REvil Brings Down JBS - the World’s Largest Meat Packer
Posted on Jun 16, 2021 | By Sumeetha Manikandan
REvil Ransomware uses six vulnerabilities to target their victims and if these had been remediated and patched on priority, JBS - the world’s largest meat packer could have escaped this attack.
CSW warned about these vulnerabilities in its Ransomware Spotlight Report published in February 2021.
On May 30, 2021, JBS, the world’s largest meat producer, fell victim to a REvil Ransomware attack forcing them to shut down their operations, not just in the US, but also in Canada and Australia. This disruption to the food and meat industry halted cattle slaughter and resulted in increased meat prices during the Memorial Day weekend in the US. It also stopped beef production in Canada and Australia and it took around a week for them to restore operations.
Sources indicate that an APT group named Pinchy Spider (from Russia) might be behind this attack.
We know that attackers are going after critical sectors such as food, manufacturing, energy, oil & gas to create maximum disruption and collect millions of dollars as ransom. Colonial Pipeline paid over $5 Million to its attackers to restore gasoline supply. CNA Financial paid a whopping $40 Million - one of the largest ransomware payments till date. The FBI recovered $ 2.3 Million - about half of the ransom paid by Colonial Pipeline - after gaining access to the bitcoin account where the money was deposited. Most recently, JBS paid an $11 Million ransom to the attackers to protect its customers and to resume operations.
Most ransomware gangs like REvil are going after organizations whose supply chain, if affected, can cause widespread panic and chaos.
REvil has so far attacked the Telecom website of Sri Lanka, Fujifilm in Japan, and Sol Oriens, a nuclear weapons subcontractor to the US Department of Energy, just in the month of May 2021, and it will continue to go after critical entities that wouldn’t hesitate to pay the ransom. The latest in the spate of attacks by REvil is a cyberattack on Invenergy, a renewable energy company based in the US, and on Grupo Fleury, the largest medical diagnostics company in Brazil. A $5 Million ransom has been supposedly demanded in the latter.
CSW analysts delved deep into the vulnerabilities they go after and provide actionable insights that would help organizations stay safe from these types of attacks.
All about REvil
REvil ransomware gangs typically target six vulnerabilities and incidentally, all of them featured in CSW’s Ransomware report published in February 2021.
REvil Cheat Sheet
Here are a few quick facts about these vulnerabilities -
REvil typically targets its victims through Software Vulnerabilities, Remote Desktop Protocol (RDP) Sessions and Phishing.
Out of the six vulnerabilities in the list, five are Remote Code Execution (RCE), and the sixth CVE-2018-8453 enables Privilege Escalation (PE).
CVE-2019-19781 - a Citrix vulnerability - is a favorite of ransomware gangs and is exploited the most. To date, this vulnerability is found associated with at least ten ransomware families apart from REvil.
An excerpt from CSW’s Cyber Risk in Remote Desktop report published in June 2020
- CVE-2019-11510 - a Pulse Secure vulnerability - is yet another favorite of ransomware gangs as it creates a pivot through the VPN endpoint, allowing for easy access to internal systems. This vulnerability is associated with five ransomware families.
An excerpt from Cyber Risk in VPNs published in May 2020
Our analysts have found that all six vulnerabilities have been trending in the past few months in hacker channels and the dark web.
The REvil ransomware is associated with Russian APT Group named Pinchy Spider and an uncategorized group called UNC2628.
Sectors and industries that REvil typically targets includes - Manufacturing, Telecommunications, Information Technology , Law, Computer Hardware, Tourism, Pharmaceuticals And Biotechnology, Banking, Insurance, Agriculture, Construction, Education, Healthcare, Media And Entertainment, Finance, Food And Beverage, Hospitals and Ecommerce.
CWEs that enabled these vulnerabilities are CWE-404, CWE-22, CWE-74, CWE-399 and CWE-119.
IOCs & MITRE ATT&CK
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1054 - Indicator Blocking
T1059 - Command and Scripting Interpreter
T1076 - Remote Desktop Protocol
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1193 - Spearphishing Attachment
T1195 - Supply Chain Compromise
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
Global Exposure Analysis
The exposure for CVE-2012-0507 outnumbers the other two CVEs with over 600,000 products with the vulnerability being used around the world.
|CVE-2019-11510 (Pulse secure Vulnerability)|
|CVE-2019-19781 (Citrix Vulnerability)|
|CVE-2012-0507 (SUN & Oracle)|
The Way Forward
Our research shows that there has been a 17% increase in the number of vulnerabilities associated with Ransomware and a 6.5% increase in the number of trending exploits. To date, 260 vulnerabilities have been associated with ransomware.
With Ransomware going after critical sectors and industries, organizations and governments should adopt a risk-based approach to prioritize vulnerabilities based on weaponization and threat associations.
CSW’s in-depth research has helped many organizations become resilient against ransomware. Our recommendation to organizations is to get a Ransomware Assessment to know the gaps, understand the exposure to ransomware and become resilient to it.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!