[BreachExchange] Logistics giant Toll Group hit by ransomware for the second time in three months

Destry Winant destry at riskbasedsecurity.com
Wed May 6 10:24:34 EDT 2020


https://www.zdnet.com/article/transport-logistics-firm-toll-group-hit-by-ransomware-for-the-second-time-in-three-months/

For the second time in three months, Toll Group has become the victim
of a ransomware attack that has led to the suspension of IT systems.

Melbourne, Australia-based Toll Group is a global logistics company
that offers freight, warehouse, and distribution services. Toll has
roughly 40,000 employees and operates a distribution network across
over 50 countries.

On February 3, Toll said that IT systems had been disabled due to a
malware infection, which later emerged to be the MailTo ransomware.

MailTo, also known as Netwalker, is typical ransomware and does not
even attempt to be stealthy, encrypting files at the moment of
infection, according to Carbon Black researchers.

Ransomware remains a thorn in the side of businesses worldwide. Over
the past 12 months in the United States, over 1000 companies have
mentioned ransomware as a forward-looking risk factor in their SEC
filings.

After resolving the first ransomware infection and returning to normal
operations, now, in May, the Australian logistics firm has been struck
again -- this time with a Nefilim variant.

Discovered in March by Vitali Kremez, Nefilim is a new form of
ransomware that has evolved from Nemty and is likely distributed
through exposed Remote Desktop Protocol (RDP) setups.

Trend Micro says that the malware uses AES-128 encryption to lock
files, and that ransom negotiations are handled via email rather than
over the Tor network, a firm favorite among cybercriminals.

On May 5, Toll posted an advisory that said certain IT systems had
been shut down after "unusual activity" was spotted on the company's
servers.

While believed to be unrelated to the previous MailTo security
incident, the latest ransomware infection has resulted in a rebuild of
core systems, the need to scrub infected servers clean, and the use of
backups to restore files -- rather than give in to demands for
payment.

"Toll has no intention of engaging with any ransom demands, and there
is no evidence at this stage to suggest that any data has been
extracted from our network," Toll says.

A day later, Toll said in an update that some customers have been
impacted, and as the MyToll portal is still offline, it is not
possible to track or trace parcels. However, freight and deliveries
are "largely unaffected."

The company has been forced to fall back to contingency plans and
manual processes, a disruption expected to last for at least the
remainder of this week.

Toll is working with the Australian Cyber Security Centre (ACSC) to
investigate the incident.

In other security news this week, Wordfence warned of a hacking group
that has attempted to hijack close to one million WordPress websites
over the past week. The threat actors have been harnessing cross-site
scripting (XSS) vulnerabilities in a bid to deploy JavaScript on
compromised websites to redirect visitors to malicious domains.
