When malware found its way into the network of Bakker Logistiek, a company specializing in the transport and warehousing of food and other products, on the night of 4 to 5 April, its IT systems ground to a halt. And, along with them, the reception of orders from clients, and the delivery of goods to branches of Albert Heijn, the largest supermarket chain in the Netherlands. With systems down, companies affected have resorted to using pen and paper for the time being.
Thankfully, all systems are back online now, according to Bakker Logistiek’s CEO Toon Verhoeven who gave an interview to local news organization, Nederlandse Omroep Stichting (NOS). The company is now in the process of contacting customers so they can begin deliveries as normal.
Verhoeven also confirmed with De Telegraaf, a Dutch morning newspaper, that the malware in question is ransomware, but the variant is yet to be disclosed by the company. “We have filed a complaint and it is now with the judicial authorities,” Verhoeven said in the NOS interview, which we have translated using Google Translate. “We are not making any further statements about that. We have worked very hard over the past six days to get our information systems up and running again.”
One of the foodstuffs most affected by the attack is packaged cheese. Albert Heijn said in a statement that they, too, are working hard to get the availability of cheese both in shops and online, although the latter is still a bit difficult to achieve in terms of ordering. Although headline writers have had some fun with the attacks affect on cheese supplies, the plain fact is that a gang of criminals has successfully disrupted a food supply chain, and that’s no laughing matter.
The CEO suspects that the compromise had something to do with the ProxyLogon vulnerability affecting Microsoft Exchange Servers. You may recall, Microsoft issued patches for four Microsoft Exchange zero-day exploits last month. The flaws were being taken advantage of by an attack group called Hafnium. After news of the patches broke, criminals were quick to reverse engineer the patches and use the vulnerabilities to attack servers, deploy web shells and drop ransomware payloads like Black KingDom and DearCry, knowing that many organizations would be slow to apply the patches.
The attack on Bakker Logistiek is yet another real-world example in the lengthening list of malware attacks affecting vital organizations with major consequences that go beyond the targeted businesses. We’re not even going to take a look back at what happened to Maersk in 2018 when NotPetya struck them hard. Or when EKANS disrupted industrial control systems (ICS) of Honda, GE, and Honeywell.
And it isn’t just businesses. The number of schools and hospitals that have experienced downtime because of ransomware is staggering, with some of them paying the ransom not only to get their systems up and running as quickly as possible but also to get their precious time back. In turn, those ransom payments fund the boom in ransomware.
In all honesty, although we don’t endorse ransom payments, it is not difficult to see why people make the calculation that they should pay, and we wouldn’t have been surprised if Bakker Logistiek had done the same.
As the sophistication of ransomware grows, organizations must continue to take this threat seriously, act swiftly in auditing their security posture as a whole, and plan accordingly. Preparing for ransomware doesn’t just mean beefing up security, it also means having a realistic plan in place for how to recover if the worst does happen, and keeping off-site, air-gapped backups that will be out of any attackers’ reach.
Every organization is a target, and the victims are everyone that relies on that organization. Your organization must be better prepared than ever. You can start by reading our guide to ransomware.
The post Ransomware disrupts food supply chain, Exchange exploitation suspected appeared first on Malwarebytes Labs.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.