Posted on Jun 8, 2021
SecurityScorecard also found that 1 in 5 of the world’s food processing, production, and distribution companies rated have a known vulnerability in their exposed Internet assets
Using SecurityScorecard’s proprietary tools, our Investigations & Analysis (I&A) team observed the findings described below.
The SecurityScorecard Investigations & Analysis (I&A) team investigated reports of the ransomware attack on JBS, one of the world’s largest meat processors. Our investigation focused on understanding the attack and the adversary behind it, so that others can respond to and better protect themselves from ransomware threats. We also wanted to understand whether data exfiltrated from the environment could later be leaked on the dark web.
Our investigation centered on the scope of the breach, potential attribution, and any other findings that might provide insight into what occurred. The attack has been reported to have been carried out with Sodinokibi, the ransomware family operated by the REvil ransomware group, which is suspected to be based in Russia.
The U.S. Government confirmed on June 3, 2021, that the REvil / Sodinokibi group was responsible for the attack.
CVEs (Common Vulnerabilities and Exposures) are publicly catalogued weaknesses in software that could lead to system compromise. Some are relatively benign (representing a small risk), while others are very serious and leave a system open to takeover. The skill required to exploit them ranges from basic to extremely advanced. The risk a vulnerability poses is therefore a combination of the impact of the vulnerability itself and the skill needed to exploit it.
One outstanding question is the initial intrusion vector. There are several plausible theories, ranging from the use of leaked credentials to access through an exposed remote-access service. Remote-access protocols such as Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and VPN are among the most common intrusion vectors for ransomware operators. In our analysis, SecurityScorecard observed failed RDP connection attempts to the JBS Australia IP address space (the same address space from which data was later exfiltrated) on February 28, 2021, shortly before the data exfiltration began. The source IP address of the attempted RDP connections is not associated with any known digital footprint of JBS; instead, it has historically been listed as a malicious source. The pattern is consistent with the threat actor probing for an RDP service: a connection request was sent but received no response from the server, indicating that no RDP service was listening. Probing for exposed or vulnerable services in this way can be an indication of reconnaissance by the attacker.
In our research, we discovered leaked credentials belonging to JBS Australia employees dated early March 2021, shortly before the data exfiltration began. The presence of JBS employee credentials on the dark web is consistent with a compromise sometime in February 2021, although leak lists of this kind are often assembled from third-party breaches, so on their own they do not establish how the credentials were obtained. The leaked credentials we discovered belong to roughly half a dozen JBS Australia employees and appear in several leak lists.
An individual representing REvil (a ransomware gang of suspected Russian origin) was found discussing the JBS attack on a Telegram channel known as RUSSIAN OSINT. The exchange below was posted on June 3, 2021, after the attack had been publicly reported. The following is a translation from Russian to English of part of the interview concerning the motivations for this attack. According to the translation, the threat actor intended to target Brazil as an act of revenge.
During our investigation, SecurityScorecard observed TeamViewer traffic destined for an IP address in India. This might mean that the threat actor installed TeamViewer within JBS Australia’s network environment. The activity occurred during the same timeframe as the data exfiltration, and the connection could have been used to maintain access to the environment. Since TeamViewer supports file transfers, some data might have been exfiltrated this way as well.
A particularly notable connection was observed between May 18, 2021, and May 24, 2021, with a server in India. What makes it unusual is that, although it was established through a TeamViewer server, it was left open for five days, and that period overlaps the window immediately before and after the data exfiltration to Mega.
As with all ransomware operations, the attackers are likely interested in exfiltrating data and leaking it on the dark web if the victim does not pay. Typically, the threat actor exfiltrates data before encrypting files, then uses the stolen data to extort the victim for financial gain. Using our unique global insights, which include Netflow, we have uncovered multiple exfiltration operations from the JBS environment since March 2021. For example, we observed exfiltration to the file-sharing site Mega, a destination commonly used in ransomware attacks, between March 1 and May 30, 2021, in excess of 45GB. This exfiltration was broken up into more than a dozen smaller transfers over the course of three months, a pattern that keeps any single transfer below the size that would stand out in volume-based monitoring.
Further, we discovered that a total of 5TB of data had potentially been exfiltrated between March 1, 2021, and May 29, 2021, to assets in Hong Kong. Our research indicates that multiple exfiltration methods were used in addition to data transfer via Mega.
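The three flow-level observations above (unanswered RDP probes from a source outside the victim's footprint, a remote-access session left open for days, and egress to a file-sharing destination split into many smaller transfers) can all be pulled out of netflow-style records with a few aggregation rules. The following is an added example written for this page, not SecurityScorecard's tooling or data: the flow records, the org's address range, the "known malicious" source, and the file-sharing destination range are all constructed, and the only real-world constant is TeamViewer's primary TCP port 5938.

```python
"""Triage of netflow-style records for recon, long-lived remote access, and chunked egress.

All records, address ranges and reputation entries below are constructed sample data
for this example; they are not the flows or indicators from the JBS investigation.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Assumptions (constructed for this example) ---
ORG_NETS = [ip_network("198.51.100.0/24")]                  # the victim's known footprint
KNOWN_BAD_SOURCES = {"203.0.113.7"}                          # a source with a bad reputation history
FILE_SHARING_NETS = {ip_network("192.0.2.48/28"): "file-sharing provider (placeholder range)"}
REMOTE_ACCESS_PORTS = {5938: "TeamViewer"}                   # TeamViewer's primary TCP port
RDP_PORT = 3389
GB = 1_000_000_000

# Constructed flow summaries: bytes_out is src->dst, bytes_in is dst->src.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes_out,bytes_in,duration_s
2021-02-28T03:12:00,203.0.113.7,198.51.100.10,3389,120,0,1
2021-02-28T03:12:05,203.0.113.7,198.51.100.11,3389,120,0,1
2021-02-28T03:12:09,203.0.113.7,198.51.100.12,3389,120,0,1
2021-03-01T10:00:00,198.51.100.20,192.0.2.50,443,4000000000,120000,3600
2021-03-15T10:00:00,198.51.100.20,192.0.2.51,443,3500000000,110000,3400
2021-04-02T10:00:00,198.51.100.20,192.0.2.50,443,5000000000,130000,4100
2021-05-18T09:00:00,198.51.100.30,192.0.2.99,5938,900000,8000000,432000
2021-05-19T09:00:00,198.51.100.31,192.0.2.99,5938,20000,60000,300
2021-05-20T12:00:00,198.51.100.40,192.0.2.77,443,5000,900000,10
2021-06-10T10:00:00,198.51.100.20,192.0.2.50,443,2000000000,100000,1800
"""


def parse_flows(text):
    """Parse CSV flow summaries into typed dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": ip_address(row["src"]),
            "dst": ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "bytes_out": int(row["bytes_out"]),
            "bytes_in": int(row["bytes_in"]),
            "duration_s": int(row["duration_s"]),
        })
    return flows


def in_nets(addr, nets):
    return any(addr in n for n in nets)


def find_rdp_probes(flows):
    """External source -> org host on 3389 with zero bytes back: an unanswered RDP probe.
    Returns {source: sorted org hosts it touched}; several hosts from one source is a sweep."""
    probes = defaultdict(set)
    for f in flows:
        if (f["dport"] == RDP_PORT and in_nets(f["dst"], ORG_NETS)
                and not in_nets(f["src"], ORG_NETS) and f["bytes_in"] == 0):
            probes[str(f["src"])].add(str(f["dst"]))
    return {src: sorted(dsts) for src, dsts in probes.items()}


def classify_probe_source(src):
    """Reputation lookup: a probe from a listed source weighs more than generic scan noise."""
    return "known-malicious" if src in KNOWN_BAD_SOURCES else "unknown"


def find_long_remote_sessions(flows, min_days=1.0):
    """Sessions from the footprint to a remote-access port that stayed open >= min_days."""
    hits = []
    for f in flows:
        label = REMOTE_ACCESS_PORTS.get(f["dport"])
        days = f["duration_s"] / 86400
        if label and in_nets(f["src"], ORG_NETS) and days >= min_days:
            hits.append((str(f["src"]), str(f["dst"]), label, round(days, 2)))
    return hits


def summarize_egress(flows, start, end):
    """Sum bytes leaving the footprint for file-sharing destinations inside [start, end].
    Returns {label: (transfer count, total GB)}, so many small transfers still add up."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if not (start <= f["ts"] <= end) or not in_nets(f["src"], ORG_NETS):
            continue
        for net, label in FILE_SHARING_NETS.items():
            if f["dst"] in net:
                totals[label][0] += 1
                totals[label][1] += f["bytes_out"]
    return {label: (count, round(total / GB, 2)) for label, (count, total) in totals.items()}


def triage(text=SAMPLE_FLOWS):
    flows = parse_flows(text)
    return {
        "rdp_probes": find_rdp_probes(flows),
        "long_sessions": find_long_remote_sessions(flows),
        "egress": summarize_egress(flows, datetime(2021, 3, 1), datetime(2021, 5, 30, 23, 59)),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

Two caveats when running rules like these on real flow data: a single source sweeping TCP/3389 across a range is also what indiscriminate Internet scanners look like, so the probe only becomes interesting in combination with source reputation and its timing relative to later egress; and the egress rule depends on an accurate destination list, since a provider's address ranges change and traffic to it normally rides TLS on 443, which is why the aggregation is keyed by destination rather than by port.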
It’s not just JBS that has problems; unfortunately, the food industry as a whole suffers from cybersecurity hygiene issues. SecurityScorecard rates the outside-in cybersecurity of over 55,000 food industry companies across factors including data breaches, software vulnerabilities (CVEs), and malware infections. On the whole, the results are poor: one in five of the companies rated has a known vulnerability in its exposed Internet assets.
SecurityScorecard’s method of analysis draws on multiple public and private sources. It is not based solely on open-source information that anyone can obtain (and that is often unverifiable); open-source material is one element of our analysis and a data point in itself, but it is not the sole determining factor. This analysis examines the characteristics of the attack using OSINT together with vetted intelligence obtained through private partnerships and confidential sources in order to reach our conclusions.
We believe JBS suffered data exfiltration followed by a ransomware attack, a common approach for threat actors. We also identified reconnaissance activity prior to the data exfiltration. What is remarkable about this attack is how unremarkable it was in both execution and occurrence; it illustrates just how common ransomware attacks have become. These attacks have a financial impact on the victim that goes beyond the payment of a ransom; they may need to be disclosed to customers, business partners, and likely to regulators and in the company’s written disclosures.
Any organization with Internet-facing assets must now consider itself a potential ransomware victim. Organizations must consider their own security as well as the security of their vendors and third-party suppliers.