Cybersecurity news headlines for June 2021
In June’s edition of cybersecurity news headlines, we discuss two data leaks, a ransomware attack, and an update on the Colonial Pipeline ransomware attack. Data of 3.3 million Volkswagen/Audi customers and 700 million LinkedIn users was exposed in separate data leaks, meat provider JBS suffered a ransomware attack, and part of the ransom paid by Colonial Pipeline was retrieved by authorities. These are the stories that made the biggest headlines in June 2021.
Audi and Volkswagen data leak exposes 3.3 million user records
Motor vehicle manufacturer Volkswagen has revealed a data leak impacting over 3.3 million of its customers. According to the manufacturer, the leak originated from an unsecured compilation of data that was exposed online between August 2019 and May 2021. An unnamed associate vendor has been identified as the source of the breach, as it left the data unsecured online.
In a website created specifically to address this incident, Volkswagen and Audi said that on March 10, 2021, they were alerted about an unauthorized third party potentially obtaining certain customer information. An immediate investigation showed that “a third party obtained limited personal information received from or about customers and interested buyers from a vendor used by Audi, Volkswagen, and some authorized dealers in the United States and Canada”. Among the information was also data gathered for sales and marketing purposes between 2014 and 2019.
Approximately 3.3 million individual customers and potential buyers are believed to be affected, around 163,000 of whom are located in Canada. Full names, personal and business mailing addresses, email addresses, and phone numbers were among the information potentially exposed. In some cases, information about vehicles purchased, leased, or inquired about was also leaked.
For 90,000 of those affected, the data appears to also include information about eligibility for purchase, loan, or lease. 95% of the 90,000 also had their driver’s license numbers exposed, and for a small number of those impacted, dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers were also part of the breach.
The website containing information about the incident also informs those affected that Audi of America is offering IDX identity theft protection services. Users whose driver’s license number, date of birth, or Social Security number were exposed are eligible for a two-year credit monitoring service that would alert them about any changes to their credit reports. They can also make use of CyberScan, a monitoring service that looks for users’ personal information being sold on criminal websites, chat rooms, bulletin boards, etc., as well as ID Theft Insurance and dedicated experts who would help with resolving identity theft issues. Affected customers should have already received notifications about the incident.
Meat provider JBS suffers a ransomware attack
JBS, one of the world’s largest meat providers, was revealed to have suffered a ransomware attack on May 30, 2021, which forced the company to shut down production at multiple locations. The attack was revealed in a statement by JBS on May 31, 2021, with the company calling the incident “an organized cybersecurity attack”. Reportedly, the company took immediate action as soon as it became clear what was happening and suspended all affected systems. The company gave assurances that no customer, supplier, or employee data was compromised during the attack. Authorities were notified soon after the attack, and third-party experts, as well as IT professionals, were contacted to help resolve the situation.
The FBI has identified the attackers as the REvil (also known as Sodinokibi) gang, one of the most notorious currently active ransomware groups. In a short statement, the Federal Bureau of Investigation said it is “working diligently to bring the threat actors to justice”. However, its efforts may be hindered by the fact that REvil, along with many other ransomware gangs, is operating from Russia, making it difficult for US authorities to apprehend them, even if their identities were known.
It was later revealed that the meat provider paid $11 million in ransom to the REvil operators, despite the fact that the majority of their facilities were operational. The decision to pay the ransom was made in consultation with internal IT professionals and third-party cybersecurity experts in order to avoid any unforeseen issues related to the incident.
“JBS USA has maintained constant communications with government officials throughout the incident. Third-party forensic investigations are still ongoing, and no final determinations have been made. Preliminary investigation results confirm that no company, customer or employee data was compromised,” JBS’s press release statement reads.
Data of 700 million LinkedIn users sold on a hacker forum
On June 22, 2021, a user by the name TomLiner posted on a hacker forum that they are selling a database containing records of 700 million LinkedIn users. Included in the post is a sample with 1 million records. Researchers from PrivacySharks, who were the first to report the leak, have confirmed that the sample does include user information, including full names, email addresses, physical addresses, gender, phone numbers, and details related to employment. LinkedIn has approximately 756 million users in total, meaning information of 92% of their users is currently being sold.
In a statement sent to various media outlets, LinkedIn acknowledged the issue but said the data was scraped rather than breached.
“While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected,” LinkedIn’s Leonna Spilman said in a statement sent to PrivacySharks.
This is not the first time LinkedIn has dealt with a leak of this size. A mere two months before this incident, a database containing information of 500 million users was put up for sale.
While passwords do not appear to be part of the breach, LinkedIn users are recommended to change their passwords. Furthermore, because email addresses, full names, and phone numbers have been leaked, users are at increased risk of being targeted by scammers and should thus be extra cautious.
Most of the ransom paid by Colonial Pipeline returned
The US Department of Justice (DOJ) has revealed that it was able to seize 63.7 bitcoins (valued at $2.3 million at the time of the press release) that are allegedly a portion of the ransom paid to the DarkSide ransomware group by Colonial Pipeline, an American oil pipeline company. The oil giant suffered a ransomware attack on May 7, 2021, and ended up paying 75 bitcoin (valued at $4.4 million at the time of the attack) in exchange for a decryption key. While only the billing systems were compromised by the attack directly, Colonial Pipeline shut down the pipeline temporarily as concerns were raised that hackers may have been able to carry out further attacks on vulnerable pipeline parts. The attackers, quickly identified as DarkSide, also stole approximately 100 GB of information, which they threatened to release on the Internet if the ransom was not paid. After Colonial Pipeline agreed to pay and transferred the bitcoins, they received a decryption program but were ultimately forced to use their own backups to recover their systems, as the decryptor was operating very slowly. For a little over a week, Colonial Pipeline experienced problems, which resulted in fuel shortages, panic buying, and a significant increase in fuel prices all over the US.
Because the attack caused consequences felt by many all around the US, the perpetrator DarkSide received a lot of government and media attention. The group initially attempted to distance itself from the situation and claimed to be “apolitical”, though it later announced a complete shutdown of operations. It’s not yet clear whether that means they will only regroup or actually stop their criminal activities.
In a statement released on June 7, 2021, the DOJ revealed that they were able to track multiple bitcoin transfers and recover approximately 63.7 bitcoins of the paid ransom. According to the statement, they were able to track the ransom transfers to a specific address, which the FBI was able to access because they had the private key in their possession.
“As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address,” the DOJ statement reads.
Lisa Monaco, the US Deputy Attorney General, warned during a press conference that ransomware poses a threat to both corporations and communities, and urged them to start investing resources before they become a victim. However, she also highlighted the importance of reporting ransomware and other cyber attacks to the authorities.
“The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme,” Monaco said while also emphasizing that they cannot guarantee the wanted outcome in all cases.
- FBI Statement on JBS Cyberattack. FBI Press Releases.
- Madeleine Hodson. Exclusive: 700 Million LinkedIn Records For Sale on Hacker Forum, June 22nd 2021. PrivacySharks.
- Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside. The United States Department of Justice.