Hackers Hit The IT Industry: 12 Companies Targeted In 2023
Solution providers such as CDW and vendors with a large partner base such as Barracuda and Cisco have been targeted by cybercriminals this year.
Hackers Strike The IT Industry
Even for the IT industry companies dedicated to helping protect customers from hackers, cyberthreats such as ransomware and data breaches are a major issue. True, cyberattacks have struck an array of solution and service providers — as well as channel-focused cybersecurity vendors — in recent years. But 2023 has seen a spate of data breaches that have impacted the IT channel, particularly in connection with the string of MOVEit attacks from earlier this year. Those attacks exploited a vulnerability in Progress’ MOVEit file transfer software, and Russian-speaking hacker group Clop has targeted a number of IT industry companies, including IBM, Cognizant and Deloitte, with data extortion attempts this year. Those IT solution and service providers are among the more than 2,000 organizations that are believed to have been compromised in the MOVEit attacks.
Meanwhile, other major cyberattacks that have affected top IT channel players have included the recent LockBit attack against CDW and the ransomware attack that took down ScanSource’s website for weeks earlier this year. And vendors with large partner bases such as Barracuda and Cisco have also been impacted, with major attacks launched exploiting vulnerabilities in some of their most widely used products.
[Related: LockBit’s $80M Ransom Demand To CDW Is Third Largest Ever: Expert]
The attacks by malicious hackers serve as another reminder that even the businesses that make their living from technology products and services — including in cybersecurity — are in no way immune to the massive threat posed by cybercriminals. Prior incidents have included the malware attack that struck SHI in July 2022 and the LockBit ransomware attack against Accenture in mid-2021. Looking even further back, major solution providers that were struck by ransomware incidents during 2020 included Cognizant, Conduent, DXC Technology and Tyler Technologies.
And while attacks against MSPs tend to be more under-the-radar, given the fact that many MSPs are on the smaller end of the spectrum, these frequent attacks are another example of channel companies facing impacts from hacker activity. MSPs continue to be a massive target for hackers seeking to compromise their systems — such as remote monitoring and management (RMM) — in order to acquire access to their end customers. Earlier this year, the Cybersecurity and Infrastructure Security Agency warned that the malicious use of RMM tools continued to pose a major threat, including to MSPs — pointing to a “widespread” cyberattack campaign from last fall that leveraged the RMM platforms ScreenConnect (now known as ConnectWise Control) and AnyDesk. More recently, in August, CrowdStrike threat hunters reported a 312-percent jump in abuse of RMM platforms by attackers, year-over-year.
Solution and service providers have also been grappling with indirect impacts from cyberattacks in 2023, with key products from Barracuda, Cisco and other channel-focused vendors falling victim to exploits by threat actors. The attacks against Cisco IOS XE customers, first disclosed on Monday, have already impacted tens of thousands of customers and Cisco partners, according to security researchers.
As cyberattacks continue to impact the IT industry, what follows are the key details on 12 companies targeted in 2023.
CDW
Solution provider giant CDW confirmed Oct. 12 it was investigating a security incident after the cybercriminal gang LockBit claimed to leak stolen data belonging to the company. The purported leak followed LockBit’s demand for an $80 million extortion payment from CDW, which has ranked as the largest ransom demand to date for the Russian-speaking group, and the third largest ever.
In a statement provided to CRN on Oct. 12, a CDW spokesperson said the company was “addressing an isolated IT security matter associated with data on a few servers dedicated solely to the internal support of Sirius Federal, a small U.S. subsidiary of CDW-G.” CDW added in the statement that it was also “aware that a third party has made [Sirius Federal] data available on the dark web.”
An update to LockBit’s darkweb leak site said that “all available data” allegedly belonging to CDW, No. 4 on CRN’s 2023 Solution Provider 500, had been published. The page appeared to provide a link to download a 94.7 GB archive of data.
In its statement to CRN, CDW said that the affected servers are “non-customer-facing” and are “isolated from our CDW network and other CDW-G systems.”
CDW’s security protocols detected suspicious activity related to the Sirius Federal servers and contained the activity, and the company “immediately” began an investigation that includes help from external cybersecurity experts, according to the statement. “Our systems remain fully operational and at no time did we identify evidence of any risk to other CDW systems or any external systems,” the company said.
“As part of the ongoing investigation, we are reviewing this data and will take appropriate action in response – including directly notifying anyone affected, as appropriate,” CDW said in the statement. CRN has reached out to CDW to ask about any updates on the investigation.
LockBit, among the most prolific cybercriminal groups, claimed on its darkweb site that CDW offered to pay $1.1 million out of the $80 million demand.
Cisco
The ongoing campaign against Cisco IOS XE customers is proving to be one of the most widespread edge attacks ever, experts told CRN. Nearly 42,000 Cisco devices have been compromised so far through exploits of a critical IOS XE vulnerability discovered Oct. 16, according to Censys researchers.
Cisco said in an advisory that day that the zero-day vulnerability in IOS XE has been seeing “active exploitation” by attackers. The privilege escalation vulnerability has received the maximum severity rating, 10.0 out of 10.0, from Cisco. Exploitation of the critical vulnerability can allow a malicious actor to acquire “full control” of the compromised device, Cisco’s Talos threat intelligence team said.
