Foxconn, FireEye, and SolarWinds: Key takeaways from high-profile breaches


The cybersecurity landscape changed dramatically in 2020. As organizations scrambled to keep employees connected in a world of remote everything, threat actors capitalized on the chaos.

Between January and October, 36 billion records were exposed in data breaches. Here’s an overview of some of the latest high-profile cyberattacks.

Foxconn: Ransomware Attack

Electronics giant Foxconn — which manufactures Apple’s iPhone and many other popular devices — fell victim to a ransomware attack on one of its factories in Mexico on Nov. 29. The attack, which was carried out by the DoppelPaymer ransomware gang, resulted in the encryption of 1,200 servers, the theft of 100GB of data, and the deletion of 20-30TB of backups.

DoppelPaymer left a ransom note on Foxconn servers demanding $34.7 million in Bitcoin and contact from the company within three business days in return for an encryption key and a promise not to release the stolen data.

Foxconn reportedly hasn’t paid. Some of its business documents and reports were published on DoppelPaymer’s ransomware data leak site on Dec. 7.

Why it matters

This breach highlights the new modus operandi for ransomware gangs: Break in, steal data to use for extortion, and then deploy the ransomware. The hope is victims will pay to prevent the public exposure of data and avoid crippling business systems.

The attack also emphasizes a growing trend toward “big-game hunting.” Cybercriminals are choosing high-value targets that are sensitive to downtime — such as healthcare, manufacturing, and government organizations — because they are more likely to pay a ransom, regardless of how costly it is.

Attacks that use these methods will continue well into and beyond 2021. Organizations should take proactive steps to prevent, detect, and respond to ransomware.

FireEye: Red Team Tool Breach

FireEye recently disclosed a breach involving access to its internal network and the theft of red-team tools used to test the defenses of its customers.


What’s a Red Team?

Red teaming is a cybersecurity exercise that actively simulates a cyberattack to measure how well an organization can withstand it. The red team consists of ethical hackers who take on the role of the “bad guys.” They use the same techniques and tools as malicious hackers to evade detection and test the defense readiness of the internal security staff on the blue team, who use their skills to defend against the attack.


Per FireEye, the stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as Cobalt Strike and Metasploit. Some are open source tools modified to evade basic security detection mechanisms. Others were developed internally.

Reports suggest the attack was part of a global espionage campaign carried out by a highly sophisticated, state-sponsored attacker associated with the Russian government. In a blog post, FireEye CEO Kevin Mandia noted that there is no evidence that the tools have been used, and client data does not appear to have been stolen.

None of the 16 vulnerabilities the stolen tools target are zero-day flaws; all have patches available. FireEye has released a set of more than 300 countermeasures via GitHub.

Why it matters

FireEye is one of the world’s top providers of network security and forensics, making this a worrying development that underlines the difficulty in stopping determined hackers. Everyone is a target, and threat actors are steadily advancing their capabilities.

FireEye has been praised for its transparency in coming forward; it’s a great example of how sharing intelligence can contribute to collective cyber resilience.

SolarWinds: Supply Chain Attack

Russian hackers known by the nicknames APT29 and Cozy Bear have breached network management provider SolarWinds and deployed a malware-tainted update for its Orion software to infect at least 18,000 government and private networks.

This supply chain attack is how hackers gained access to FireEye’s network.

The attackers were able to add malicious code to SolarWinds Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. FireEye named the malware SUNBURST; Microsoft calls it Solorigate.

Why it matters

As the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put it, this hack poses a “grave risk,” and the more we learn about it, the worse it looks. It is a frightening reminder that many of us depend on software that can be weaponized. The malicious code added to the Orion updates creates a backdoor that can be used to gain a foothold in victim networks, steal credentials, and move laterally to access critical data.

Reported victims include government, consulting, technology, telecom, and oil and gas organizations in North America, Europe, Asia, and the Middle East. In the U.S., the Treasury, Commerce, State, Energy, and Homeland Security departments were impacted along with other government agencies, prompting CISA to issue an emergency directive urging all federal agencies to disconnect from SolarWinds systems.

Given SolarWinds’ client list, which includes the vast majority of the Fortune 500 and all five branches of the U.S. military, the ramifications could be devastating.

Software supply chain attacks are some of the hardest to prevent because they stem from trusted relationships and software update mechanisms. There’s no easy solution, but sharpening our focus on threat detection, protecting code integrity, and following application security best practices is a good start.

The SolarWinds advisory, the CISA emergency directive, and FireEye’s GitHub page contain additional information and countermeasures.

Strengthening Your Cyber Defenses

Despite a clear need to strengthen cyber defenses, the pandemic has left many security teams facing slimmed-down budgets in 2021.

Optimizing investments has never been more important. Vendor-independent security services can help you investigate your technology stack to uncover weaknesses and misconfigurations, identify opportunities for consolidation, and target security dollars to solutions that will better enable you to defend against these types of attacks.

Contact us to learn more.

Anne Grahn contributed to this post.
