Threat Watch

Australian Shipping Company Toll Suffers Second Cyber-Attack in Three Months

Nefilim: The Australian logistics firm Toll has been hit with its second cyber-attack in three months, this time by the threat actors behind the Nefilim ransomware. Early this morning, Toll announced that they suffered the attack last week. Toll shut down their corporate networks as soon as they detected the presence of ransomware on their computer systems. According to a company spokesman, the ransomware used in the attack was Nefilim. However, as of this morning, there was no announcement on Nefilim’s site about the attack on Toll. The spokesman from Toll did confirm that at least one corporate server was affected by the attack and that the server housed information on past and present employees, as well as details of commercial agreements with current and former enterprise customers. Toll acknowledged that the investigation so far indicates that attackers stole data from that server before encrypting files, which means the attackers may threaten to release private records about employees or other sensitive information to the public in the future.

ANALYST NOTES

Toll had to shut down servers in early February because of a different unspecified “cyber incident.” It is unknown at this time whether the two incidents are related or not. Given that Toll has been so open and public about this current incident and that they are not engaging with Nefilim’s ransom demands, it is possible that Nefilim will not wait much longer before posting any stolen data to their “Corporate Leaks” site. When dealing with ransomware attacks two of the most important aspects are the speed with which the victim is able to shut down and segregate affected devices to keep it from spreading across the network, and the infrastructure in place for recovery. Endpoint Detection and Response (EDR) is the most important tool for detecting attacks quickly and responding effectively to isolate infected computers, but it only provides value if a security operations center is monitoring alerts 24 hours a day, every day to respond at the first signs of attack. When putting backups in place for recovery it is important not only to make backups at regular intervals but also to utilize the 3-2-1 rule. Have at least three copies of your data, store the copies on at least two different devices, and keep at least one copy offsite. More information on this incident can be found at https://www.fullyloaded.com.au/industry-news/2005/toll-concedes-company-data-stolen-in-cyber-attack