espite the San Francisco 49ers not making it to the big game this year, they still made Superbowl headlines. On Sunday, February 13th, the 49ers front office confirmed that they were the latest victim of a Blackbyte Ransomware Attack.
While not confirmed by the football club until February 13th, the cyber-attack reportedly took place one day prior based on BlackByte’s online postings. On February 12th, BlackByte took to underground (Darknet) Ransomware Forums claiming to have stolen financial data from the team’s servers. The group posted what appeared to be approximately 300 MB of team documents from a folder called ‘2020 Invoices’.
Author: Greg Tomchick, Managing Partner, CCISO & Jeff White, Chief Security Officer, CMMC-RP
Ransomware groups, like BlackByte, typically post some evidence of the successful compromise. It should be noted however, that this advertised data may not represent the true extent of the attack, in terms of the amount of data theft.
Since the incident, neither the 49ers nor the perpetrators have made any public mention of a ransom payment. Following the attack, the 49ers did disclose that they incurred a temporary disruption to parts of their network, however mentioned that the threat actors failed to impact stadium, ticket operations, and ticket holder information.
Some security experts believe that the attack was a means for BlackByte to attain mainstream credibility, pulling off an attack to make headline news.
The 49ers have yet to release an updated statement regarding the full impact of the Ransomware. The incident remains under investigation by external support parties and law enforcement. We will update this article as we learn more.
Blackbyte Analysis and Potential Motivators
This attack came to surface just two days after the FBI and U.S. Secret Service issued a joint cyber advisory on the BlackByte Ransomware Group. Law enforcement sources alerted that BlackByte had “compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors” since November 2021.
Ransomware gangs have continued to cause widespread havoc to a variety of businesses over the last year. High-profile attacks ranging from the world’s largest meat-packing company to the biggest U.S. fuel pipeline, have led to significant financial impacts, supply chain and operational disruptions. Despite Western Governments pledging to crack down on cyber criminals, their efforts have yet to fully disrupt the activities of Ransomware actors.
Like similar Ransomware Gangs, Blackbyte operates under a subscription model known as ‘Ransomware as a Service’ (RaaS). RaaS allows affiliates to enter into an agreement with ransomware operators to use their prebuilt tools and platforms to launch attacks against targets, typically in return for a profit share of the ransom. The presence of Blackbyte first became known in approximately July of 2021. The group typically operates in a ‘Double Extortion’ fashion where compromised data is encrypted, and unless a defined ransom is paid (typically in a form of cryptocurrency), the organization’s data is offered to the highest bidder. Ransom notes are left by the threat actor, in the encrypted directory, identifying what necessary steps must be taken to unencrypt the businesses data. Interestingly enough, Blackbyte and other notable ransomware groups offer email support and calling hotlines to support and expedite their victim’s payment. Blackbyte’s typical attack methodology is to exploit vulnerabilities in Microsoft Exchange known as ‘ProxyShells’.
For technical reference, the three vulnerabilities successfully used by Blackbyte to gain internal access, have been listed below along with their assigned ‘CVE’ (Common Vulnerabilities and Exposures) number. Links to patch information has been provided for each vulnerability with accompanying ‘KB’ (Knowledge Base) number.
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (KB5001779)
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (KB5003435)
Steps to protect your business
To minimize your business’s exposure to Ransomware Attacks, general security guidance has been provided below:
- Patch Management: Keep systems and applications patched with the latest security updates, with a prioritized focus on those critical to business operations.
- Critical Data System Protection: Restrict sensitive organizational data to specific servers/systems, with enhanced security controls/monitoring around these systems. Ensure that these systems are remotely accessible. When possible, restrict local system downloads of any sensitive organizational information. For example, users are able to download employee rosters to their local machines from Microsoft 365.
- Network Segmentation: Create separate communication networks for internal and external devices (to include any guest devices). This practice is commonly referred to as ‘network segmentation’. Ensure that critical data systems and those systems accessing them are assigned to a specified network segment(s). Closely restrict access and monitor activities on these systems.
- Access Control: Enforce the principle of least privilege security, by providing all users the least amount of access to systems/applications necessary to perform their job duties. Ensure Multi-Factor (MFA) authentication is turned on for all applications. In alignment with best practice, remove any local administrative accounts, where applicable.
- Protection of Virtual Machines: In alignment with security best practice, do not expose any corporate virtual machine (such as Citrix), directly to the internet.
- Perform Regular Back-ups: Ensure regular data backups are performed, with a prioritized focus on critical data systems/applications. Backups should be tested, once a month to ensure backups operate as intended. the backup plan is in place and tested periodically.
- Establish Backup and Recovery Plan: Document procedures to execute backup/recovery efforts, and any lessons learned from previous backup test exercises. Ensure that all key stakeholders (internal and external) involved in backup activities are identified along with corresponding roles/responsibilities and contact information.
- User Awareness Training: Establish a formalized cybersecurity education and awareness program. Provide all users with training modules to educate them on what cyber threats may look like, and steps they can take to protect your organization. Continue to engage in discussions with team members, on why cybersecurity is important for the growth and success of everyone.
- Phishing Exercises: In concert with formal training modules, users should be tested on lessons learned through phishing simulation exercises. This will allow the organization to have a better understanding of the effectiveness of training content, and to further prevent malicious activities from occurring. It is important to note that any follow-up training from these exercises, should be non-punitive when possible. This will enable the organization to continue to have security advocates now and into the future.
The Valor Team looks forward to providing additional updates on this incident. We look forward to helping you and your organization avoid being a victim of cybercrime. Stay tuned!
For other tips and tricks in staying cyber informed, please visit our additional Valor Insights at Insights – Valor Cybersecurity