Supply Chain & Blue Yonder

A ransomware attack on supply chain software firm Blue Yonder has in turn disrupted a dozen big names in food and retail, Starbucks and Walgreens among them.  The software is widely used by Fortune 500 companies, and the full list of potentially affected customers remains unclear.  Companies such as grocery giant Kroger, Albertsons (which Kroger was at the time seeking to acquire), Anheuser-Busch and Ford are known to use the software but have not confirmed any impact so far.  Several big names have confirmed disruption, however: Starbucks, Walgreens, Tesco, and UK grocery chains Morrisons and Sainsbury’s among them.

The Blue Yonder ransomware attack is another case of an upstream breach of a managed services provider causing problems for downstream clients, though in this case the clients do not appear to have been directly breached.  They instead suffered a range of disruptions from the software outage, from switching to manual backup inventory systems to delaying employee payments.[1]

Starbucks was one of the biggest names indirectly affected in this way, reporting that it temporarily lost the ability to view and edit employee schedules and that payments to staff may be delayed because it could not see how many hours employees had worked in the current pay period.  Similar back-end supply chain problems have hit other retailers and consumer goods manufacturers, though Blue Yonder offers a variety of services and not all customers will have had the same problems.  Other names that have reported falling back to backup systems and recovering from the loss of software access include Walgreens, Wegmans, Gap, DHL, Carlsberg and Mitsubishi.  The total list may be much larger, however: Blue Yonder has many big-name clients, and simply losing access to software does not necessarily trigger data breach reporting requirements.

In total Blue Yonder has over 3,000 customers spanning 76 countries. The ransomware attack on the company took place on 21 November.  A 24 November statement from the company confirmed the incident and indicated that it is working “around the clock” with external cybersecurity firms to handle the issue, but that there is presently no timeline for full restoration of services.  The company did say that it is monitoring its Blue Yonder Azure public cloud environment and sees no threats or impact there.

The CISO at Trustwave expands on how the impact from this ransomware attack may continue to be felt: “This attack highlights the fragility of our connected supply chains, particularly within the intricate networks in retail that have a heavy reliance on third-party relationships.  However, every vendor relationship introduces an expansion of the attack surface.  As we are seeing in some of the ripple effects of this breach, the downtime caused by ransomware attacks can halt sales, disrupt inventory management, and negatively impact customer service, affecting everything from in-store transactions to e-commerce operations, which is particularly impactful ahead of the holidays.  Organizations must take proactive steps to identify, mitigate, and continuously monitor these risks before they lead to widespread disruption.”

Supply chain attacks continue to be a preferred approach for hackers

While most of the disruption from this supply chain attack is being felt by employers that have had to switch temporarily to manual or alternate processes, in some cases consumers may feel the impact too.  UK grocery chain Morrisons, which has over 500 locations across the country, said that the “smooth flow of goods” had been interrupted by the Blue Yonder ransomware attack and that some items might not reach shelves on their normal schedule.

The attack has yet to be claimed by any known ransomware group and Blue Yonder has yet to comment on this aspect.  But the retail and food production industries are on higher alert than usual during the Thanksgiving and Christmas holiday seasons, when both food demand is higher than usual and shopping for presents is in full swing.  Hackers believe retailers will feel more pressure to pay ransoms quickly during this busy season.

Lattimer, a VP at Semperis, commenting on the statistics behind increased holiday-season activity by hackers (and what organizations can do about it), said: “The cyberattack on Blue Yonder is yet another reminder that retailers are at risk in the US, UK and in other global locations and they should brace for cyberattacks during the holiday season.  This attack was likely calculated as the hackers are aware that the Thanksgiving holiday is approaching and disruptions in the supply chain will leave many grocery stores in the US with empty shelves at the worst possible time.  While details on the specifics of the Blue Yonder attack are scant, it is yet another reminder how damaging supply chain disruptions become when suppliers are taken offline.  Kudos to Blue Yonder for dealing with this cyberattack head on, but we still don’t know how far reaching the business disruptions will be in the UK, US and other countries.  Now is the time for organizations to fight back against threat actors.  Deciding whether or not to pay a ransom is a personal decision that each company has to make, but paying emboldens threat actors and throws more fuel onto an already burning inferno.”

“Today, to increase operational resiliency, organizations should assess their most critical network assets and harden them against failure.  For instance, in nearly all ransomware attacks, threat actors compromise organizations’ identity systems, most often Active Directory.  This can lead to entire networks being taken offline.  To improve operational resiliency, businesses should deploy a robust backup and recovery plan that ensures Active Directory, Entra ID, Okta and other identity systems are recoverable,” added Lattimer.

The Vice President at Dispersive encourages reasonable network segregation measures as an added security element: “One benefit of isolation of systems is that companies can readily avoid many negative effects such as lateral movement (often part of ransomware attacks).  In the past these have been called DMZs; today micro-segmentation is popular for reducing the risks of lateral movement, along with living off the land detection in EDR tools.  But the best way to protect from lateral movement is to isolate systems and enhance authentication with MFA.”
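One concrete form of the "living off the land" detection mentioned in the quote above, added here as an illustration; it is not code from the article, from Blue Yonder, or from Dispersive. It scans process-creation events for built-in Windows tools (PsExec, WMIC, WinRM, net use, sc, schtasks) being pointed at a remote host, and then counts how many distinct remote hosts one account has touched, since fan-out from a single workstation is the pattern ransomware operators leave while staging. The log line format, field names, rule set, threshold and sample events are all assumptions constructed for this example; real telemetry would come from Sysmon Event ID 1 or an EDR's process-creation feed.

```python
"""Added example (not from the article or any vendor quoted in it): a minimal
living-off-the-land lateral-movement detector over constructed process-creation
events. Log format, field names, rules and samples are assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str    # host on which the process ran
    user: str    # account that launched it
    rule: str    # which heuristic fired
    detail: str  # the command line, or the remote targets for the fan-out rule


# Assumed line shape: <ts> host=<h> user=<u> image=<path> cmdline="<args>"
# (image paths without spaces are assumed for this illustration).
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# Heuristics over the lower-cased command line. Each one requires the built-in
# tool to be aimed at a *remote* machine, which is what separates lateral
# movement from ordinary local use of the same binaries.
RULES = [
    ("psexec_remote_exec", re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\")),
    ("wmic_remote_node",   re.compile(r"\bwmic(\.exe)?\b.*\s/node:")),
    ("winrm_remote_shell", re.compile(r"\b(winrs|invoke-command)\b.*(\s-r:|\s/r:|-computername)")),
    ("admin_share_mount",  re.compile(r"\bnet(\.exe)?\s+use\s+.*\\\\[^\s\\]+\\(admin\$|c\$)")),
    ("sc_remote_service",  re.compile(r"\bsc(\.exe)?\s+\\\\\S+\s+(create|start)\b")),
    ("schtasks_remote",    re.compile(r"\bschtasks(\.exe)?\b.*\s/s\s+\S+")),
]

# Extracts the remote host from \\HOST, /node:HOST, /s HOST or -ComputerName HOST.
TARGET_RE = re.compile(r"(?:\\\\|/node:|/s\s+|-computername\s+)([a-z0-9._-]+)")


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, fanout_threshold=3):
    """Per-event findings, plus one 'lateral_fanout' finding for any (host, user)
    that drove remote tooling at fanout_threshold or more distinct hosts."""
    findings = []
    targets = {}  # (host, user) -> set of remote host names seen
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cl = ev["cmdline"].lower()
        for name, rx in RULES:
            if rx.search(cl):
                findings.append(Finding(ev["host"], ev["user"], name, ev["cmdline"]))
                targets.setdefault((ev["host"], ev["user"]), set()).update(TARGET_RE.findall(cl))
                break  # one rule per event; the fan-out count is kept separately
    for (host, user), remote in targets.items():
        if len(remote) >= fanout_threshold:
            findings.append(Finding(host, user, "lateral_fanout", ", ".join(sorted(remote))))
    return findings


# Constructed sample telemetry: one workstation fanning out to four servers with
# four different built-in tools, plus benign activity that must not alert.
SAMPLE_LOG = r"""
2024-11-21T03:14:05Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic /node:FS01 process call create cmd.exe /c whoami"
2024-11-21T03:14:09Z host=WS-042 user=CORP\jdoe image=C:\Tools\PsExec.exe cmdline="psexec.exe \\FS02 -s cmd.exe /c whoami"
2024-11-21T03:14:20Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net use \\FS03\ADMIN$ /user:CORP\jdoe Passw0rd"
2024-11-21T03:15:02Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /s FS04 /tn Updater /tr C:\Windows\Temp\u.exe /sc once /st 03:20 /ru SYSTEM"
2024-11-21T03:16:40Z host=WS-017 user=CORP\asmith image=C:\Windows\System32\net.exe cmdline="net use Z: \\FILESERVER\Finance /persistent:yes"
2024-11-21T03:17:01Z host=WS-017 user=CORP\asmith image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic os get caption"
2024-11-21T03:18:11Z host=SRV-DB1 user=CORP\svc_sql image=C:\Windows\System32\sc.exe cmdline="sc \\FS05 start BackupAgent"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.host:8} {f.user:14} {f.rule:20} {f.detail}")
```

On the sample above the four WS-042 events each trip a per-tool rule and together trip the fan-out rule (four distinct targets), the SRV-DB1 event trips only `sc_remote_service` because it touches a single host, and the two benign lines produce nothing. Command-line regexes are easy to evade (renamed binaries, encoded PowerShell), so in practice this kind of rule is paired with authentication telemetry (network logons to many hosts from one source) and the process parent-child context an EDR records.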

Though the fallout from the Blue Yonder incident will almost certainly be far smaller, any supply chain attack touching many large businesses calls to mind uncomfortable incidents of the recent past such as MOVEit, SolarWinds and Kaseya.  The approach suits both state-backed and profit-seeking criminal hackers, for whom a breach of a single target can yield access to hundreds or thousands of other high-value organizations.  The Blue Yonder incident differs in that the attackers appear to have gone no further than the company’s own environment, but the timing, which puts extra pressure on retailers and restaurants during their biggest season, is unlikely to be a coincidence.

Threat Intel at Outpost24 notes the incident as yet another reminder to review supply chain security and ensure that updated ransomware attack response plans are in place: “This attack highlights the critical importance of keeping safe the supply chain and any related operational systems.  This year has been rife with similar incidents such as the Change Healthcare ransom attack at the beginning of the year.  These incidents emphasize the need for robust risk management and contingency planning to minimize operational disruptions.  Your suppliers are a critical part of the security of your company, so organizations must prioritize investment in advanced cybersecurity measures and collaborative incident response procedures to mitigate such risks.”

A security awareness advocate at KnowBe4 also believes that regulators should be prompted by this incident to review supply chain requirements and standards: “Reverting back to pen and paper for scheduling and timekeeping is not a welcome challenge, one can imagine.  The incident is a timely reminder that supply chain attacks can have far-reaching consequences.  As certain technologies are the backbone of large parts of our industry, the need for regulation like NIS2 is becoming very evident.  Attackers also know that there is no time like the present.  They target key organizations across supply chains specifically.  Everyone must prepare themselves and their supply chain for the increase in cyber threats that we are facing.”

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.cpomagazine.com/cyber-security/blue-yonder-ransomware-attack-ripples-through-supply-chain-to-impact-big-names-in-retail/
