A Montreal-area defence supplier is one of the latest Canadian firms to be hit by ransomware, the second military-related North American company the AlphV/BlackCat gang has struck in recent days.
On October 1st, the AlphV/BlackCat gang listed Simex Defence Inc. of Pointe-Claire, Que., as one of its victims on its data breach leak site.
In a telephone interview Monday, Fares Hamade, Simex’s director of marketing and business development, wouldn’t say if documents were copied in the attack. However, he did say that any ransomware malware is now gone. “We mitigated it. There is no risk. We haven’t paid a ransom.”
Asked how the incident affected the company’s operations, he said, “We mitigated it. There is no ransomware anymore in our system now. And we are putting more stricter policies in place, obviously, to prevent this happening again. And we reported it as well to the police.”
News of the attack comes after Cybernews reported that Virginia-based NJVC, a provider of IT and software services to civilian U.S. government agencies and the Department of Defense, was listed on the AlphV/BlackCat victim list.
Simex, which calls itself “Canada’s #1 trusted defence and military contractor” on its website, was formed 28 years ago. Its website says it is a supplier to the Canadian Forces, the RCMP, NATO, and the Canadian Coast Guard, as well as the manufacturing and energy sectors.
Simex distributes secure digital communications equipment, parts for Canadian air force planes, light ammunition, and portable water purification systems and more.
In 2018 the company said it hit record sales of $36 million.
The gang behind the breach
The AlphV/BlackCat gang offers a ransomware-as-a-service operation in which affiliates often do the hacking of victim organizations and then deploy the ransomware. In an April background paper on the group, the FBI estimated it had compromised at least 60 organizations worldwide.
A common tactic, according to the FBI, is leveraging previously compromised user credentials to gain initial access to the victim system. After that, attackers try to compromise Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.
In a July backgrounder on the gang, researchers at Sophos emphasized that falling to the gang isn’t just bad luck. Post-incident investigations show the gang or affiliates often exploit vulnerabilities in unpatched or outdated firewall/VPN devices.
In four of the five incidents Sophos investigated, the vulnerabilities allowed the attackers to get VPN credentials from memory on firewall devices, which they could then use to log in to the VPN as if they were an authorized user. None of the targets used multifactor authentication for these VPNs, Sophos said. The one outlier appears to have been a spearphishing attack that revealed an internal user’s VPN login credentials to the attackers.
Once inside the network, Sophos said, the attackers predominantly used Windows’ RDP (remote desktop protocol) to move laterally between computers, conducting brute-force attacks over the VPN connection against the administrator account on machines inside the network.
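The RDP brute-force pattern Sophos describes is detectable from Windows Security logs: a burst of failed logons (event 4625, logon type 10 for RDP) against one host from a VPN client address, followed by a success (4624). The detector below is an added example for this article, not code from Sophos or any vendor; the VPN address pool, the simplified event field names and the sample events are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN client pool (constructed)

# Constructed events in the shape of Windows Security records:
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"t": 0,   "id": 4625, "user": "Administrator", "src": "10.8.0.23", "host": "FS01", "type": 10},
    {"t": 12,  "id": 4625, "user": "Administrator", "src": "10.8.0.23", "host": "FS01", "type": 10},
    {"t": 20,  "id": 4625, "user": "Administrator", "src": "10.8.0.23", "host": "FS01", "type": 10},
    {"t": 31,  "id": 4625, "user": "Administrator", "src": "10.8.0.23", "host": "FS01", "type": 10},
    {"t": 45,  "id": 4625, "user": "Administrator", "src": "10.8.0.23", "host": "FS01", "type": 10},
    {"t": 58,  "id": 4624, "user": "Administrator", "src": "10.8.0.23", "host": "FS01", "type": 10},
    {"t": 70,  "id": 4625, "user": "jsmith", "src": "10.8.0.41", "host": "WS07", "type": 10},
    {"t": 900, "id": 4625, "user": "jsmith", "src": "10.8.0.41", "host": "WS07", "type": 10},
    {"t": 100, "id": 4625, "user": "Administrator", "src": "192.168.5.9", "host": "FS01", "type": 3},
]

def detect_rdp_bruteforce(events, threshold=5, window=300):
    """Flag (src, host) pairs with >= threshold failed RDP logons from the VPN pool
    inside a `window`-second span, noting whether a success followed the burst."""
    failures = defaultdict(list)   # (src, host) -> timestamps of 4625 events
    successes = defaultdict(list)  # (src, host) -> timestamps of 4624 events
    for e in events:
        # Only RDP logons sourced from the VPN pool are in scope for this rule.
        if e["type"] != 10 or ipaddress.ip_address(e["src"]) not in VPN_POOL:
            continue
        key = (e["src"], e["host"])
        if e["id"] == 4625:
            failures[key].append(e["t"])
        elif e["id"] == 4624:
            successes[key].append(e["t"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # Sliding window: count failures in [times[i], times[i] + window].
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                success_after = any(s >= burst_end for s in successes.get(key, []))
                alerts.append({"src": key[0], "host": key[1], "failures": j - i,
                               "success_after_burst": success_after})
                break  # one alert per (src, host) is enough for triage
    return alerts
```

A success right after a burst is the highest-priority case: it is the point at which the attacker has a working administrator session on an internal machine.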
Another problem: The networks at each of the five organizations Sophos studied were flat, with every machine able to see every other machine in the network – something that made it extremely easy for the attackers to scan for and identify targets of greatest value. Segregating portions of the network from one another using VLANs would have helped.