Threat Watch

Maze Ransomware Strikes VT San Antonio Aerospace

VT San Antonio recently learned that at least 1.5 terabytes of data had been stolen from it in a breach discovered on June 5th. The cybersecurity firm CYFIRMA said the breach may have started as early as March. The campaign involved Maze ransomware, and the actors were able to access information including contract details with foreign countries, NASA, and American Airlines, as well as project implementation plans, equipment/parts information, schedules and timelines, and some financial records. Based on initial investigations, it was suspected that ST Engineering did not pay the ransom, and some of the information was therefore made available on a public website operated by the group behind Maze. The company did, however, take action by disconnecting certain services from the network, employing a cyber forensics team, and notifying law enforcement contacts. The company also stated that it has begun notifying parties that may have been involved.

ANALYST NOTES

Attackers work to keep their intrusions from being detected while they search for sensitive information to steal, but there are steps that help reduce the chance of a security incident. Patching outdated systems, educating employees on how to spot phishing emails and the risks associated with them, and implementing two-factor authentication and auditing for remote access systems are strong security controls. Having a Security Operations Center (SOC) monitor network and endpoint systems at all times to find intrusions is also critically important when developing a defense-in-depth strategy. The longer an intrusion goes undetected, the greater the risk of sensitive information and business-critical servers being affected.

Source: https://www.bloomberg.com/news/articles/2020-06-05/vt-san-antonio-aerospace-hit-with-criminal-ransomware-attack?&web_view=true