CNA’s Network Was Breached Via Fake Browser Update
On March 21st, Phoenix CryptoLocker Encrypted Over 15,000 Systems After Deploying Ransomware Payloads on the US Insurer’s Network.
CNA Financial, one of the largest American insurance companies, provides a broad range of standard and specialized property and casualty insurance products, as well as services for businesses and professionals in the U.S., Canada, Europe, and Asia.
The CNA Financial Ransomware Attack
On March 21st, the insurance giant was affected by a “sophisticated cybersecurity attack” that interrupted the company’s employee and customer services for three days as the firm closed down “out of an abundance of caution” to prevent further damage.
It looks like the threat actors used Phoenix CryptoLocker, a malware that is a variant of Hades ransomware. Just two weeks after the ransomware attack crippled CNA Financial’s networks, a $40 million ransom was paid.
The company's decision to pay is viewed as a setback in the broader fight against cyber threats, as lawmakers and regulators are already unhappy that U.S. companies are making payouts to cybercriminals.
The Breach Was Caused by a Fake and Malicious Browser Update Delivered via a Legitimate Website
On March 5th, threat actors breached an employee’s workstation using a fake and malicious browser update delivered via a legitimate website, the US insurer revealed.
A legal notice filed earlier this month with New Hampshire’s Attorney General Office revealed that CNA discovered the exact timeline of the ransomware attack following an investigation conducted with the help of third-party cybersecurity specialists.
Between March 5th and March 20th, 2021, the threat actor conducted reconnaissance within CNA’s IT environment using legitimate tools and legitimate credentials to avoid detection and to establish persistence. On March 20th and into March 21st, 2021, the Threat Actor disabled monitoring and security tools; destroyed and disabled certain CNA back-ups; and deployed ransomware onto certain systems within the environment, leading CNA to proactively disconnect systems globally as an immediate containment measure.
As reported by BleepingComputer, the Phoenix CryptoLocker encrypted over 15,000 systems after deploying ransomware payloads on CNA’s network on March 21st.
Prior to deploying the ransomware, the Threat Actor copied, compressed, and staged unstructured data obtained from file shares found on three CNA virtual servers; and used MEGAsync, a legitimate tool, to copy some of that unstructured data (“Exported Data”) from the CNA environment directly into the threat actor’s cloud-based account (the “Mega Account”) hosted by Mega NZ Limited (“Mega”).
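The notice above describes three observable stages before encryption: bulk data staged into archives and pushed to a consumer cloud store with a legitimate sync client, security and monitoring tooling disabled, and backups destroyed. The script below is an added example (not CNA's code, nor anything from the filing) showing how a defender might turn those stages into detection logic and correlate them per host. The log format, host and user names, the service name, the byte thresholds and the correlation window are all assumptions constructed for the example; the mega.nz hostname is the public domain of the storage service the notice names.

```python
"""Stage-based detection for the pre-encryption timeline described in the notice.

Added example on constructed telemetry; not CNA data or code. The log format,
host/user/service names, thresholds and correlation window are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in the assumed format:
#   "<ISO timestamp> <host> <event_type> key=value ..."
# FS-VS-02 is a placeholder file server, WKS-101 a benign workstation.
SAMPLE_LOG = r"""
2021-03-18T22:10:03 FS-VS-02 file_create user=svc_fileadmin path=D:\stage\fs02.7z size=32212254720
2021-03-18T23:41:17 FS-VS-02 process_start user=svc_fileadmin image=MEGAsync.exe
2021-03-18T23:42:05 FS-VS-02 net_conn user=svc_fileadmin dst=mega.nz bytes_out=32212254720
2021-03-20T21:03:44 FS-VS-02 service_stop user=svc_fileadmin service=EndpointMonitoringAgent
2021-03-20T21:09:12 FS-VS-02 backup_deleted user=svc_fileadmin target=NightlyFull
2021-03-20T09:15:00 WKS-101 net_conn user=jsmith dst=intranet.example.test bytes_out=4096
2021-03-20T09:15:30 WKS-101 file_create user=jsmith path=C:\Users\jsmith\notes.zip size=20480
"""

CLOUD_SYNC_IMAGES = {"megasync.exe"}             # sync client named in the notice
CLOUD_STORAGE_HOSTS = {"mega.nz"}                # extend from your proxy's cloud-storage category
SECURITY_SERVICES = {"endpointmonitoringagent"}  # placeholder for your EDR/monitoring services
STAGING_BYTES = 1 << 30   # an archive this large written on a file server is worth a look
EXFIL_BYTES = 1 << 30     # cumulative outbound bytes per host/user to consumer cloud storage
ARCHIVE_SUFFIXES = (".7z", ".zip", ".rar")
CORRELATION_WINDOW = timedelta(hours=6)  # tool-disable and backup-destroy this close together


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one line of the assumed key=value log format."""
    ts, host, kind, *rest = line.split()
    return Event(datetime.fromisoformat(ts), host, kind,
                 dict(tok.split("=", 1) for tok in rest))


def detect(lines):
    """Return (rule, host, detail) alerts for staging, exfiltration and
    defence impairment, plus one correlated 'pre_encryption' alert per host
    where tooling was disabled and backups destroyed inside the window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    outbound = defaultdict(int)   # (host, user) -> bytes sent to cloud storage
    exfil_flagged = set()         # alert once per (host, user)
    impair = defaultdict(dict)    # host -> {"security_tool_disabled": ts, "backup_destroyed": ts}

    for e in events:
        f = e.fields
        if (e.kind == "file_create"
                and f["path"].lower().endswith(ARCHIVE_SUFFIXES)
                and int(f["size"]) >= STAGING_BYTES):
            alerts.append(("staging", e.host, f"large archive written: {f['path']}"))
        elif e.kind == "process_start" and f["image"].lower() in CLOUD_SYNC_IMAGES:
            alerts.append(("cloud_sync_client", e.host, f["image"]))
        elif e.kind == "net_conn" and f["dst"] in CLOUD_STORAGE_HOSTS:
            key = (e.host, f.get("user", "?"))
            outbound[key] += int(f["bytes_out"])
            if outbound[key] >= EXFIL_BYTES and key not in exfil_flagged:
                exfil_flagged.add(key)
                alerts.append(("exfiltration", e.host,
                               f"{outbound[key]} bytes to {f['dst']} by {key[1]}"))
        elif e.kind == "service_stop" and f["service"].lower() in SECURITY_SERVICES:
            alerts.append(("security_tool_disabled", e.host, f["service"]))
            impair[e.host]["security_tool_disabled"] = e.ts
        elif e.kind == "backup_deleted":
            alerts.append(("backup_destroyed", e.host, f["target"]))
            impair[e.host]["backup_destroyed"] = e.ts

    # The two impairment stages together are the strongest pre-encryption signal.
    for host, seen in impair.items():
        if (len(seen) == 2
                and abs(seen["security_tool_disabled"] - seen["backup_destroyed"]) <= CORRELATION_WINDOW):
            alerts.append(("pre_encryption", host,
                           "security tooling disabled and backups destroyed within window"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {host:10} {detail}")
```

Run on the constructed log, the file server produces the staging, sync-client, exfiltration, tool-disable and backup-destruction alerts and then the correlated pre-encryption alert, while the workstation's small archive and intranet traffic produce nothing. The thresholds are deliberately coarse; in practice the cloud-storage host list comes from proxy categorisation and the service names from your own tooling inventory.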
CNA’s investigation revealed that the stolen files included sensitive info such as names, Social Security numbers, birth dates, benefits enrollment, and/or medical information, belonging to employees, former employees and their dependents, and customers.
The company also found that the threat actors exfiltrated data only to the Mega account, which was later seized with the help of the FBI and Mega. According to the information provided by the cloud storage platform, the stolen data was not shared outside the attackers’ Mega account.
Fortunately, CNA’s forensic experts, in coordination with the FBI, were able to confirm the Exported Data moved directly from the CNA environment into the threat actor’s Mega Account, without any evidence of it being viewed or otherwise shared. The Exported Data was secured in encrypted form in the Mega Account by the Threat Actor, such that no one, not even Mega, could access the data without the decryption key. Working with the FBI and the Cloud-Storage Platform provider, CNA was able to take control of the account and quickly recover CNA’s data.
Despite this conclusion, earlier this month CNA Financial still decided to notify impacted individuals of a major data breach that happened as a consequence of the ransomware attack. The insurance company has disclosed that 75,349 of its customers were impacted by the breach.