It is foreseeable that the SolarWinds hack will dominate headlines sometime. As more information emerges, headlines will follow. One trap that the public should not fall into is to assume other hackers take a break while the limelight is not on them. Ransomware gangs are a case in point, they will still operate even though they are not in the headlines, at least briefly. The gang behind Nefilim has managed to steal a headline or two by adding another large organization to their victim list. The victim this time is home appliance giant Whirlpool.
The manufacturer is one of the world's largest home application makers with appliances under its name and KitchenAid, Maytag, Brastemp, Consul, Hotpoint, Indesit, and Bauknecht. Whirlpool employs 77,000 people at 59 manufacturing and technology research centers worldwide and generated approximately 20 billion USD in revenue for 2019. Over the weekend the gang published data that had supposedly been stolen for Whirlpool on the gang's “leak site”.
The leaked data included documents related to employee benefits, accommodation requests, medical information requests, background checks, and more. In an article published by Bleeping Computer told the publication that Whirlpool suffered the ransomware attack in early December. Whirlpool has since confirmed the attack but has stated that they have recovered from the attack. The company stated in an email to the publication,
“We live in a time when Illegal cyber crimes are all too prevalent across every industry. Data privacy is a top priority at Whirlpool Corporation and we invest in the technology and processes to help protect our people, our data and our operations. Last month Whirlpool Corporation discovered ransomware in our environment. The malware was detected and contained quickly. We are unaware of any consumer information that was exposed. There is no operational impact at this time,”
The attack by Nefilim may prove to be the gang ramping up operations as the gang has not been active for some months. While not incredibly active for some time, they have already notched up an impressive list of victims.
One of the biggest attacks to date was against the Toll Group. The logistics company had just suffered a ransomware attack when it fell victim to an attack conducted by those behind Nefilim. In a statement at the time the company announced that,
“Toll took the precautionary step yesterday of shutting down certain IT systems after we detected unusual activity on some of our servers. As a result of investigations undertaken so far, we can confirm that this activity is the result of a ransomware attack. Working with IT security experts, we have identified the variant to be a relatively new form of ransomware known as Nefilim. This is unrelated to the ransomware incident we experienced earlier this year. Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network. We are in regular contact with the Australian Cyber Security Centre (ACSC) on the progress of the incident.”
An Incomplete Picture
Other victims of the gang include Orange S.A., Dussman Group, and Luxottica. Of the victims, the public knows little information as to how the ransomware is distributed, its infection chain, and encryption protocols are hard to come by. In June 2020, security firm Trend Micro published details about the ransomware that was previously unknown to the general public. The research was published just as the double extortion tactic was becoming popular amongst ransomware gangs and covers how the gang has successfully adopted the tactic. The tactic involves not only the encryption of data, often resulting in organizations having to shut down systems and suffer increased periods of downtime, but victims will have data leaked if the ransom is not paid.
The June research built on research the security firm had published in March shortly after the ransomware was discovered. Even at this point, the gang was proved to be capable of stealing data before the ransomware began its encryption routine. By June, these tactics seemed to have been refined somewhat. Summarizing the initial infection chain researchers noted,
“…the ransomware was deployed over a few weeks after the attackers first infiltrated the system, which means that the security has long been breached before exhibiting more apparent signs (such as data encryption) that the system has been compromised. The threat actors use a Citrix vulnerability as the point of entry, as discussed in our report, or an RDP vulnerability, as first observed upon the ransomware’s discovery. The attackers then used a local exploit to escalate privilege. They then utilized the Mimikatz tool to harvest credentials, and the AdFind tool to explore Active Directory. As we earlier suspected, they also deployed the CobaltStrike tool on the control environment. They then used a port scanner to scan open ports and available services on the network.”
The attacker then spread laterally across the network as is typical of modern ransomware attacks. Data that was shared across the network would then be copied, compressed, then exfiltrated to servers under the attacker’s control. Once exfiltration is complete, the attacker is free to execute the ransomware’s main function of encryption and dropping the ransom note. In cases seen conducted by other ransomware gangs, the encryption of data is typically done over the weekend or after business hours.
Picus Security wrote a comprehensive guide on how to defend against Nefilim attacks. The guide should be considered a must-read for anyone tasked with defending a large corporate network. Like with other human-operated ransomware gangs it is not an impossible task as more often than not those tasked with compromising the network will rely on known vulnerabilities or phishing tactics to initially compromise the victim’s network. This means that the education of staff and ensuring all software packages are up to date is vital.