Zitec Blog

2021 under the microscope: When cybercriminals play hide-and-seek - Part 2

Written by Simona Negru | May 15, 2022 9:00:00 PM

In the first part of our 2021 retrospective, we tried to solve the equation of security incidents. To do so, we analyzed which types of fraud impact the industry the most, delved into cybercriminals’ motives and, lastly, looked at where the bad actors stage their acts.

However, one variable in this “mathematical” problem is still missing: the industries that hackers target and how they actually do it. In the following paragraphs we cover the DOs and DON’Ts of protecting against and preventing malicious attacks.

The “how”: Industries and sectors hit

According to IT Governance’s study for Q3 2021, the healthcare sector was the most targeted, with 66 security incidents, surpassing the public sector, which had been the most affected in Q1 and Q2. The technology and media sector and the education sector, with 37 and 35 security incidents respectively, ranked second and third, followed by retail with 18 incidents, down from 41 in Q2.

Health and lifecare

As most information moved to the cloud, personal data such as PII, healthcare records, patient and employee credentials, financial details and health insurance data became especially valuable. Hackers and savvy bad actors knew that, in a volatile and emotional context, stealing healthcare data by planting malicious scripts was an effective way to get ransoms paid.

Healthcare stands out as the fastest growing target sector, with attacks increasing throughout 2021. In July, Madrid’s health system suffered a data breach that exposed the COVID-19 vaccination data of 100,000 people, along with their ID and telephone numbers, social security numbers and home addresses. Among those affected were King Felipe VI and Prime Minister Pedro Sánchez, TeleMadrid reports.

Retail

Imperva’s research found that 57% of attacks on eCommerce websites were carried out by bots. Bots serve many malicious purposes, including user account takeover (ATO), price and content scraping by competitors and third parties, inventory abuse and credit card fraud. Online retailers experienced a 200% spike in DDoS attacks, a higher volume of ATO login attempts than the average across all other industries, and a slight rise in data leakage. Website attacks on the retail industry from Q4 2020 through H1 2021 were also higher than in any other industry.

For instance, Moncler, the Italian luxury fashion brand, suffered a major ransomware attack in late December. The company rejected the USD 3 million ransom demand, and in response the attackers published the stolen data (e.g. earnings statements, spreadsheets with customer information and invoices) on the dark web. The leak involved details of Moncler’s current and former employees, suppliers, consultants, business partners and registered customers, although the company stated that no credit card or other payment information had been exfiltrated. Its logistics system and eCommerce shipments stopped for ten days, but the fashion brand confirmed that the interruption did not materially affect its profits. The group allegedly behind the attack is AlphV/BlackCat, a new Ransomware-as-a-Service (RaaS) operation that launched in early December 2021.

French Connection (FCUK), the UK-based clothing retailer, joined the list of 2021 ransomware victims. The cyberattack is reportedly linked to the notorious REvil group. Tech Times wrote that the gang used scans of employee passports and other identification cards. However, FCUK confirmed that its front-end servers, in particular those handling online payments, were not affected by the incident. In March, REvil struck again, this time in France, demanding a USD 24 million ransom after attacking Asteelflash, the French electronics manufacturing services (EMS) company. At the time, Asteelflash had not publicly disclosed the attack, but BleepingComputer found a REvil ransomware sample that gave access to the Tor negotiation page for the attack. BleepingComputer contacted the company for further details but received no response. Later, in April, Asteelflash released a statement saying it had not been in contact with the attackers and had instead taken defensive measures to limit the impact of the incident and isolate the affected servers.

In addition, we have seen an increase in requests from clients to help them integrate security solutions. One of the most requested tools is the Web Application Firewall (WAF), which blocks both automated attacks and manual intrusion techniques. We configured and delivered WAFs that give our clients a strong shield against web threats while keeping false-positive detections to a minimum.

Banks and financial sector

Some of the financial threats seen in 2020 remained major issues in 2021. Ongoing digital transformation and growing reliance on the cloud raised the level of cyberthreat activity, and banks and financial institutions of all sizes experienced more ransomware attacks than in previous years. In addition, over 80% of respondents to a survey of the banking and finance sector named social engineering as the greatest threat of 2021, with targeted phishing at the top of the list. Credentials were the type of data most sought after and the fastest to compromise.

In December, HR management platform Ultimate Kronos Group (UKG) fell victim to a ransomware attack. The attack targeted Kronos Private Cloud, a service that runs applications including Banking Scheduling Solutions, Healthcare Extensions, UKG TeleStaff and UKG Workforce Central. The incident also exposed the personal information of 6,632 PUMA employees, obtained through PUMA’s use of services provided by UKG.

Our clients constantly ask us how to better protect themselves and their users’ data from potential threats. To minimize risk and prevent data breaches, an effective cyber security method is the classic penetration testing exercise, in which our Security & Data Protection team simulates real attacks against the client’s web infrastructure. The tested web applications often have a solid backbone in cloud environments, which allows us to perform a more in-depth analysis: not only discovering critical vulnerabilities, but also fixing security weaknesses that could be exploited.

Logistics and distribution/transportation

It is important to note that attacks on the global supply chain are twofold. Firstly, various threats aim to disrupt the supply chain logistics themselves. Secondly, supply chains are used as a channel to attack connected partners and suppliers.

The personal data of about 4.5 million Air India passengers was compromised following a cyberattack on SITA, a multinational information technology company that provides IT and telecommunication services to the air transport industry. According to TechCrunch, the stolen data included passengers’ names, credit card details, dates of birth, contact information, passport information, ticket information, and Star Alliance and Air India frequent flyer data. This was not the first cyberattack SITA suffered in 2021.

German logistics giant Hellmann Worldwide Logistics came under a cyber attack in December. This forced the company to temporarily disconnect all links to the main data center. Hellmann stated that this incident had “material impact on [their] business operations”, as the company offers its airfreight, seafreight, road & rail, and contract logistics services to 489 offices in 173 countries.

The main issue observed in supply chain security is the direct cyberattack, although risk also comes from bots that target a software system. Industry giants invest in emerging technologies such as automated fulfillment, chatbots for support services and innovations that augment the shopping experience (e.g. checkout features, geolocation or universal search, 3D rendering, delivery notifications etc.). If these are not properly protected, once a bot gets past the security perimeter the attacker gains access to individual passwords, sensitive information and more.

As we have seen, no industry gets a free pass from security incidents. Any flaw gets exploited, and these faults drag further consequences and damage along with them. To emphasize this point, in Part 3 of this article we will discuss the lessons learned by organizations that encountered security issues, and we will analyze the harsh GDPR penalties that resulted from non-compliance. Nonetheless, robust data-centric security can help mitigate an incident if ill-intentioned actors get hold of your sensitive data elements. Zitec’s security experts stay abreast of the latest cyber threats to better protect our clients. For details on how to shield your business and stay a cut above the hackers, our team is at your disposal. Contact us for more valuable insights!