[BreachExchange] Molson Coors Cracks Open a Cyberattack Investigation

[Destry Winant]

https://threatpost.com/molson-coors-cyberattack-investigation/164722/

The multinational brewing company did not say what type of incident
caused a ‘systems outage,’ but it’s investigating and working to get
networks back online.

Another high-profile company has been hit with a cyber attack that’s
causing a major disruption to its business. Brewing company Molson
Coors acknowledged on Thursday that it has “experienced a systems
outage that was caused by a cybersecurity incident,” according to a
Form 8-K filed with the SEC.

The company did not say which type of attack has caused widespread
issues across its entire business — including its brewery operations,
production and shipments — but given recent major attacks on other
mainstream companies, security experts are speculating that it could
have been a ransomware attack.

Molson Coors has employed forensic IT firms and legal counsel to
investigate and “is working around the clock to get its systems back
up as quickly as possible,” according to the filing.

The company operates seven breweries and packaging plants in the
United States, as well as three in Canada and 10 in Europe. It
produces several brands of beer in addition to its namesake, including
Blue Moon, Miller Lite and Pilsner Urquell.

Potential Ransomware Attack

“High-profile attacks are becoming all too common, as attackers have
realized they are immensely more profitable when they target large
organizations and disrupt their critical business operations — in this
case, the brewing operations of the world’s biggest, well-known beer
brands,” observed Edgard Capdevielle, CEO at Nozomi Networks, in an
email to Threatpost.

Although the company hasn’t released specific details of the incident,
given the seriousness of the disruption and recent cyberattack
activity, “it could be ransomware,” he said.

Tony Lambert, intelligence analyst at Red Canary, noted that the
impact of ransomware of operations like Molson Coors can be much more
damaging than it would be for other kinds of enterprises.

“For manufacturing organizations, ransomware poses a major threat to
data and system availability,” he said via email. “Not only do
corporate systems lose access to data, systems managing the
manufacturing process may come to a halt as well, preventing the
successful production and even delivery of products. This obviously
presents a huge problem for companies that sell the products: Every
hour their lines are down can mean major profit losses.”

This type of situation should be factored into an organization’s
incident response and business-continuity plans, Capdevielle added:
“Beyond a technical response, decision-makers need to be prepared to
weigh the risks and consequences of alternate actions.”

Those actions could be both on the part of Molson itself — i.e.,
paying the ransom, which security experts tend to discourage — or
further nefarious activity by attackers, such as dumping information
obtained from the attack online or maintaining a persistent presence
on a system.

Ransomware Attacks Ramp Up in 2021

Indeed, a number of ransomware groups have been active recently, with
several large organizations falling victim and suffering disruption
due to attack activity.

Several of these ransomware attacks have happened just within the last
month. For instance, the Spanish State Employment Service (SEPE) was
recently hit by a Ryuk ransomware attack, suspending its
communications systems across hundreds of offices and delaying
thousands of appointments. And, Kia Motors was disrupted by a
ransomware attack in February for which known attackers DoppelPaymer
took credit.

Meanwhile, WestRock – the second-largest packaging company in the U.S,
that counts General Motors, Heinz and Home Depot as customers – also
had its business disrupted by a ransomware attack in February. And
Finnish IT giant TietoEVRY also was a victim of a ransomware attack
last month.

Known ransomware groups that have been linked to recent attacks
include the aforementioned DoppelPaymer and Ryuk; the Clop ransomware
gang, which was tied to recent global zero-day attacks on users of the
Accellion legacy File Transfer Appliance product; and HelloKitty,
which is suspected to be behind the attack of CD Projekt Red — the
videogame-development company behind Cyberpunk 2077 — which also
happened in February.

Another potential culprit for the Molson Coors attack could be related
to an onslaught of attacks by Chinese and other advanced persistent
threat (APT) groups on recently patched Microsoft Exchange
vulnerabilities. The flaws are under fire from at least 10 different
APTs, all focused on compromising email servers around the world, with
researchers observing a snowball of exploitation activity.

To avoid cyberattacks from taking down entire operations and causing
significant business disruptions, Capdevielle made a number of
cybersecurity best-practice suggestions, including strong
segmentation, user training, proactive cyber-hygiene programs,
multifactor authentication and the use of continuously updated threat
intelligence, he said.