Ransomware gang breached CNA network via fake browser update

Picture: Josh Calabrese, CNA

Leading US insurance company CNA Financial has provided a glimpse into how Phoenix CryptoLocker operators breached its network, stole data, and deployed ransomware payloads during the attack that hit the company in March 2021.

Two months ago, on May 13, CNA said it began operating “in a fully restored state” after restoring systems affected by the attack.

As revealed in a legal notice filed earlier this month, CNA discovered the exact timeline of the ransomware attack following an investigation conducted with the help of hired third-party security experts immediately after discovering the incident.

Network breached via fake browser update

As the US insurer revealed, the attackers first breached an employee’s workstation on March 5 using a bogus, malicious browser update delivered through a legitimate website.

The ransomware operator gained elevated privileges on the system through “additional malicious activity” and then moved laterally through the CNA network, breaching and establishing persistence on more devices.

“Between March 5 and 20, 2021, threat actors conducted a reconnaissance within the CNA IT environment using legitimate tools and credentials to avoid detection and establish persistence,” the legal notice filed with the New Hampshire Attorney General’s Office reveals.

“On March 20 and through March 21, 2021, Threat Actor disabled monitoring and security tools; destroyed and disabled certain CNA backups; and deployed ransomware on certain systems within the environment, leading CNA to proactively shutting down systems globally as immediate containment measure.”

Sources familiar with the attack told BleepingComputer that Phoenix CryptoLocker encrypted more than 15,000 systems after deploying ransomware payloads to the CNA network on March 21.

BleepingComputer also learned that ransomware operators encrypted remote workers’ devices connected to the company’s VPN during the attack.

“Before implementing the ransomware, Threat Actor copied, compressed and organized unstructured data obtained from shared files found on three virtual CNA servers, and used MEGAsync, a legitimate tool, to copy some of that unstructured data from the CNA environment directly on the cloud-based account of the threat actor hosted by Mega NZ Limited,” the company added.

Stolen data not sold or exchanged with others

As CNA discovered, the stolen files included confidential information (names, social security numbers, dates of birth, benefits enrollment, and/or medical information) pertaining to employees, former employees, and their dependents and, in approximately 10% of the cases, clients.

The investigation also found that the attackers exfiltrated data only to the MEGAsync account, which was subsequently seized with the help of the FBI and Mega. According to information provided by the cloud storage platform, the stolen CNA data was not shared outside of the attackers’ Mega account.

Considering the results of the investigation of the ransomware attack, CNA says that “there is no evidence that the exported data was seen, retained or shared by the threat actor and therefore there is no risk of harm to people arising out of the incident.”

Despite this conclusion, CNA still decided to notify affected individuals earlier this month of a potential data breach following the March Phoenix CryptoLocker ransomware attack.

According to the breach information filed by CNA with the Maine Attorney General’s office, this data breach affected 75,349 people.

Possible links to a sanctioned cybercrime group

Based on source code similarities, Phoenix Locker is believed to be a new ransomware strain developed by the Evil Corp hacking group to get around the sanctions imposed on it, after WastedLocker ransomware victims stopped paying ransoms to avoid fines or legal action.

When asked by BleepingComputer about a possible connection between the sanctioned Evil Corp and Phoenix Locker, CNA said there was no confirmed link.

“The group of threat actors, Phoenix, responsible for this attack, is not a sanctioned entity and no US government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity,” the company said.

CNA is considered the seventh largest commercial insurance company in the US, according to statistics from the Insurance Information Institute.

The insurer offers a wide range of insurance products, including cyber insurance policies, to individuals and businesses in the US, Canada, Europe, and Asia.