Weekly CyberTip: Cyber safety on Cyber Monday
Cyber Monday is one of the busiest online shopping days of the year. Today, and as the holidays approach, make sure you stay cyber safe by observing ISA Cybersecurity’s list of the top ten tips for protecting your personal and financial information online.
IKEA facing reply-chain email attacks
Furniture and home accessory giant IKEA is working to manage an ongoing cyberattack within its email infrastructure. On November 26, IKEA’s IT team identified that threat actors had compromised the company’s Microsoft Exchange servers and were targeting staff with internal phishing attacks, using a “reply-chain” email attack technique.
Reply-chain email attacks occur when a threat actor takes over a legitimate email account, then uses it as a springboard to send impersonation emails as part of an ongoing email thread. The threat actor counts on the trust of the recipients to click links or open attachments, which can actually carry malware payloads. “Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine,” according to internal correspondence from IKEA to staff.
The scope of the current incident is still being evaluated, but one message from the IT team warned that the reply-chain attack is not only coming from internal mailboxes, but from “other compromised IKEA organizations and business partners” as well. IKEA has not made any official statement about the incident on its Canadian or international websites or social media channels.
Research by security news outlet Bleeping Computer suggests that the payloads involved in the attack bear the hallmarks of Qbot trojan and Emotet compromises.
The incident serves as a reminder that people need to be vigilant in handling email and opening attachments, even from trusted sources.
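The IKEA memo points at the core defensive problem with reply-chain phishing: the "this is a reply in a thread I recognise" signal is exactly what recipients (and quarantine-release buttons) trust. The following is an added example, not code from ISA Cybersecurity, IKEA or any mail vendor, of a triage heuristic that treats an in-thread message carrying a risky attachment or a link to an unfamiliar host as a "hold" that end users should not be able to release. The trusted hosts, the risky-extension list, the sample messages and the `triage`/`build_sample` names are all assumptions constructed for the demo.

```python
"""Heuristic triage for reply-chain phishing (added example; assumptions labelled)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumption: hosts the organisation considers familiar for links in mail.
TRUSTED_LINK_HOSTS = {"example.com", "intranet.example.com"}

# Assumption: attachment types commonly used to deliver loader malware; tune per org.
RISKY_EXTENSIONS = {".zip", ".iso", ".docm", ".xlsm", ".js", ".vbs", ".lnk", ".html"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message as deliver / quarantine / hold.

    'hold' means the message sits inside an existing thread *and* carries a
    payload indicator, so it must not be user-releasable (the IKEA failure mode).
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # In-Reply-To / References mark the message as part of an ongoing thread.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    reasons = []

    # Payload indicator 1: attachment with a risky extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"risky attachment: {name}")

    # Payload indicator 2: link whose host is not on the familiar list.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_LINK_HOSTS:
            reasons.append(f"link to unfamiliar host: {host}")

    if in_thread and reasons:
        verdict = "hold"          # thread trust + payload: analyst review only
    elif reasons:
        verdict = "quarantine"    # ordinary quarantine, user release acceptable
    else:
        verdict = "deliver"
    return {
        "in_thread": in_thread,
        "verdict": verdict,
        "reasons": reasons,
        "user_releasable": verdict != "hold",
    }


def build_sample(body, in_reply_to=None, attachment=None) -> bytes:
    """Construct a sample message (constructed input for the demo, not real mail)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "RE: Q4 purchase order"
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
        m["References"] = in_reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: a reply riding an existing thread with payload indicators,
# a fresh message with a macro-enabled document, and a benign in-thread reply.
SAMPLES = {
    "in_thread_payload": build_sample(
        "Hi, updated invoice attached, or grab it at http://files.invoice-host.example/portal",
        in_reply_to="<po-42@example.com>", attachment="invoice.zip"),
    "fresh_macro_doc": build_sample("Please review the attached report.",
                                    attachment="report.docm"),
    "benign_reply": build_sample(
        "Thanks, the updated file is on https://intranet.example.com/po/42 as discussed",
        in_reply_to="<po-42@example.com>"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:18} -> {result['verdict']:10} {result['reasons']}")
```

The point of the three-way verdict is policy, not detection accuracy: a quarantine that users can release is fine for a cold-contact lure, but a payload arriving inside a thread the recipient is already part of is the case where, as IKEA's memo says, people assume the filter is wrong. Routing that case to an analyst-only hold reproduces IKEA's decision without switching off quarantine release for every message.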
Swire Pacific Offshore suffers cyber attack
On November 25, marine services provider Swire Pacific Offshore (SPO) confirmed that it had been the victim of a cyber attack. “The unauthorised access has resulted in the loss of some confidential proprietary commercial information and has resulted in the loss of some personal data. The cyberattack has not materially affected SPO’s global operations,” according to the statement.
According to a report in Bleeping Computer, the Clop ransomware gang has claimed responsibility for the attack. Screenshots from the threat actor group’s dark web site suggest that the gang has stolen passport details, payroll information, ID numbers, bank account details, email addresses, and internal correspondence from SPO staff. SPO employs 2,500 seafaring and onshore personnel in 18 countries, any of whom may have been exposed in the data breach.
SPO, a wholly-owned subsidiary of Swire Pacific, owns and operates a diverse fleet of more than 50 vessels, providing services including anchor-handling; towing and supply support for offshore drilling and production campaigns; pipelay and construction support; and windfarm installation, transportation and decommissioning services.
GoDaddy breach affects reseller network
GoDaddy has confirmed that the data breach disclosed on November 22 has affected its half-dozen managed WordPress service resellers as well.
“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost… A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action,” according to a statement by GoDaddy’s Vice-President of Corporate Communications, Dan Rice.
GoDaddy, one of the world’s largest domain registrars and website hosting companies, discovered a data breach on November 17 affecting up to 1.2 million current and former customers of its managed WordPress service. Exposed data includes the email address and customer number associated with the WordPress accounts; the default WordPress admin password set when the account was first provisioned; and SFTP and database usernames and passwords. An undisclosed – but thought to be significant – number of SSL keys belonging to a subset of the affected customers was also exposed, according to GoDaddy’s regulatory statement filed with the Securities and Exchange Commission (SEC) on November 22.
The breach reportedly occurred when a threat actor used a compromised password to access the provisioning system in GoDaddy’s legacy code base for Managed WordPress. The compromise appears to have remained undetected for more than 70 days, as the statement reveals that the threat actor gained initial access to the GoDaddy systems environment on September 6.
GoDaddy says it has reset all affected passwords and is in the process of issuing and installing new certificates for customers whose SSL keys were exposed.