Summary of Findings
- A major fuel pipeline in the United States shuts down after a ransomware attack.
- CaptureRX, a healthcare administrative company based in the United States, suffers a ransomware attack.
- Microsoft investigates a business email compromise (BEC) campaign that targeted organizations using a gift card scam.
- Pirated software downloaded by a university student opens the door to a Ryuk ransomware attack on a life sciences research institute.
Ransomware Attack Shuts Down Colonial Pipeline, Causing Fuel Shortages
A ransomware attack disrupted the largest refined gasoline and jet fuel pipeline system in the United States [1]. The Colonial Pipeline was shut down as a precautionary measure after the corporate network of the company operating the pipeline was found to be compromised. Part of the nation’s critical infrastructure, the Colonial Pipeline extends approximately 8,850 kilometers (5,500 miles) [2] and carries 45 percent of the U.S. East Coast’s fuel supplies.
The U.S. Federal Bureau of Investigation (FBI) identified the ransomware used as DarkSide [3]. This new ransomware-as-a-service (RaaS) platform is advertised on the Russian-language forums exploit.in and xss.is [4].
Various fuel shortages have been reported since the incident [5] [6]. The operator of the pipeline stated that it had initiated an operational restart but that supply restoration would take several days [7]. Colonial Pipeline reportedly paid a $5 million ransom to the threat actors [8].
CaptureRx Suffers Ransomware Attack Leading to Theft of Patient Data
Texas-based CaptureRx, an administrative services provider to healthcare organizations such as hospitals and health centers, suffered a ransomware attack that led to the theft of confidential information for thousands of patients [9]. The data acquired by the threat actors included names, dates of birth, prescription information and, for a limited number of patients, medical record numbers.
The incident occurred in February 2021, and CaptureRx assessed the scope of the information theft throughout February and March. The company started notifying the affected healthcare providers at the end of March [10].
It is not currently known which ransomware variant was used in the attack, but historically the Ryuk ransomware has been deployed [11] to target the healthcare sector.
Business Email Compromise Campaign Is Complex, According to Microsoft
Microsoft published research [12] detailing a business email compromise (BEC) campaign that used attacker-created email infrastructure to facilitate gift card theft. The threat actors used typo-squatted domains to make the emails appear to originate from valid senders. Tailored email messages coaxed the target into buying gift cards for a supposedly legitimate business reason, such as a reward for a team member. The unsuspecting target then sent the gift card codes to the attacker, who could cash out the funds or resell the codes.
As Microsoft noted, this seemingly simple attack was actually quite complicated, involving reconnaissance and targeting, social engineering, and delivery infrastructure. In this instance, the threat actors registered over 120 typo-squatted domains to impersonate actual businesses. They targeted organizations in the consumer goods, process manufacturing and agriculture, real estate, and professional services sectors.
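One defensive check suggested by this campaign is to compare inbound sender domains against the domains of partners and executives the organization actually corresponds with, flagging look-alikes. The example below is added here and is not part of Microsoft's research or tooling; the partner domains and sender addresses are constructed, and the homoglyph table and two-label "registrable domain" shortcut are simplifying assumptions.

```python
# Constructed list of domains the organization legitimately corresponds with (assumption).
LEGIT_DOMAINS = ["contoso.com", "fabrikam.com"]

# Look-alike substitutions commonly seen in typo-squatted domains (assumed set, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed sample of sender addresses as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "ceo@contoso.com",          # genuine domain
    "ceo@c0ntoso.com",          # digit zero for letter o
    "accounts@contosso.com",    # doubled letter
    "hr@fabrlkam.com",          # l for i
    "news@example.org",         # unrelated domain, should not be flagged
    "it@mail.fabrikam.com",     # genuine subdomain
]


def normalize(domain: str) -> str:
    """Lower-case and collapse homoglyph substitutions so c0ntoso compares equal to contoso."""
    d = domain.lower().strip()
    for lookalike, real in HOMOGLYPHS.items():
        d = d.replace(lookalike, real)
    return d


def registrable(domain: str) -> str:
    """Keep the last two labels (mail.contoso.com -> contoso.com); a simplification without a public-suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_match(sender_domain: str, legit_domains, max_distance: int = 2):
    """Return the legitimate domain that sender_domain imitates, or None if it is genuine or unrelated."""
    raw = registrable(sender_domain)
    for legit in legit_domains:
        legit_reg = registrable(legit)
        if raw == legit_reg:
            return None  # exact match: this is the real domain (or a subdomain of it)
        if normalize(raw) == normalize(legit_reg) or levenshtein(normalize(raw), normalize(legit_reg)) <= max_distance:
            return legit_reg
    return None


def flag_senders(sender_addresses, legit_domains):
    """Map each suspicious sender address to the legitimate domain it resembles."""
    flagged = {}
    for addr in sender_addresses:
        hit = typosquat_match(addr.rsplit("@", 1)[-1], legit_domains)
        if hit:
            flagged[addr] = hit
    return flagged


if __name__ == "__main__":
    for sender, impersonated in flag_senders(SAMPLE_SENDERS, LEGIT_DOMAINS).items():
        print(f"SUSPECT {sender} resembles {impersonated}")
```

A real deployment would replace the two-label shortcut with a public-suffix list and tune the distance threshold to the length of the domains being protected.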
“Cracked” Software Creates Opening for Ransomware Attack on Research Institute
A European biomolecular research institute with university partnerships was the victim of a Ryuk ransomware attack [13]. The institute, which is involved in COVID-19-related research, lost a week’s worth of vital data because it had not backed up its most recent work.
It was determined that a student who was allowed to access the institute's network without two-factor authentication inadvertently downloaded a trojan to his personal computer. The trojan was embedded in a “cracked” version of a data visualization software tool that the student installed. The trojan was used to create a remote desktop protocol (RDP) account on the institute's network. This account was then used to launch the ransomware attack.
References
1. https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html
2. https://en.wikipedia.org/wiki/Colonial_Pipeline
3. https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-network-disruption-at-colonial-pipeline
4. https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
5. https://www.washingtonpost.com/business/2021/05/12/faq-gas-shortages/
6. https://alexandrialivingmagazine.com/news/fuel-shortage-hits-alexandria-gas-stations/
7. https://www.nytimes.com/2021/05/12/business/energy-environment/pipeline-shutdown-latest-news.html
8. https://www.cnbc.com/2021/05/13/colonial-pipeline-paid-ransom-to-hackers-source-says.html
9. https://www.hipaajournal.com/capturerx-ransomware-attack-affects-multiple-healthcare-provider-clients/
10. https://www.zdnet.com/article/ransomware-attack-on-healthcare-admin-company-capturerx-exposes-multiple-providers-across-united-states/#ftag=RSSbaffb68
11. https://www.lexology.com/library/detail.aspx?g=1bf1f11c-12be-4dba-8cdf-c9bd54225db1
12. https://www.microsoft.com/security/blog/2021/05/06/business-email-compromise-campaign-targets-wide-range-of-orgs-with-gift-card-scam/
13. https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/