VEC Attack Tries to Steal $36 Million, Ferrari, Dole Hit with Ransomware Attacks
Ferrari says it has no plans to pay the ransom demand.
![Cloaked hacker](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blta01bbc7284c2ee29/65240048f091f027452b4682/3-Cloaked-Hacker.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Patrick Harr is CEO of SlashNext, the provider of anti-phishing and incident response (IR) services.
“In this case, the BEC has a URL that was easily identified as malicious given that the ending was .cam,” he said. “Therefore, a trained user should have been able to identify it as malicious. However, there are many times when a BEC email is sent from a trusted domain or a compromised vendor. That’s when you need protection that can identify malicious content from a trusted domain.”
Mike Parkin is senior technical engineer at Vulcan Cyber. He said social engineering attacks like the VEC attack, originating in email, have only been getting worse over the last few years.
“But there are technical methods that can help stop them already,” he said. “Some email security tools are quite good at identifying attacks in this family, and there are domain tools that will quickly flag suspect domains, like the newly registered domains in this attack, when they appear. Though it is hard to imagine that a multimillion-dollar transfer like that wouldn’t have a voice confirmation step, where one organization called their contact at the other to confirm the details.”
Mika Aalto is Hoxhunt's co-founder and CEO. He said the targeted wire fraud attack is particularly sneaky and sophisticated, but it is still basically just a page from the BEC playbook, and provides a textbook example of “preventable catastrophe.”
“From the public information available, there’s nothing new here, just a more effective variation of the type of highly targeted spear phish that robs more businesses of more money each year than any other,” he said. “I call it textbook-preventable because any person who, if compromised, can cause outsized damage should also receive outsized training to defend against such attacks. Always scrutinize the sender’s domain from an out-of-the-ordinary request to take an action. And always feel supported to call the executive supposedly making the request. There’s a culture element involved, as we see certain global offices of a company can be more vulnerable to BEC attack than others, sometimes due to the reluctance to question high authority. Installing simple best practices and processes, such as verifying financial and data requests via secure second channel, can save companies a tremendous amount.”
These attacks are likely to become more sophisticated as attackers adopt artificial intelligence (AI) technology like ChatGPT, Aalto said.
“We conducted an experiment that showed human social engineers are still better at crafting phishing emails, but that gap is closing as hackers improve at prompt engineering to more effectively use ChatGPT to create convincing phishing emails,” he said.
This week, Ferrari announced its wholly-owned Italian subsidiary, Ferrari S.p.A., was recently contacted by a threat actor with a ransom demand related to certain client contact details.
“Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm,” it said. “In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law. As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks. Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”
Dror Liwer is co-founder of Coro, an end-to-end cybersecurity platform for midmarket organizations and lean IT teams.
“While most organizations view customer data as an asset, when it’s stored in an unencrypted fashion, it’s actually a liability,” he said. “Beyond the obvious damage such a data leak represents, the reputational damage, especially for a premier brand, could be quite significant. Organizations facing extortion post-data leak face three kinds of damages: financial (direct, and indirect as a result of lawsuits, fines and loss of revenue), reputational and regulatory.”
Javvad Malik is lead awareness advocate at KnowBe4.
“Ransomware is a cyber pandemic that attacks all organizations regardless of size and vertical,” he said. “This is why it’s important that all organizations put the pedal to the metal when it comes to ensuring they have the right cybersecurity controls in place. When it comes to ransomware, most attacks are successful through phishing, taking advantage of poor credentials, or by exploiting unpatched vulnerabilities. So at a bare minimum, organizations should focus on these avenues of attack.”
Andrew Barratt is vice president of Coalfire. He said with a brand as prominent as the car that carries the Cavallino Rampante logo, it’s important to note that the value of the data stolen here is “incredibly high.”
“Ferrari customers are typically very high net-worth individuals, so this data breach is almost the platinum card of data sets compromised,” he said. “The individuals affected will need very specific support to ensure they’re not subjects of highly targeted cybercrime.”
Dole has confirmed threat actors behind a February ransomware attack accessed the information of an undisclosed number of employees. In addition, the company was forced to shut down product plants across North America.
Dole employs 38,000 people worldwide, providing fruits and vegetables to customers in more than 75 countries.
“In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorized access to employee information,” Dole said in its latest annual report filed this week with the U.S. Securities and Exchange Commission (SEC). “Upon detecting the attack, we promptly took steps to contain the attack, retained the services of leading third-party cybersecurity experts and notified law enforcement. The February 2023 attack had a limited impact on our operations.”
As cybersecurity attacks are becoming increasingly sophisticated and more frequent, Dole’s preventative measures and incident response efforts “may not be entirely effective,” it said.
“We have invested in security safeguards to reduce the risks to our networks, systems and data, but there is no assurance that our efforts will prevent cybersecurity attacks or disruptions,” it said. “While we have procedures to assess and manage relationships with third-party service providers, there is similarly no assurance that they will not be subject to a cybersecurity attack or disruption that has an impact on our networks, systems or data. Future cybersecurity attacks or disruptions to us, or our third-party service providers, could result in a material impact to our operations, systems or financial results.”
Avishai Avivi is SafeBreach's CISO. He said there are two interesting aspects to the Dole breach and subsequent action.
“First, although little information is provided about the actual breach, based on Dole’s action to shut down its system across North America, we can deduce that the breach had a lateral movement aspect,” he said. “This action would indicate either poor segmentation of Dole’s networks, or the attack hit a core service shared throughout the North American systems. Considering Dole’s organized response, I would lean toward the latter.”
Next is Dole’s response, Avivi said.
“Organizations must proactively prepare for when, not if, they are targeted by ransomware,” he said. “Companies like Dole that create a formal recovery and remediation plan, and test this plan are much more likely to recover from a ransomware attack without significant business impact.”
A recent vendor email compromise (VEC) attack tried to steal $36 million from a commercial real estate business.
Meanwhile, luxury car manufacturer Ferrari is investigating a cyberattack after a subsidiary received a ransom demand for customer contact information. And produce giant Dole has confirmed a ransomware attack involving unauthorized access to employee information.
It’s all in a day’s work for cybercriminals.
Abnormal Security observed the VEC attack seeking $36 million from the target. The enterprise was cc’d on an email containing an invoice for $36 million. The sender’s domain name, however, ended in .cam instead of .com. The full domain name looked like trusteddomain.cam. It’s almost impossible to notice for anyone but the most perceptive employee. The email included information about a payoff letter, and directed the reader to view the attached letter and payment instructions.
VEC Attack Impersonated Trusted Partner
The threat actor impersonated the senior vice president and general counsel from a trusted partner company with whom the enterprise has a long-term relationship. The attacker sent an invoice and wiring instructions with fraudulent payment details in an attempt to redirect a $36 million loan payment to themselves.
To further bolster their credibility, the attacker cc’d a second well-known real estate investment company on the email, again using a newly created domain that ended in .cam.
There was little reason for the enterprise to be immediately concerned about the validity of the wire transfer request. That’s because the enterprise involved in this attack works in commercial real estate where they often facilitate large-sum loans. In addition, the invoice appeared to be legitimate with legitimate recipients.
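The sender-domain check the experts describe (a trusted vendor name with its TLD swapped to .cam, on both the From and the Cc line) can be automated before an invoice reaches a payments clerk. The following is an added example, not code from Abnormal Security or the original article; the trusted vendor list, addresses and header fields are constructed for illustration.

```python
"""Flag sender domains that impersonate a trusted vendor domain (e.g. trusteddomain.cam
for trusteddomain.com). TRUSTED_VENDOR_DOMAINS and the sample headers are constructed."""

# Constructed: domains this business actually exchanges invoices and wire details with.
TRUSTED_VENDOR_DOMAINS = {"trusteddomain.com", "partnerreit.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats of a vendor domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract and normalize the domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS, max_distance: int = 1) -> dict:
    """Verdict is 'trusted' (exact match), 'lookalike' (near miss of a trusted domain) or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return {"verdict": "trusted", "domain": domain, "mimics": None}
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        # Same registrable name under a different TLD (.cam for .com) is the pattern in this attack.
        if name == good_name and tld != good_tld:
            return {"verdict": "lookalike", "domain": domain, "mimics": good}
        # Otherwise a near-identical string within max_distance edits (classic typo-squat).
        if edit_distance(domain, good) <= max_distance:
            return {"verdict": "lookalike", "domain": domain, "mimics": good}
    return {"verdict": "unknown", "domain": domain, "mimics": None}


def review_headers(headers: dict) -> list:
    """Check From and every Cc address: the attacker here cc'd a second impersonated company
    to build credibility, so a lookalike anywhere on the thread is a finding."""
    findings = []
    for field in ("From", "Cc"):
        for addr in headers.get(field, "").split(","):
            if addr.strip():
                result = classify_sender(addr)
                result["field"] = field
                findings.append(result)
    return findings
```

Any `lookalike` finding on an email carrying payment instructions is the trigger for the out-of-band voice confirmation the experts recommend, regardless of how legitimate the invoice itself looks.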
VEC Attack Most Dangerous Form of BEC
Mike Britton is Abnormal Security's CISO.
“VEC, the most dangerous type of business email compromise (BEC), is a uniquely dangerous cybersecurity threat that is continuing to grow in both frequency and severity,” he said. “In fact, two-thirds of all organizations are targeted by email attacks that use a compromised or impersonated third-party account each quarter. Unlike traditional BEC that impersonates an executive, a VEC attack occurs when a threat actor either gains control of a vendor email account or impersonates a trusted vendor in an attempt to execute an invoice scam or other financial fraud.”
These attacks are highly successful, Britton said. That’s because they exploit the trust and existing relationships between vendors and customers through personalization and social engineering.