LookingGlass Findings in Recent JBS Ransomware Attack
In late May 2021, JBS Foods, the world's largest meat supplier, was hit by a ransomware attack. JBS learned of the attack on May 30th, when its technology staff reported irregularities in the operation of some of its servers. The attack forced JBS to temporarily halt operations at all of its beef processing plants in the United States.
JBS ultimately paid an $11 million ransom. Andre Nogueira, chief executive of the company's United States division, said JBS paid primarily to head off further attacks: the company had already been able to restore the majority of its systems from its own backups.
According to the FBI, the attack was carried out by the Russia-based ransomware group known as REvil/Sodinokibi. REvil has been linked to multiple recent cyberattacks in the US and elsewhere.
The JBS attack comes on the heels of other high-profile attacks on critical infrastructure. Just weeks earlier, Colonial Pipeline, a major US fuel pipeline operator, paid roughly $4.4 million to the attackers in another ransomware incident. The insurance and transportation sectors have also been hit.
FINDINGS ON REvil/SODINOKIBI
Our team at LookingGlass analyzed the JBS attack using data from LookingGlass Cyber Solutions' proprietary platforms together with open-source, publicly available information. Based on this analysis, we identified several exposures that match the initial-access vectors commonly used by actors of this kind.
Using scoutPRIME, we determined that JBS networks presented four distinct exposures, the two most significant being an internet-facing Citrix gateway and an internet-facing RDP service. Both are common entry points for ransomware groups, REvil included: exposed RDP is typically attacked through credential stuffing or brute force, and Citrix gateways through unpatched vulnerabilities in the appliance. We also found that JBS USA had an additional exposed port, which is itself a common attack vector.
It is common for affiliates of ransomware groups to move from one group to another, or to spin off their own ransomware to increase their profits. After the Colonial Pipeline attack in May 2021, multiple sources reported links between REvil and DarkSide. Given the heightened media interest in the role of nation-state actors in ransomware operations, our analysis team looked for, but found nothing substantial to report on, direct ties between REvil and the Russian security services. More broadly, however, there is substantial evidence of collaboration between Russia-based ransomware groups and those services.
Threat intelligence complements internal security controls, which is exactly what organizations need to ensure that their ever-expanding external attack surface is protected. When done correctly and properly applied, an enterprise that leverages threat intelligence is better equipped to handle and mitigate risks.
These attacks highlight the growing threat to organizations of all sizes posed by these determined threat actors. On June 3, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger notified US companies about the extreme risks associated with the most recent spate of cyber-attacks.
The question for security professionals is, of course, how to respond to these types of attacks. Unfortunately, there is no perfect solution. Our team at LookingGlass recommends making sure that you have foundational tools to see what your adversaries can see of your digital infrastructure.
It is critical to continually monitor one's attack surface, because exposures like the ones present in the JBS network when it was hit appear and disappear as systems are added, reconfigured, or left unpatched. Given those findings, an enterprise would also benefit from deeper vulnerability scans of whatever the external scan turns up, to gain more insight into the attack vectors actually available to an adversary. Scanning only reveals the exposure; the remediation is to take RDP off the internet (or put it behind a VPN with multi-factor authentication) and to keep gateway appliances such as Citrix patched.
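To make the "outside-in" triage concrete, here is an added Python example (written for this page; it is not LookingGlass or scoutPRIME code, and does not reflect how that platform scores findings). It takes a constructed list of externally visible services, flags the ones ransomware affiliates routinely use for initial access (RDP, SMB, VNC, exposed remote-access gateways such as Citrix), ranks them, and diffs the current snapshot against a previous one so that newly exposed services surface first. The hosts are RFC 5737 documentation addresses and the banners are made up; the port and banner tables are this example's own judgement, not a published scoring scheme.

```python
"""Triage an external scan for common ransomware initial-access vectors and
diff it against a previous snapshot.

Added illustration, not vendor code. Scan records are constructed inline in a
simplified (host, port, banner) form; a real pipeline would feed in masscan or
nmap output instead.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    banner: str = ""


# Ports that ransomware groups (REvil affiliates included) routinely target for
# initial access. Severities are this example's judgement, not a standard.
RISKY_PORTS = {
    3389: ("RDP", "high"),
    445: ("SMB", "high"),
    5900: ("VNC", "high"),
    23: ("Telnet", "high"),
    21: ("FTP", "medium"),
    1433: ("MSSQL", "medium"),
    22: ("SSH", "low"),
}

# Banner substrings that identify remote-access gateways usually exposed on 443.
GATEWAY_SIGNATURES = {
    "citrix": "Citrix Gateway/ADC",
    "netscaler": "Citrix Gateway/ADC",
    "pulse secure": "Pulse Secure VPN",
    "fortigate": "FortiGate SSL-VPN",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def classify(svc):
    """Return (label, severity) if the service is a known entry point, else None."""
    if svc.port in RISKY_PORTS:
        return RISKY_PORTS[svc.port]
    lowered = svc.banner.lower()
    for signature, label in GATEWAY_SIGNATURES.items():
        if signature in lowered:
            return (label, "high")
    return None


def triage(services):
    """Rank every flagged service, most severe first, then by host and port."""
    findings = []
    for svc in services:
        hit = classify(svc)
        if hit is None:
            continue
        label, severity = hit
        findings.append({"host": svc.host, "port": svc.port,
                         "service": label, "severity": severity})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))
    return findings


def new_exposures(previous, current):
    """Services in the current snapshot that were absent from the previous one."""
    seen = {(s.host, s.port) for s in previous}
    return [s for s in current if (s.host, s.port) not in seen]


# Constructed snapshots (RFC 5737 documentation addresses, invented banners).
BASELINE = [
    Service("192.0.2.10", 443, "Server: Apache"),
    Service("192.0.2.11", 22, "SSH-2.0-OpenSSH_8.4"),
]
CURRENT = BASELINE + [
    Service("192.0.2.12", 3389),                    # RDP straight to the internet
    Service("192.0.2.13", 443, "Citrix Gateway"),   # remote-access appliance
    Service("192.0.2.14", 445),                     # SMB exposed
    Service("192.0.2.15", 8080, "Server: Jetty"),   # not in the risky set
]


if __name__ == "__main__":
    for f in triage(CURRENT):
        print(f"{f['severity']:6} {f['host']}:{f['port']} {f['service']}")
    print("new since last scan:",
          [f"{s.host}:{s.port}" for s in new_exposures(BASELINE, CURRENT)])
```

The diff matters as much as the ranking: an RDP service that was not there last week is usually a misconfiguration or a shadow-IT box, and it is the finding a defender should chase first.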
To that end, our customers benefit from having LookingGlass tools in their security stack. LookingGlass's scoutPRIME gives customers an "outside-in" view of their current attack surface and risk exposure. By seeing what threat actors see, customers can identify the exposures on their own internet infrastructure as well as on that of their third-party vendors and supply chain. For organizations interested in better understanding ransomware, including actor groups, tactics, risks, and vulnerabilities, contact us at firstname.lastname@example.org.