The IOS XE networking software platform is utilized by a multitude of Cisco devices, many of which are commonly deployed in edge environments. Those include branch routers, industrial routers and aggregation routers, as well as Catalyst 9100 access points and “IoT-ready” Catalyst 9800 wireless controllers.
“Of edge attacks, this is one of if not the most significant,” said John Gallagher, vice president of Viakoo Labs at IoT security firm Viakoo.
A patch for the vulnerability (tracked as CVE-2023-20198) was not available as of this writing. In a statement provided to CRN on Oct. 16, the tech giant said it is addressing the critical security issue “as a matter of top priority” and has been “working non-stop to provide a software fix.”
Cisco said in an update to its advisory Oct. 17 that an access restriction measure it has shared is effective at stopping exploits of the vulnerability in IOS XE. In response to a CRN inquiry Oct. 18, Cisco said it did not have any new information to share.
ScanSource
IT and telecom distributor ScanSource said in mid-May it had become the victim of a ransomware attack. The attack was discovered by ScanSource May 14 and had a major impact on ScanSource systems for nearly two weeks, crippling key systems including much of its website. The impacts affected customers and suppliers in geographies including North America.
After discovering the attack, ScanSource said it “immediately” began investigating while also implementing the company’s incident response plan. The company declined to provide details on which systems were affected and what data may have been impacted, but said in an Aug. 22 news release that the attack “impacted the company’s core systems for its hardware business.”
By May 26, ScanSource’s core systems were restored and its operations were able to resume, and the company’s operations were “fully” restored by June 13, a month after the attack was discovered.
ScanSource’s revenue declined 1.6 percent to $947.1 million during its fiscal fourth quarter, ended June 30, compared to a 4.7-percent gain during its fiscal third quarter. Net sales for Specialty Technology Solutions dropped 3.3 percent, year-over-year, the company said. However, “strength in networking and security partially offset the lost sales from the cyberattack” as well as a slowdown in its mobility and barcoding business, ScanSource said in the Aug. 22 news release.
Barracuda
A wave of attacks against customers of Barracuda’s Email Security Gateway (ESG) were initially disclosed by the company in late May. The attacks, which since then have been linked to China, leveraged a critical vulnerability in the ESG on-premises appliances. Further investigation from the company and Mandiant found that the vulnerability had been exploited as far back as October 2022.
The attacks prompted the unusual recommendation from Barracuda that affected customers should actually replace their Email Security Gateway devices. Barracuda did not disclose how many customers were impacted, but said in June that it believed 5 percent of active ESG appliances were compromised by attackers.
Researchers at Mandiant disclosed further details on the Barracuda ESG attacks in August, saying that government agencies were “disproportionately” targeted with a particular focus on the U.S. Nearly one-third of the impacted organizations in the ESG attacks were government agencies, said researchers at Mandiant, which was hired by Barracuda to investigate the incident.
Mandiant has attributed the attacks to a group it tracks as UNC4841, which is believed to work in support of China’s government.
Barracuda’s Email Security Gateway is a product used by on-premises customers for filtering of all email traffic, both inbound and outbound. The appliance, which is cloud-connected, is often used to protect Microsoft Exchange environments.
3CX
In March, the software supply chain compromise of communications software maker 3CX raised major concerns due to the widespread use of its products. The company’s customer base totals more than 600,000 organizations, with sales exclusively through its network of 25,000 partners.
However, the 3CX compromise was caught in weeks rather than months — as had been the case with the SolarWinds attack — which limited the impact from the breach on 3CX and its end customers.
The 3CX campaign was made possible by an earlier supply chain attack, according to Mandiant. In the earlier compromise, attackers had tampered with a software package distributed by a financial software firm, Trading Technologies, Mandiant researchers disclosed. “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” researchers said in a post.
The 3CX attack was attributed by CrowdStrike, and later by Mandiant, to North Korea.
Cognizant
Global IT solution provider Cognizant has been among the major companies in the tech and IT services industry to be listed on Clop’s darkweb site in connection with the MOVEit attacks. The company, No. 6 on CRN’s Solution Provider 500 for 2023, was listed on the Clop site on June 27, according to the Curated Intelligence GitHub page tracking the MOVEit campaign.
Clop later claimed to post stolen Cognizant data on its darkweb site, and subsequently also made the data available as a torrent download.
Cognizant has not responded to multiple requests for comment from CRN.
Previously, Cognizant was among the victims of the high-profile Maze ransomware campaign in 2020. The company said at the time that it expected to spend up to $70 million remediating the damage from the attack. Among other impacts, the attackers exfiltrated Cognizant employee data including corporate credit cards and personal data such as Social Security numbers, tax IDs, financial account information and driver’s license and passport details, the company disclosed at the time.
Compucom
CompuCom, No. 53 on CRN’s Solution Provider 500, likewise was added to Clop’s darkweb site for MOVEit breaches earlier this year. Clop went on to claim it had posted stolen CompuCom data on its darkweb site, and later made the purported CompuCom data available as a torrent download.
