Canada Post Becomes the Latest Victim of Supply Chain Attack
Canada Post recently announced that it fell victim to a supply chain attack, resulting in a data breach relating to nearly a million receiving customers.
A supply chain attack, also known as a third-party attack, happens when an attacker reaches your organization’s systems or data through an outside partner or supplier that has access to them.
In a press statement released on May 26th, Canada Post said that on May 19th it was informed by one of its suppliers, Commport Communications, that the supplier had suffered a ransomware attack and that the attack had exposed Canada Post customer data.
Commport Communications’ electronic data interchange (EDI) solution is used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests typically include sender and receiver contact information such as the names and addresses of the business sending the item and the customer receiving it.
“In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers,” Canada Post said.
Canada Post added that the impacted shipping manifests were from July 2016 to March 2019 and that the vast majority (97%) contained the name and address of the receiving customer, while the remainder (3%) contained an email address and/or phone number.
“We are now working closely with Commport Communications and have engaged external cyber security experts to fully investigate and take action,” Canada Post said. “We are proactively informing the impacted business customers and providing the information and support necessary to help them determine their next steps. As well, the Office of the Privacy Commissioner has been notified.”
According to Canada Post, in November 2020, Commport Communications notified Innovapost, Canada Post's IT subsidiary, of a potential ransomware issue. Canada Post said that Commport Communications advised at that time that there was no evidence to suggest any customer data had been compromised.
In December 2020, the group behind the ransomware called “Lorenz” posted on its data leak site that they had breached Commport Communications during a ransomware attack.
Lorenz ransomware is a relatively new actor in the ransomware field. Like other ransomware, Lorenz encrypts victims’ files and demands a ransom from victims for the decryption tool that would unlock the encrypted files. Michael Gillespie of ID Ransomware told BleepingComputer that Lorenz and the older ransomware known as “ThunderCrypt” share the same encryptor. It isn’t clear whether Lorenz and ThunderCrypt are operated by the same group or whether the newer operation purchased the source code of the older ransomware to create its own variant.
Similar to other ransomware, Lorenz ransomware steals victims’ files. And similar to other ransomware groups, the group behind Lorenz ransomware maintains a website in which password-protected archives of stolen files are published.
According to BleepingComputer, the group behind Lorenz ransomware is different from other ransomware groups as this group first sells the stolen data to other threat actors or possible competitors. In case no one buys the stolen data and the victim refuses to pay, the group behind Lorenz ransomware releases the password for the password-protected data leak archive in order to make the stolen data available to anyone who downloads the files.
Another peculiar characteristic of the group behind Lorenz ransomware is that the group also sells access to the victim's internal network along with the data. Access to the victim's internal network, for some threat actors, is more valuable than the data.
“Like other human-operated ransomware attacks, Lorenz will breach a network and spread laterally to other devices until they gain access to Windows domain administrator credentials,” BleepingComputer said. “While spreading throughout the system, they will harvest unencrypted files from victims' servers, which they upload to remote servers under their control.”
Cybersecurity Best Practices
Many human-operated ransomware attacks gain initial access to their victims’ networks by brute-forcing RDP (Remote Desktop Protocol) – a network communications protocol developed by Microsoft that allows users to remotely connect to another computer.
RDP servers that accept a weak username and password combination, and that are exposed without multi-factor authentication (MFA), a virtual private network (VPN) or other protections, are easily accessed by attackers through a brute force attack: the trial-and-error method of guessing the correct username and password combination. Threat actors also use RDP for lateral movement. RDP does require credentials, but once an intruder holds a valid account, guessed at the perimeter or harvested from a compromised machine, RDP lets them log on to other hosts with a tool that is already present on every Windows system and whose traffic blends in with routine administration.
RDP servers can be protected from brute force attacks by using a strong username and password combination, MFA, and a VPN; better still, do not expose RDP to the internet at all, and place it behind a VPN or Remote Desktop Gateway with Network Level Authentication and an account lockout policy enabled. Attackers easily scan for internet-exposed RDP on the default port, TCP 3389. Changing the default RDP port reduces the noise from mass scanners that only probe 3389, but it does not hide the service: scanners that sweep all ports fingerprint the RDP handshake wherever it listens, so treat a non-default port as a nuisance measure, not a control. Whatever the port, failed logons against an exposed RDP server should be monitored and alerted on.
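The monitoring described above, as an added example that is not part of the original article and not code from Canada Post, Commport or Innovapost: it reads a few constructed Windows Security event records (Event ID 4625 for a failed logon, 4624 for a successful one, Logon Type 10 for an RDP RemoteInteractive session) and applies a sliding-window rule, flagging a source address once it produces a threshold number of RDP failures inside the window, and escalating if that same source then logs on successfully. The flattened `key=value` record format, the field names, the sample addresses and the thresholds are assumptions chosen for the example.

```python
"""Flag RDP password-guessing from Windows Security events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real telemetry. Each line carries the
# timestamp followed by the event fields a SIEM would export. Source
# 203.0.113.7 hammers the administrator account and finally gets in;
# 198.51.100.20 fails twice, far apart; 10.0.0.5 is a normal admin session.
SAMPLE_EVENTS = """\
2021-05-19T03:00:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-05-19T03:00:04Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-05-19T03:00:06Z EventID=4625 LogonType=3 IpAddress=198.51.100.20 TargetUserName=svc-backup
2021-05-19T03:00:09Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-05-19T03:00:12Z EventID=4624 LogonType=10 IpAddress=10.0.0.5 TargetUserName=jdoe
2021-05-19T03:00:15Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2021-05-19T03:00:18Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-05-19T03:00:21Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-05-19T03:00:40Z EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2021-05-19T03:05:00Z EventID=4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jdoe
2021-05-19T03:20:00Z EventID=4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jdoe
"""

FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive; other logon types are ignored here


def parse_event(line):
    """Turn one flattened record into a dict; 'ts' becomes an aware datetime."""
    stamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_rdp_brute_force(lines, threshold=5, window_seconds=120):
    """Return alert tuples (kind, source_ip, target_user, timestamp).

    A source is flagged once when it reaches `threshold` RDP failures within
    `window_seconds`; a later RDP success from a flagged source is escalated.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # source IP -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event["LogonType"] != RDP_LOGON_TYPE:
            continue
        ip, user, ts = event["IpAddress"], event["TargetUserName"], event["ts"]
        if event["EventID"] == FAILED_LOGON:
            queue = recent_failures[ip]
            queue.append(ts)
            while queue and ts - queue[0] > window:  # drop failures outside the window
                queue.popleft()
            if len(queue) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user, ts))
        elif event["EventID"] == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append(("success_after_brute_force", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_rdp_brute_force(SAMPLE_EVENTS.splitlines()):
        print(f"{ts.isoformat()} {kind} source={ip} target={user}")
```

Two caveats when pointing this at real logs. With Network Level Authentication enabled, a failed RDP logon is typically recorded as Event ID 4625 with Logon Type 3 rather than 10, so the filter has to be widened (for example to 4625 events whose process or service fields point at the terminal services stack) or the detection will miss exactly the hardened servers you care about. And a flat per-source threshold misses password spraying, where one source tries a handful of passwords across many accounts; a second counter keyed on distinct target users per source catches that pattern.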
In the blog post "Human-operated ransomware attacks: A preventable disaster," the Microsoft 365 Defender Threat Intelligence Team recommends practicing the principle of least privilege and maintaining credential hygiene. “Avoid the use of domain-wide, admin-level service accounts,” the team said. “Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.”
Steve E. Driz, I.S.P., ITCP