October marked a dubious milestone for cybersecurity. A report from the Identity Theft Research Center confirmed that the number of cyber attacks reported through the first nine months of the year exceeded the total recorded for the entirety of 2020. And not by a small margin either—attacks are up 17% in 2021 compared to last year.
Clearly, hackers have been busy, as have the cybersecurity experts tasked with mitigating the damage.
October’s Most Notable Security Breaches
Local TV Gets Rudely Interrupted by Evil
Media giant Sinclair Broadcast Group found its signals crossed following an October 16 ransomware attack that bears the earmarks of a well-known Russian cybercrime collective.
Sinclair, which owns or operates 185 local TV stations across 86 U.S. markets, reported that internal functions like email, phone systems, and data networks had to be shut down following the breach. The impact was severe: It took much of the company’s programming offline, including broadcasts of some of its 21 regional sports networks.
Although Sinclair has generated considerable controversy due to a perceived right-wing slant in its programming policies, it does not appear as though this attack was politically motivated.
Instead, the use of Macaw ransomware points to an opportunistic attack by the infamous Russian collective known as Evil Corp. That gang and its WastedLocker malware earned a sanction from the U.S. State Department in 2019, and some security experts believe that the Sinclair breach is Evil Corp’s attempt at getting around the sanctions by effectively re-branding—Macaw appears to be a new variant of WastedLocker and made its public debut with the Sinclair attack.
Records Exposed: Emails, phone systems, internal networks
Type of Attack: Ransomware
Industry: Telecommunications and broadcasting
Date of Attack: October 16, 2021
Location: Multiple locations across the United States
Key takeaway: For a company with a nationwide web of business interests, a single attack can set in motion a cross-country domino effect. A ransomware attack may focus on a specific location, but the nature of business networks means that the impact is frequently felt well beyond that point of origin. Security measures that protect systems and data across an entire network are a necessity.
Twitch Secrets Make Their Way to 4chan Boards
The massively popular, Amazon-owned Twitch streaming platform suffered a major data breach in early October, as a threat actor took advantage of information exposed during a server configuration change. While Twitch was quick to reassure users that no personally identifiable information was compromised, the 125GB of stolen data included elements of Twitch’s source code and, most embarrassingly, data on the incomes of the streaming platform’s leading game streamers. Those materials quickly turned up on the notorious 4chan forum, where streamers’ earnings—some in the seven-figure range—quickly became a hot topic among posters.
The unidentified hacker was reportedly motivated not by money, but by a mission to create “disruption” and expose the Twitch community as what they deemed “a disgusting toxic cesspool.” Regardless of the actual information exposed, the fallout for Twitch was swift and damaging.
Reports quickly emerged that the company had ignored a number of security threats in the past in the interest of profits. Online debates erupted about perceived disparities in the platform’s payment structure. Twitch reset all its stream keys as a precaution despite repeated assurances that users’ personal data had not been compromised.
Records Exposed: Proprietary code, financial records
Type of Attack: Server exploit
Industry: Tech and entertainment
Date of Attack: October 6, 2021
Location: San Francisco, CA
Key takeaway: Sometimes money isn’t the issue. For an incredibly high-profile tech industry business with as many active detractors as Twitch has, the embarrassment of public exposure can do more damage than any ransomware attack. Investing in vulnerability management solutions can determine where gaps lie in your environment before attackers exploit them.
Ferrara Candy Gets a Scare from Halloween Ransomware Attack
In what was surely October’s most cruelly timed cybercrime, the Chicago-based candy maker Ferrara suffered a ransomware shutdown at the onset of the busy Halloween season. The company is responsible for a number of iconic Halloween treats, including Brach’s Candy Corn, Laffy Taffy, Sweet Tarts, Nerds, and many others. The ransomware attack forced the company to pause production in several of its manufacturing facilities and distribution centers.
Fortunately, Ferrara said that almost all of its Halloween orders had already been fulfilled at the time of the attack. The company also was apparently well-prepared for this kind of security issue, as they quickly resumed production and distribution at nearly full capacity. In this case, it seems as though even a nasty Halloween trick wasn’t enough to derail the flow of treats.
Records Exposed: Unknown
Type of Attack: Ransomware
Industry: Food manufacturing and distribution
Date of Attack: October 9, 2021
Location: Forest Park, Illinois
Key takeaway: The hook here is obviously the novelty of a candy company getting hacked right before Halloween, but Ferraro’s response to the attack seems to be a solid example of an appropriately prepared organisation.
While it’s unclear whether Ferraro paid the ransom, they acknowledged the attack, contacted the proper authorities, and were able to resume production with minimal interruption. That does not usually happen unless a business has a strong security plan in place and can respond effectively when an incident arises.
The New Remote Access Trojan Just Dropped
Early October brought news reports of a scary new threat focused on some of the world’s most sensitive data. ZDnet reported that an Iranian cybercrime collective known as MalKamak has been waging an online campaign against organisations in the aerospace and telecommunications industries since 2018, or earlier. The cybergang was not identified until this July, and their most potent weapon has only just been discovered.
In what one security expert dubbed “a very, very targeted type of attack,” a remote access trojan (RAT) was used to access computers at around 10 organisations that handle highly sensitive information. Once in a system, the RAT allows a hacker to access computers and scan systems for sensitive information. The nearly undetectable malware appears to have received regular updates since its implementation, making it even more difficult for security tools to detect. This even has proven very disturbing not only to cybersecurity professionals, but national security interests as well.
Records Exposed: Sensitive details about companies’ assets, infrastructure, and technology.
Type of Attack: Remote access trojan
Industry: Telecommunications and aerospace
Date of Attack: 2018 to present
Location: Middle East, Russia, European Union, United States
Key takeaway: While most businesses will never find themselves the subject of a targeted probe by sophisticated espionage malware, this case is a reminder that cyberthreats constantly grow and evolve. An outdated security system that can’t scale to meet the most current threats can provide a false sense of security, which is almost worse than no security at all.
Syniverse Reveals Five-Year Hack
A prominent text messaging business announced earlier this month that they’d recently become aware of a long-term data breach that had unfolded over at least five years. Syniverse, a telecommunications company that helps route text messages for the United States’ big three mobile providers — AT&T, T-Mobile, and Verizon — became aware of the attack this May and went public with it on September 27.
An unknown hacker was apparently able to access databases in Syniverse’s network starting in May 2016 and had done so periodically ever since.
The company claims it “did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetise the unauthorised activity.”
Whether or not the intruders made use of that unprecedented level of access, tech industry experts are troubled since the attackers remained in the system undetected for so long. Syniverse has yet to elaborate on what data, if any, was potentially affected, but seeing as the company touches communications for more than 2 million people, the possibilities are unsettling.
Records Exposed: Unknown, but potentially text messages and personal data of millions of mobile phone users.
Type of Attack: Unconfirmed
Industry: Telecommunications
Date of Attack: May 2016 to May 2021
Location: Tampa, Florida
Key takeaway: The very fact that an unknown actor gained access to sensitive information for such an extensive period without detection raises huge concerns about the overall security of systems we rely on every day. It’s unclear whether more frequent or more intensive security scans and detection practices would have caught the intruder in this particular case, but either way it underlines highlights their importance as foundational elements of cybersecurity best practices.