CompuCom has not responded to multiple requests for comment from CRN.
IBM
IBM’s use of MOVEit is believed to have resulted in the unauthorized access of millions of people’s health care information held by state agencies in Colorado and Missouri. In a statement to CRN, an IBM spokesperson said that the vendor “has worked closely with the Colorado Department of Health Care Policy and Financing (HCPF) and the Missouri Department of Social Services to determine and minimize the impact of the breach of MOVEit Transfer, a non-IBM data transfer program provided by Progress Software.”
“Upon receiving notification of the breach from Progress, we moved quickly to isolate potentially impacted systems and have implemented a thorough mitigation plan,” according to the statement. “There has been no impact to IBM systems.”
A notice from the Colorado Department of Health Care Policy & Financing (HCPF) puts the total number of people affected by the breach at 4 million and included people who don’t live in the state. The agency issued written notifications about the breach on Friday.
HCPF posted a statement to its website that says the agency contracts with IBM as a third-party vendor. In May, IBM used MOVEit to move HCPF data files in the normal course of business.
IBM told the agency of the MOVEit incident and the agency investigated. During the investigation, HCPF saw an “unauthorized actor” accessed “certain HCPF files on the MOVEit application used by IBM” on May 28. HCPF discovered the breach on June 13.
The files included information for members of Health First Colorado – the state’s Medicaid program – and Child Health Plan Plus.
Information the unauthorized actor may have accessed includes: Full names; Social Security numbers; Medicaid identification (ID) numbers; Medicare ID number; date of birth; home address and contact information; demographic or income information; clinical and medical information such as diagnosis, condition, lab results, medication or other treatment information); and health insurance information.
IBM informed the Missouri Department of Social Services on June 13 that the agency “should presume at that time that certain files saved in the MOVEit software application were accessed by an unauthorized user,” according to a statement the agency issued Aug. 8. IBM’s Consulting wing used MOVEit as part of its work with the agency.
IBM told the agency that it “applied any recommended MOVEit software fixes and had stopped using the MOVEit Transfer application,” according to the statement.
The files may have contained Medicaid participant protected health information, but the agency continues to analyze the contents of the files. “No DSS systems have been found to have been impacted by this incident,” according to the statement.
Iron Bow Technologies
Iron Bow Technologies, No. 44 on CRN’s Solution Provider 500, was listed on Clop’s darkweb site in connection with the MOVEit attacks on June 29, according to the Curated Intelligence GitHub page tracking the MOVEit campaign. The group later published data purportedly stolen from Iron Bow on the site.
While Iron Bow initially believed none of its data was actually impacted in the MOVEit attacks, the company subsequently provided an updated statement to CRN. “In July 2023, our investigation identified unauthorized access to a limited amount of data,” the statement from Iron Bow CISO Brad Giese said. “We took immediate action by notifying appropriate local, state, and federal agencies, as well as our vendors and customers.”
PricewaterhouseCoopers
PwC—which offers IT and cybersecurity consulting as well as other tech-related services, in addition to being one of the “Big Four” accounting firms—acknowledged June 22 that it has joined the list of victims impacted by the MOVEit attacks. The company confirmed to CRN that it has used Progress’ MOVEit product and that it has been affected by the attacks, but characterized the impacts on the company and its clients as “limited.”
“Our investigation has shown that PwC’s own IT network has not been compromised and that MOVEit’s vulnerability had a limited impact on PwC,” the company said in a statement provided to CRN. PwC said it has notified the “small number of clients whose files were impacted” in the incident. The company said it had utilized MOVEit “with a limited number of client engagements.”
PwC added in its statement that it had halted use of MOVEit “as soon as we learned of this incident.” The disclosure came after Clop posted on its darkweb site that it had obtained PwC data. Subsequently, PwC became the first victim to see its purportedly stolen data posted by Clop on the clearweb — i.e. the open internet — on a dedicated domain set up for the purpose. Clop later began offering torrents of stolen data when the clearweb sites turned out to be easily taken down.
Ernst & Young
Another one of the “Big Four” accounting firms that also has a major IT consulting arm, Ernst & Young, has been among the victims of the MOVEit attacks, as well. Ernst & Young told the BBC on June 12 that it was a victim of the attacks. In a statement provided to media outlets including CRN, Ernst & Young said it is “thoroughly investigating systems where data may have been accessed.”
“We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” Ernst & Young said in the statement. “Our priority is to communicate to those impacted, as well as the relevant authorities and our investigation is ongoing.”
In response to an email from CRN, inquiring about any updates on impacts from the incident, Ernst & Young said it “will not be commenting further” beyond the previously released statement.
Deloitte
In July, Deloitte became the third of the “Big Four” accounting firms to join the list of victims purportedly impacted in Clop’s MOVEit campaign. The company, which is also a major player in IT consulting, said in a statement that there was limited impact from the attack.
“Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance,” Deloitte said in a statement provided to media outlets at the time.
Deloitte’s analysis “determined that our global network use of the vulnerable MOVEit Transfer software is limited,” the company said in the statement from July. “Having conducted our analysis, we have seen no evidence of impact on client data.”