escalated by Microsoft’s attempt to prevent exactly this kind of cybercrime. On March 2, the company issued patches to address the four known security gaps. Security observers say this kicked off a massive wave of activity from Hafnium as the hackers scrambled to attack as many still-unprotected systems as possible before they were patched.
While much of the damage is already done, authorities recommend that businesses and government offices that have yet to install Microsoft’s security update do so immediately to prevent the installation of further backdoors.
The ultimate fallout of the Hafnium attack is uncertain, but a hack of this breadth and scale is likely to be felt for years to come. The backdoors installed by the attackers could be used to steal valuable data or install ransomware, and many affected organizations likely don’t even know they have been hacked. As one expert asked rhetorically in a Wired interview, "When was the last time someone was so bold as to just hit everyone?"
- Records Exposed: Email data
- Type of Attack: Remote access hijack, ransomware
- Industry: Small businesses, municipalities, public services
- Date of Attack: March 2-4, 2021
- Location: Worldwide, likely originating in China
Keeping on top of security patches and upgrades is crucial to prevent breaches. The swiftness with which Hafnium acted to leverage Microsoft’s security gaps shows that bad actors keep tabs on every possible opportunity. Your security system needs to do the same.
Hackers Cancel the Morning News
A major Australian broadcaster canceled its morning news program while battling a late-March ransomware attack. Nine Entertainment was unable to air its Sunday Weekend Today show following a March 27 intrusion that brought operations to a halt across the company’s many media holdings. A spokesperson confirmed later in the day that the interruption was a malicious act that impacted not only the Channel Nine television system, but also the Sydney Morning Herald, Australian Financial Review, and various publishing operations.
Nine CEO Mike Sneesby told journalists the attack “was significant in scale with high potential to disrupt our business.” Evidence suggests that the shutdown was related to MedusaLocker, a well-known ransomware strain that infects and locks down entire computer systems, as well as individual devices. The silver lining, if there is one, is that MedusaLocker is generally used by ransom-seekers looking for payouts. That could rule out the possibility this was a state-sponsored attack by foreign agents, as some in the media had speculated after noting that Nine was slated to air an unflattering report about Russian leader Vladimir Putin.
As of this writing, Nine has not reported receiving any ransom demands. Tech teams are working to mitigate and undo the damage as quickly as possible.
- Records Exposed: Unknown
- Type of Attack: Ransomware
- Industry: Journalism and publishing
- Date of Attack: March 27, 2021
- Location: Sydney, Australia
Organizations with multiple holdings in the same industry may wish to employ a one-size-fits-all security solution, but this case illustrates how quickly a threat can escalate once criminals gain access to one arm of a business. Keeping security measures for different branches of your organization separate may entail more work, but it can go a long way toward keeping threats contained.
Phishers Get a Look at California’s Finances
The California State Controller’s Office handles approximately $100 billion of the state’s public funds each year. On March 20, the office announced that cyberattackers gained access to a large volume of personally identifiable information from its databases, including the social security numbers of thousands of state employees.
The attack was apparently launched on March 18, after an employee of the state’s Unclaimed Property Division unwittingly entered their email ID and password after clicking on a phishing link. The phishers gained access to the Controller’s system for around 24 hours, in which time they pilfered data and sent further phishing emails across the system using the phished employee’s account.
It does not appear the criminals accessed any state funds, and the immediate damage seems minimal, although employees are being advised to update all passwords and IDs and carefully monitor their own financial accounts. Even so, this stands as yet another reminder of how quickly and easily a major computer system can be compromised due to a single person’s careless action.
- Records Exposed: Personal information, including social security numbers
- Type of Attack: Phishing
- Industry: State government
- Date of Attack: March 18, 2021
- Location: California
In this case a single unsafe action by a single employee jeopardized the security of thousands of state employees in a branch of government that handles massive amounts of taxpayer money. No matter how thoroughly you feel you’ve educated employees about basic cybersecurity protections, it is almost always worthwhile to schedule regular refreshers on safe online conduct.
Internet of Thieves Targets Internet of Things
Internet of Things (IoT) vendor Sierra Wireless paused operations after a March 20 ransomware attack. The Vancouver-based company is a leading seller of cellular-based machine-to-machine communications products and, as such, maintains a high standard of cybersecurity.
Nevertheless, this breach was severe enough to force Sierra Wireless to temporarily take its website offline, shut down production at the company’s manufacturing facilities, and disrupt a number of internal system functions. The company has not yet divulged what kind of ransomware is suspected or what the attackers may have demanded.
The bright side for Sierra is that, aside from the website interruption, their customer experience appears to have been unaffected. That’s due in part to Sierra’s policy of separating its internal IT system from its commercial processes. A statement from Sierra suggested that the company’s internal functions were always the intended target. “We believe the impact of the attack was limited to Sierra Wireless’ internal IT systems and corporate website, as we maintain a clear separation between our internal IT systems and customer facing products and services.” This should serve as a reminder to other large operations that keeping those sectors separated can be the difference between a crisis that can be handled internally and one that impacts your customers and public image.
- Records Exposed: Unknown
- Type of Attack: Ransomware
- Industry: Manufacturing and retail
- Date of Attack: March 20, 2021
- Location: Vancouver, British Columbia
In contrast to the hack of Australia’s Nine Entertainment mentioned earlier, Sierra Wireless appears to have mitigated potential damage by separating security measures for two distinct functions of its business. Maintaining dedicated cybersecurity systems for internal and external operations likely saved the company from a much bigger security and PR issue.
This month’s breaches run the gamut from reckless acts by individuals to security gaps in one of the world’s largest tech platforms, and the perpetrators range from common thieves to possible state-sponsored saboteurs. The sheer variety of threats in today’s cybersphere makes Arctic Wolf’s versatile security solutions and services a necessity.
Learn more about how Arctic Wolf can meet the specific online safety needs of your organization.