[Security Weekly] Worldwide Shipping Giant Shuts Down Service After Ransomware Attack

1st Week of February 2020


1. Australian shipping firm Toll Group shuts down service after ransomware attack


Over the past week, Australian transportation and logistics company Toll Group has paused many of its delivery services as a result of a ransomware attack.

A subsidiary of Japan Post Holdings, Toll Group is a global giant that operates in a network of more than 50 countries spanning five continents, offering a variety of transportation and logistics services to businesses and consumers.

Among Toll's operational areas, its delivery services appear to have been hit hardest. The attack began last Friday, and Toll responded by immediately shutting down many delivery operations across Australia and Southeast Asia. On Tuesday the company announced that it was disabling further systems to keep the attack from spreading, and it notified many of its customers that shipments may be delayed indefinitely. Customers are currently unable to send, receive, or track their shipments.

According to IT News Australia, a source said that more than 1,000 servers were affected and that all staff worldwide were told to turn off their computers and disconnect them from the company's network.

Toll has further announced that it is working with cybersecurity experts around the globe to resolve the incident. It is slowly resuming service with a combination of automated and manual processes as a temporary measure.

Sources: Threatpost, IT News Australia, ZDNet, Information Age


2. Tens of millions of Cisco’s workplace devices at risk due to critical vulnerabilities


On Wednesday, researchers at IoT security firm Armis disclosed five critical vulnerabilities in Cisco's implementations of the Cisco Discovery Protocol (CDP), collectively named CDPwn. Four of the five allow remote code execution on the affected device and the fifth is a denial-of-service flaw.

CDP is a data link layer [1] protocol developed by Cisco in 1994 and used in the vast majority of its products. It lets directly connected Cisco devices tell each other who they are (device name, port, platform and software version, among other details) on the local network segment. CDP frames carry no IP header and are never routed, so they do not travel over the Internet.

According to Armis's report, CDP is implemented in almost all Cisco products, including routers, switches, IP phones, IP cameras, and firewalls. Because CDP is not routed, the affected devices are not directly reachable from the Internet. However, an attacker who has already gained a foothold on the local network can send crafted CDP packets to these devices, take them over, and reach the sensitive data they handle. Worse, once routers and switches are compromised, the attacker can dismantle network segmentation and move laterally through the internal network, putting the entire IT environment at risk. [This is why every layer of the web must be protected separately. Learn more at WAPPLES.]

According to ZDNet, Armis privately reported the flaws to Cisco months ago, giving Cisco time to develop patches for CDPwn before the public disclosure.

Patches for all five vulnerabilities are now available, and businesses are advised to apply them immediately. Where CDP is not needed on an interface, for example on ports facing user workstations or untrusted segments, disabling it on that interface removes the exposure there regardless of patch status.

Sources: Armis, ZDNet, Wired

[1] The data link layer is the protocol layer that transfers data between adjacent nodes in a wide area network (WAN), or between nodes on the same local area network (LAN). Unlike the network layer above it, it has no addressing that reaches beyond that single link or segment.
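To make the "link-local only" point concrete, here is an added example (written for this page; it is not code from Armis, Cisco, or the newsletter) that parses a CDP advertisement straight from a raw frame. It shows the layout a listener on the segment sees: an 802.3 length-field frame addressed to the Cisco multicast MAC 01:00:0c:cc:cc:cc, an LLC/SNAP header carrying the Cisco OUI and the CDP protocol ID 0x2000, then a version byte, a TTL byte, a checksum, and a run of type-length-value records with the device name, port, platform and software version. There is no IP header, which is why a router never forwards it and only neighbours on the same segment can read or spoof it. The sample frame, the switch name and the version string in it are constructed; the checksum field is parsed but not verified.

```python
"""Parse a Cisco Discovery Protocol (CDP) advertisement from a raw 802.3 frame.

Added illustration, not Cisco's or Armis's code. The frame below is constructed;
the device name, port and version string in it are made up.
"""
import struct
from typing import Dict, List

# CDP is sent to this well-known Cisco multicast MAC inside an 802.3 (length-field)
# frame with an LLC/SNAP header. There is no IP header, so routers never forward it:
# only devices on the same segment ever see the advertisement.
CDP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")
CDP_SNAP_HEADER = (bytes.fromhex("aaaa03")   # LLC: DSAP 0xAA, SSAP 0xAA, control 0x03
                   + bytes.fromhex("00000c")  # SNAP OUI: Cisco
                   + bytes.fromhex("2000"))   # SNAP protocol ID: CDP

TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform"}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV = 2-byte type, 2-byte length (which counts the 4-byte header too), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes, tlvs: List[bytes]) -> bytes:
    """Assemble an 802.3 frame carrying a CDPv2 advertisement (checksum left as 0)."""
    cdp = struct.pack("!BBH", 2, 180, 0) + b"".join(tlvs)  # version 2, TTL 180 s, checksum
    llc = CDP_SNAP_HEADER + cdp
    return CDP_MULTICAST_MAC + src_mac + struct.pack("!H", len(llc)) + llc


def parse_cdp_frame(frame: bytes) -> Dict[str, object]:
    """Return version, TTL, source MAC and TLVs; raise ValueError on anything malformed."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if dst != CDP_MULTICAST_MAC:
        raise ValueError("destination is not the CDP multicast address")
    if length > 1500:
        raise ValueError("EtherType frame, not 802.3 length-field framing")
    body = frame[14:14 + length]
    if len(body) != length:
        raise ValueError("frame shorter than its declared length")
    if not body.startswith(CDP_SNAP_HEADER):
        raise ValueError("LLC/SNAP header is not CDP")
    cdp = body[len(CDP_SNAP_HEADER):]
    if len(cdp) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", cdp[:4])  # checksum not verified here
    tlvs: Dict[str, bytes] = {}
    offset = 4
    while offset < len(cdp):
        if offset + 4 > len(cdp):
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", cdp[offset:offset + 4])
        # The length is sender-controlled: it must cover its own header and stay inside
        # the packet, otherwise a naive parser reads out of bounds or loops forever (len 0).
        if tlv_len < 4 or offset + tlv_len > len(cdp):
            raise ValueError(f"bad TLV length {tlv_len} at offset {offset}")
        tlvs[TLV_NAMES.get(tlv_type, f"type 0x{tlv_type:04x}")] = cdp[offset + 4:offset + tlv_len]
        offset += tlv_len
    return {"version": version, "ttl": ttl, "source_mac": src.hex(":"), "tlvs": tlvs}


# Constructed sample: a fictitious switch advertising itself on one of its ports.
SAMPLE_FRAME = build_cdp_frame(
    bytes.fromhex("001122334455"),
    [build_tlv(0x0001, b"sw-lab-01"),
     build_tlv(0x0003, b"GigabitEthernet1/0/7"),
     build_tlv(0x0006, b"cisco EXAMPLE-SWITCH"),
     build_tlv(0x0005, b"Example IOS, Version 15.2(7)E (constructed)")])


def corrupt_tlv_length(frame: bytes, tlv_offset_in_cdp: int, new_len: int) -> bytes:
    """Overwrite the length field of the TLV that starts at the given CDP offset."""
    start = 14 + len(CDP_SNAP_HEADER) + tlv_offset_in_cdp + 2
    return frame[:start] + struct.pack("!H", new_len) + frame[start + 2:]


def rejected(frame: bytes) -> bool:
    """True if the parser refuses the frame instead of reading past its bounds."""
    try:
        parse_cdp_frame(frame)
    except ValueError:
        return True
    return False


def neighbor_summary(frame: bytes = SAMPLE_FRAME) -> Dict[str, str]:
    """What a passive listener on the segment learns from a single advertisement."""
    parsed = parse_cdp_frame(frame)
    return {name: value.decode("ascii", "replace") for name, value in parsed["tlvs"].items()}


if __name__ == "__main__":
    print(neighbor_summary())
    print("zero-length TLV rejected:", rejected(corrupt_tlv_length(SAMPLE_FRAME, 4, 0)))
```

The TLV bounds checks are the part worth copying: every length in the frame comes from whoever is on the wire, and the first TLV begins at CDP offset 4, so `corrupt_tlv_length(SAMPLE_FRAME, 4, 0)` or an oversized value is the kind of input any receiver of link-local frames has to reject rather than trust.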


3. 1.2 million passengers affected by security breach at Indian airline


SpiceJet, a low-cost carrier and the second-largest airline in India, has suffered a data breach that exposed the personal information of 1.2 million passengers.

According to TechCrunch, a security researcher approached the outlet and claimed responsibility, saying they had gained access to one of SpiceJet's systems through a brute-force attack [2] against an easily guessed password. The system held an unencrypted database containing the personal information of more than 1.2 million passengers, along with a full month of flight information. Each record included the passenger's name, phone number, email address, and date of birth; some of the passengers were state officials.

The researcher described the activity as "ethical hacking", since the stated aim was to alert SpiceJet to the weakness. The airline initially did not respond to the researcher's report, so the researcher turned to CERT-In, the Indian government's computer emergency response team, to notify it of the situation.

Only after CERT-In intervened did the airline respond officially, acknowledging the incident and stating that it takes passengers' privacy seriously, without giving any detail on how it would improve its security.

Source: TechCrunch

[2] A brute-force attack is one in which an attacker submits many username and password combinations in the hope of guessing a valid one. It succeeds quickly against short or common passwords, and is countered by strong passwords, rate limiting or account lockout after repeated failures, and multi-factor authentication.
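Guessing attacks like the one described above leave a distinctive trace in authentication logs: a burst of failures from one source, often across several usernames, sometimes followed by a success. As an added example (not part of the original item, and not SpiceJet's or TechCrunch's code), the following detection logic runs over a handful of constructed log lines and flags any source that crosses a failure threshold inside a sliding time window. The log format, the usernames and the addresses are all made up; the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Flag brute-force login attempts in authentication logs.

Added illustration; the log format and every entry below are constructed, and the
addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$")

SAMPLE_LOG = """\
2020-02-03T09:00:01 auth FAIL user=admin src=203.0.113.9
2020-02-03T09:00:03 auth FAIL user=admin src=203.0.113.9
2020-02-03T09:00:04 auth FAIL user=ops src=203.0.113.9
2020-02-03T09:00:06 auth FAIL user=admin src=203.0.113.9
2020-02-03T09:00:07 auth FAIL user=root src=203.0.113.9
2020-02-03T09:00:09 auth OK user=admin src=203.0.113.9
2020-02-03T09:01:00 auth FAIL user=jsmith src=198.51.100.4
2020-02-03T09:01:20 auth OK user=jsmith src=198.51.100.4
2020-02-03T09:20:00 auth FAIL user=admin src=203.0.113.9
""".splitlines()


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return {source_ip: alert} for sources with >= threshold failures inside a sliding window.

    Each alert records when the threshold was crossed, how many distinct usernames the
    source had tried by then (many users from one address points to password spraying
    rather than one forgotten password), and whether a login later succeeded while the
    burst of failures was still inside the window. That last case is a probable account
    compromise and needs incident response, not just a lockout.
    """
    failures: Dict[str, deque] = defaultdict(deque)  # ip -> timestamps of recent failures
    users: Dict[str, set] = defaultdict(set)          # ip -> usernames attempted
    alerts: Dict[str, dict] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # constructed format only; skip other lines
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        recent = failures[ip]
        while recent and ts - recent[0] > window:     # drop failures older than the window
            recent.popleft()
        if m["result"] == "FAIL":
            recent.append(ts)
            users[ip].add(m["user"])
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": ts,
                              "distinct_users": len(users[ip]),
                              "success_after_alert": False}
        elif ip in alerts and recent:                 # success while the burst is still live
            alerts[ip]["success_after_alert"] = True
    return alerts


def run_sample() -> Dict[str, dict]:
    """Run the detector over the constructed log above."""
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, alert in run_sample().items():
        print(ip, alert)
```

On the sample, 203.0.113.9 is flagged at its fifth failure (09:00:07) after trying three usernames, and the successful login two seconds later is recorded as `success_after_alert`, while 198.51.100.4, a user who mistyped once and then logged in, is never flagged. The isolated failure at 09:20 falls outside the five-minute window and starts a fresh count. The threshold and window are tunable; the sliding window per source is what keeps a slow, patient guesser from hiding below a fixed per-minute rate.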


4. One after another, defense contractors worldwide disclose cyberattacks


Japan: On Thursday, Japanese geospatial provider Pasco Corporation and steel manufacturer Kobe Steel, both contractors to Japan's Ministry of Defense, disclosed breaches that occurred between 2015 and 2018. Both companies said malware infections had led to unauthorized access to their internal networks (Bleeping Computer).

Pasco said no information was leaked in its incident. The intrusions at Kobe Steel, however, reportedly compromised about 250 files containing information on defense contracts as well as personal data (Nikkei).

In late January, two other defense contractors, Mitsubishi Electric and NEC, had likewise confirmed breaches, which occurred in 2019 and 2016 respectively.

Canada: A more recent incident was disclosed by Canadian military contractor Bird Construction. According to Infosecurity, the Maze ransomware group hit Bird in December 2019 and stole 60 GB of data, including information on 48 contracts with Canada's Department of National Defence dating from 2006 to 2015 and worth a total of $406 million. The group published a portion of the data, containing personal information of company employees, to pressure the company into paying the ransom.

United States: A similar case came to light in the U.S. in late January, when Department of Defense contractor Electronic Warfare Associates (EWA) was infected with the Ryuk ransomware. Files on the company's web servers were encrypted, taking down several of its websites, including those of its subsidiaries (ZDNet).

Sources: Help Net Security, ZDNet, Infosecurity