Tag Archive for: claims

Boeing Breached by Ransomware, LockBit Gang Claims


In a post on its leak site, prolific ransomware threat group LockBit claims that it breached Boeing, and said that it will start releasing sensitive data it purportedly stole from the company’s systems if ransom demands aren’t met by Nov. 2.

“A tremendous amount of sensitive data was exfiltrated and ready to be published if Boeing do (sic) not contact within deadline!” the LockBit post shared by cybersecurity analyst Dominic Alvieri read. “For now we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline.”

The post included a countdown clock to the deadline.

A Boeing spokesperson told Dark Reading, “We are assessing this claim.”

LockBit boasted it accessed Boeing’s systems with a zero-day vulnerability.

If this turns out to be true, James Dyer, threat intelligence lead at Egress, predicts a long recovery road ahead for the sprawling multinational aviation and aerospace organization.

“This incident is not only worrying because of its immediate threat but also in terms of the fallout,” Dyer said in a statement. “Ultimately, the company and customers could now be at greater risk from increased phishing attacks using credentials compromised in the other initial attack — otherwise known as business email compromise (BEC).”

LockBit has been the most active ransomware threat group over the past year, according to Black Kite’s head of research, Ferhat Dikbiyik, but he added in a statement that the group doesn’t traditionally target organizations as large as Boeing.

“LockBit appears to be proceeding cautiously by not immediately publishing any sample data,” he noted.

This seems to be a departure from previous operations. Last August, LockBit breached a UK defense contractor, Zaun Ltd., and leaked sensitive data on the physical security surrounding several agencies in the UK Ministry of Defence.


Boeing Investigates LockBit Ransomware Breach Claims


Aerospace giant Boeing says it is “assessing” claims by a notorious ransomware group that it has stolen a “tremendous amount” of sensitive data from the firm, according to reports.

The US aircraft and defense manufacturer was forced to respond after a new entry appeared on the leak site of LockBit, one of the most prolific ransomware-as-a-service (RaaS) groups operating today.

“Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!” it noted. “For now we will not send lists or samples to protect the company but we will not keep it like that until the deadline.”

Boeing has until November 2 to pay an undisclosed ransom, or it will risk this data ending up in the public domain.

“We are assessing this claim,” a Boeing spokeswoman told Reuters.


LockBit is one of the most successful RaaS groups around. An alert from allied security agencies in June claimed it was the most deployed ransomware variant of 2022 and accounted for around 1700 attacks in the US since 2020.

The agencies claimed LockBit had made an estimated $91m from US victims alone since January 2020.

Picus Security researcher Hüseyin Can Yuceel argued that the quality of the exfiltrated data will determine Boeing’s response in the coming days – whether it negotiates with LockBit or dismisses its demands.

“LockBit is a financially motivated ransomware group that is well known to provide the decryption key after the ransom is paid. Were that not the case, they could not operate their ransomware business,” he added.

“However, organizations should know that they are dealing with criminals, and there is always a risk that they may not recover their files even if the ransom is paid. Paying ransom to ransomware gangs is also illegal in many countries. The best option for organizations infected with ransomware is to contact their countries’ cybersecurity agencies, such as CISA, NCSC, and JPCERT.”


Silent cyber coverage here to stay? New Jersey Appellate Court rejects insurers’ attempt to expand scope of the war exclusions to cyber claims


The War and Hostile Action Exclusions have been standard exclusions in property and general liability policies for decades. With the rise of cyber claims, insurers have turned to these exclusions to deny coverage where the bad actor may have governmental roots. In a win for policyholders, the New Jersey Appellate Division rejected the insurers’ attempt to deny coverage and held that the hostile/warlike action exclusion did not apply to non-military, cyber-attack claims. See Merck & Co. v. ACE American Insurance Co.¹ This ruling affirms the traditional scope of these exclusions and establishes that coverage under a commercial property policy for property damage caused by cyber-related incidents, colloquially known as “silent cyber” coverage, persists.

Merck & Co. v. ACE American Insurance Co.

On June 27, 2017, New Jersey pharmaceutical company, Merck & Co. (“Merck”), suffered a cyber-attack that left thousands of Merck’s computers damaged and encrypted by the malware known as NotPetya. The malware caused large-scale disruption to Merck’s business, resulting in $699,475,000 in losses. Although the exact origin of the malware was unknown, it was believed to have originated from the Russian Federation.

Merck tendered the claim to its all-risk property insurance carriers. The insurers reserved their right to deny coverage pursuant to hostile/warlike action exclusions and then subsequently denied coverage. Specifically, these exclusions exclude coverage for “loss or damage caused by hostile or warlike action” which was caused by “any government or sovereign power . . . or by military, naval or air forces . . . or by an agent of such government . . . .”² The insurers argued that the word “hostile” should be broadly read to mean any antagonistic, unfriendly, or adverse action by a government or sovereign power, including the Russian Federation. Rejecting the insurers’ argument, the trial court held that the hostile/warlike action exclusions were inapplicable to the NotPetya related claims. The insurers appealed.

The New Jersey Court of Appeals Narrowly Construed the Hostile/Warlike Action Exclusion

On appeal, the Court looked to the plain and ordinary…


Hacker Claims to Have Published St. Louis Transit Data


(TNS) — An anonymous hacker group says it has published data it stole from a regional transportation agency here.

It was not immediately clear what data was published or whether it included sensitive personal information. The hackers earlier this week demanded a ransom be paid or they would release stolen information from the regional transportation system Metro Transit, including passports, Social Security numbers and tax information.

Taulby Roach, the CEO and president of Bi-State Development, which operates Metro Transit, said Thursday the agency did not pay the ransom but did not release more details about the demand.


A union that represents many of Metro Transit’s 1,800 employees said no employees have reported instances of identity theft or other malicious activity stemming from the hack.

Roach said no customer data was stolen, and any impacted employees will be notified.

Employees were told of the data breach earlier this week and offered free credit monitoring through TransUnion, a credit reporting agency.

“We are unaware of any instances where sensitive employee information has been used maliciously,” Roach said in a statement. “However, we encouraged employees to register as soon as possible for the free credit monitoring services and heightened vigilance by our employees for suspicious links or suspicious credit activity.”

Brett Callow, an analyst with the New Zealand-based cybersecurity firm Emsisoft, shared a screenshot with the Post-Dispatch that showed files containing what the hackers claimed late Wednesday was stolen Metro data.

Callow said it’s impossible to know exactly what’s in the files without downloading and viewing them, which he said he wouldn’t do because he sees it as an invasion of privacy.

The screenshot was published on an unregulated part of the Internet called the dark web, which hackers often use to publish ransom threats and cybersecurity researchers track to study ransomware activity.

It appeared to show the publication of 10 files, each 500 megabytes, and a tracker noting the download link had been viewed more than 700 times.

The cyber attack began on Oct. 2, and phone and computer…
