Organizations globally have encountered a series of high-profile ransomware attacks this year. From U.S. fuel supplier Colonial Pipeline and laptop maker Acer to the Irish health services, ransomware attacks continue to loom over cyberspace.
The latest victim of a ransomware-fueled data leak is Bose Corporation. In an official breach notification to New Hampshire’s Office of the Attorney General, the premier audio equipment manufacturer admitted that it had sustained a data breach due to a ransomware attack in March. The threat actors behind the attack are still unknown; however, Bose claimed that they accessed some of its employee information, including employee names, social security numbers, and compensation-related data.
“Immediately upon discovering the attack on March 7, Bose initiated incident response protocols, activated its technical team to contain the incident, and hardened its defenses against unauthorized activity. In conjunction with expert third-party forensics providers, Bose further initiated a comprehensive process to investigate the incident. Given the sophistication of the attack, Bose carefully, and methodically, worked with its cyber experts to bring its systems back online in a safe manner. As the systems have been restored, Bose has worked with its forensics experts to determine the data that may have been accessed and/or exfiltrated,” Bose said in a statement.
Bose found that data related to six of its former New Hampshire employees was accessed and potentially exfiltrated in the incident. “The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files. However, we do not have evidence to confirm that the data contained in these files were successfully exfiltrated, but we are also unable to confirm that it was not,” Bose added.
While there is no indication of misuse of impacted employee data, Bose has reported the incident to the FBI and engaged security experts to monitor for any signs of exploitation of leaked data.
As a precautionary measure, Bose has also implemented certain mitigation strategies. These include:
- Enhanced malware/ransomware protection on endpoints and servers to further enhance our protection against future malware/ransomware attacks.
- Performed detailed forensics analysis on the impacted server to analyze the impact of the malware/ransomware.
- Blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt.
- Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks.
- Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration.
- Changed passwords for all end-users and privileged users.
- Changed access keys for all service accounts.
In addition, Bose said that it would provide free identity protection services to the affected individuals for 12 months.
Talking to CISO MAG, Adam Laub, General Manager, Stealthbits (now part of Netwrix), said, “Assuming the information Bose has shared is true, it would appear the organization was reasonably well-prepared for what many would consider the inevitable. As ransomware preys and thrives on lax foundation-level controls, the fact that only ‘a very small number of individuals’ were impacted, and they did not have to resort to paying the ransom, would indicate that Bose may have addressed many of the weaknesses ransomware tends to easily exploit. Furthermore, the immediate inclusion and involvement of a third-party specialist to diagnose the extent of the damage and restore infected systems would indicate that Bose knew what to do if and when such an event occurred.
“So often organizations wait too long to understand that they lack the knowledge or capability to deal with these situations alone or adequately. While there for sure will be some lessons learned from this event, Bose was either extremely lucky or had done a more exemplary job of mitigating, detecting, and responding to what so many organizations have failed so miserably with. Given the efficiency and pervasiveness of ransomware in the world today, it’s much more likely the latter than the former.”