- On April 26, reports of a service disruption affecting a major cold storage and logistics firm surfaced.
- The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team collected a sample of traffic involving possibly vulnerable company assets to identify behavior that may reflect a compromise.
- Researchers did not observe definitive evidence of compromise but noted activity that may merit attention from personnel with internal visibility into the affected company’s network.
- The observed activity includes communication with remote access services, large data transfers, and an anomalously large amount of traffic over port 22.
On April 26, reports of a service disruption affecting a major cold storage and logistics firm surfaced. A memo issued by the company and quoted in BleepingComputer claims that they detected and contained an intrusion late in the night of April 25 or early in the morning of April 26 but shut down their network to limit and investigate the scope of the incident. Some social media comments responding to these reports reflect the company’s claims: one commenter purporting to be a company employee reported that the disruption was the result of a “targeted cyber attack” that “prompted an entire shutdown as a preventative measure” when the company detected it early. Another specified that the disruption began on April 26 at 3:00 AM US Central Time (8:00 AM UTC).
The event has drawn comparisons to a 2020 incident that disrupted the same company’s operations. Although the company’s disclosure regarding that incident offered little specific information, reports that the disruption resulted from a ransomware attack proliferated. Due to its timing, this earlier attack contributed to concerns over the relationship between ransomware and the fragility of global supply chains that were especially poignant at the height of the COVID-19 pandemic; ransomware was not only acquiring newfound prominence thanks to threat actors’ then-recent adoption of big-game hunting and secondary extortion, but its disruptive potential appeared particularly pronounced when paired with the various other disruptions that accompanied the pandemic. Interruptions to operations were of further concern at the time because the company was under consideration to supply cold storage facilities for the then-nascent rollout of COVID-19 vaccines.
To identify possible evidence of an attack against the company, STRIKE Team researchers collected and analyzed traffic samples involving IP addresses SecurityScorecard attributes to the affected company. Of the 779 IP addresses in its digital footprint, researchers selected the thirty-one where SecurityScorecard’s ratings platform observes issues; such issues suggest that the affected IP addresses could be particularly vulnerable to malicious activity. Researchers collected two samples: one of all traffic involving these IP addresses from February 27 to April 27 and one limited to the period in which the shutdown occurred (April 25-26).
To identify traffic that may reflect the specific activity that precipitated the shutdown, researchers limited the April 25-26 results to the traffic in the hours before the shutdown and searched for the resulting IP addresses in the public cybersecurity information-sharing platform VirusTotal and in SecurityScorecard’s internal threat intelligence platform (TIP). Both resources record previous malicious behavior linked to specific IP addresses and could therefore help identify those IP addresses that communicated with company assets and have a history of malicious activity, which may be more likely to be responsible for the reported malicious activity.
The STRIKE Team next filtered the larger traffic sample’s contents by byte count, isolating its largest data transfers. Large data transfers can represent exfiltration, so threat actors could have used the IP addresses receiving these transfers while stealing data from the affected organization. Researchers then narrowed these results further by searching for the IP addresses in VirusTotal, focusing on those addresses other cybersecurity vendors have already linked to malicious activity.
Finally, researchers reviewed the traffic metrics furnished by a strategic partner to identify any other seemingly strange activity, such as flows over uncommon ports or communication with IP addresses in unexpected locations.
Researchers identified four IP addresses that communicated with company-attributed IP addresses in the hours immediately surrounding its shutdown (216.219.115[.]64, 216.219.115[.]3, 216.219.115[.]45, and 216.219.115[.]58) and previously appeared in traffic samples SecurityScorecard collected from ransomware victims’ IP addresses during the periods in which those organizations suffered their respective attacks. These IP addresses belong to remote access software company LogMeIn, Inc. (formerly GoToMeeting). While the software has many legitimate uses, attackers have also used legitimate remote access software (TeamViewer is especially common) to acquire control of target devices for malicious purposes ranging from fraud to ransomware deployment.
Upon further review of the traffic in the hours surrounding the shutdown in the early hours of April 26, researchers identified an additional six IP addresses belonging to LogMeIn that communicated with the affected organization’s IP addresses in the same period but did not appear in previous attacks’ traffic samples. All of these IP addresses are available in an appendix below.
Seven IP addresses detected by the vendors contributing to VirusTotal also communicated with company-attributed IP addresses in the hours surrounding the shutdown. Most of this traffic appears to be low-level probing or scanning; a strategic partner identifies many of the IP addresses as scanners, and most of them were involved in brief exchanges of small amounts of data. However, 164.92.162[.]25 received a more significant amount of data (approximately 11.2 MB) from a company IP address at 2:38 AM UTC on April 26 (10:38 PM on April 25 EDT). Two vendors have linked 164.92.162[.]25 to malicious activity; it additionally appears in three feeds that contribute to the malicious reputation data that informs SecurityScorecard’s Attack Surface Intelligence tool, belongs to hosting provider DigitalOcean, and is located in Germany.
Image 1: Attack Surface Intelligence’s data sources have previously linked 164.92.162[.]25 to malicious activity.
These findings suggest that this transfer may reflect suspicious activity, especially when considered alongside its timing; not only have external data sources previously deemed 164.92.162[.]25 malicious, but large data transfers can represent exfiltration, especially when the destination is located in a different jurisdiction (164.92.162[.]25 is in Germany while the company IP address is in the US).
Researchers identified an additional ninety-five IP addresses involved in transfers of 10 MB or more in the two months leading up to the shutdown. A vendor has linked one of these, 198.61.137[.]174, to previous malicious activity, and an additional forty-four appeared in traffic samples collected during previous STRIKE Team investigations, mainly into ransomware incidents. All of these IP addresses belong to Rackspace, and transfers to them could therefore represent expected behavior, such as transfers to cloud backups. However, given the overlap with previous ransomware victims’ traffic, these transfers may merit closer attention from personnel with visibility into the company’s network to verify that they represent expected behavior.
Finally, when reviewing the traffic metrics provided by a strategic partner, researchers observed a larger-than-expected amount of traffic over port 22. In most samples, ports 443 and 80 are the ports that see the most traffic, but in this one, more flows occurred over port 22 than port 80. This is not necessarily malicious, but it is at least uncommon.
Image 2: The traffic sample contained a notably large amount of activity over port 22.
Most flows over port 22 (8,089 of 9,642 between February 27 and April 27) occurred between a company-attributed IP address located in Portugal and 85.158.120[.]203, an IP address located in France. This traffic may be benign: warehouse management system (WMS) solution provider Generix Group is the registrant organization of 85.158.120[.]203. Given that the affected organization operates a large network of storage facilities, this traffic may reflect their use of a Generix Group solution to manage such facilities. However, this traffic may merit review by personnel with internal visibility to confirm that it represents expected behavior.
Another large portion of the traffic over port 22 (755 flows between March 11 and April 23) involved 12.150.107[.]161, a company-attributed IP address where Attack Surface Intelligence indicates that port 22 is open and running FTP (file transfer protocol). This is somewhat uncommon: FTP typically runs over port 21, and SSH runs over port 22. But in this case, both ports 21 and 22 were running FTP.
Image 3: Attack Surface Intelligence indicates that port 22 is exposed and running FTP at a company IP address.
The use of FTP may represent additional cause for concern. FTP offers access to files stored on servers, allowing users to upload, download, and delete files. Many FTP servers are used by automated processes and are neglected or poorly configured (the use of FTP at an unexpected port could further indicate a configuration issue). File-sharing services are attractive targets to attackers due to the data they may contain. An attacker that gains access to the files on an FTP server may sell the files within, use them for blackmail, or employ the information when launching further attacks. Attackers could target the service with authentication bypass attacks (e.g., brute-forcing, buffer overflows, blank passwords) to gain control of the host or exfiltrate its databases. A compromised host may allow an attacker to penetrate further into the host’s associated infrastructure.
These communications over port 22 do not appear to reflect exfiltration, as they featured relatively small amounts of data, but they may reflect attempts to mount authentication-bypass attacks: all of the non-company IP addresses involved communicated repeatedly within relatively short timeframes, which may suggest credential-stuffing or brute-force attempts. Previous research has linked all of the IP addresses involved to brute-force attacks against SSH services (which normally run on port 22). The IP addresses involved in this activity are available in an appendix below.
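As an added illustration, not code from the report or from SecurityScorecard, the following Python applies the three heuristics the analysis above relies on (flow counts per port, transfers of 10 MB or more, and bursts of repeated connections to port 22 that may indicate brute-force attempts) to a constructed set of flow records. The addresses, timestamps, the 10 MB threshold in bytes and the five-flows-in-ten-minutes burst rule are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp UTC, src_ip, dst_ip, dst_port, bytes).
# 192.0.2.0/24 stands in for company-attributed addresses; the other ranges are
# documentation addresses, not the IPs named in the report.
SAMPLE_FLOWS = [
    ("2023-04-26T02:38:00", "192.0.2.10", "203.0.113.25", 443, 11_200_000),
    ("2023-04-20T09:00:00", "192.0.2.10", "203.0.113.80", 443, 1_200),
    ("2023-04-21T11:00:00", "192.0.2.11", "203.0.113.80", 80, 3_000),
    ("2023-04-22T10:00:00", "198.51.100.9", "192.0.2.12", 22, 900),
    ("2023-04-22T10:00:04", "198.51.100.9", "192.0.2.12", 22, 880),
    ("2023-04-22T10:00:09", "198.51.100.9", "192.0.2.12", 22, 910),
    ("2023-04-22T10:00:13", "198.51.100.9", "192.0.2.12", 22, 870),
    ("2023-04-22T10:00:18", "198.51.100.9", "192.0.2.12", 22, 905),
    ("2023-04-10T08:00:00", "198.51.100.70", "192.0.2.12", 22, 40_000),
    ("2023-04-15T08:00:00", "198.51.100.70", "192.0.2.12", 22, 38_000),
]

def parse(flows):
    return [(datetime.fromisoformat(t), s, d, p, b) for t, s, d, p, b in flows]

def port_flow_counts(flows):
    """Flows per destination port; port 22 outpacing port 80 is the uncommon case noted above."""
    return Counter(p for _, _, _, p, _ in parse(flows))

def port22_exceeds_port80(flows):
    counts = port_flow_counts(flows)
    return counts[22] > counts[80]

def large_transfers(flows, threshold=10_000_000):
    """Flows moving at least `threshold` bytes (10 MB, assumed as 10,000,000 bytes)."""
    return [(s, d, b) for _, s, d, _, b in parse(flows) if b >= threshold]

def repeated_connections(flows, port=22, min_flows=5, window=timedelta(minutes=10)):
    """(src, dst) pairs with >= min_flows flows to `port` inside one `window`:
    the burst pattern the report reads as possible brute-force attempts."""
    by_pair = defaultdict(list)
    for t, s, d, p, _ in parse(flows):
        if p == port:
            by_pair[(s, d)].append(t)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        for i in range(len(times) - min_flows + 1):  # sliding window over sorted times
            if times[i + min_flows - 1] - times[i] <= window:
                hits[pair] = len(times)
                break
    return hits
```

Two flows spread over five days from the same source (198.51.100.70 here) do not trigger the burst rule, while the five flows within eighteen seconds do; the large-transfer check flags only the single 11.2 MB flow.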
The previous breach affecting this business occurred in a context of particularly acute awareness of the fragility of the global supply chain and the vulnerability of key links in it to malicious cyber activity. As some comments regarding the more recent incident reflect, however, these concerns have persisted alongside efforts by both national and transnational bodies to enhance critical industries’ cyber resilience.
Indeed, if the claims that the company detected this recent incident early and shut down its network out of an abundance of caution are accurate, then this event may in fact reflect improvements in the firm’s security, as they would suggest that the company was able to intervene early enough to limit the scope of an incident that could have proven more disruptive if the victim organization had detected it later. If that is the case, reports that the resulting disruptions persisted for days and led to financial losses for customers may illustrate that malicious cyber activity can have costs even when the attacks are ultimately unsuccessful.
While the available traffic data may not offer definitive conclusions regarding the activity that culminated in the disruption to the company’s operations, some of the observed behavior may be related to it. Communication with a remote access tool in the hours surrounding the shutdown could reflect a threat actor’s use of such a tool. The large data transfers may suggest exfiltration, and some of the traffic to port 22 of a company-attributed IP address could reflect attempts to compromise services in use there.
STRIKE Team researchers gathered and analyzed this information to provide a brief preview of some of SecurityScorecard’s threat intelligence and investigation capabilities. Researchers were only able to query and contextualize some of the available data sources. Therefore, this is not an exhaustive list of issues related to the target organization’s overall cyber risk exposure. This investigation should be considered trustworthy but preliminary. Our team can conduct further research upon request. Researchers could, for example, analyze traffic involving a larger group of company IP addresses in addition to those where our ratings platform observes issues.
LogMeIn IP Addresses that Communicated in the Hours Surrounding the Shutdown
IP Addresses Involved in Large Transfers and Previous Investigations
Vendor-Detected IP Addresses Observed Communicating Over Port 22