Montreal defence supplier hit by ransomware


A Montreal-area defence supplier is one of the latest Canadian firms to be hit by ransomware, the second military-related North American company the AlphV/BlackCat gang has struck in recent days.

On October 1st, the AlphV/BlackCat gang listed Simex Defence Inc. of Pointe-Claire, Que., as one of its victims on its data breach leak site.

In a telephone interview Monday, Fares Hamade, Simex’s director of marketing and business development, wouldn’t say if documents were copied in the attack. However, he did say that any ransomware malware is now gone. “We mitigated it. There is no risk. We haven’t paid a ransom.”

Asked how the incident affected the company’s operations, he said, “We mitigated it. There is no ransomware anymore in our system now. And we are putting stricter policies in place, obviously, to prevent this happening again. And we reported it as well to the police.”

News of the attack comes after Cybernews reported that Virginia-based NJVC, a provider of IT and software services to civilian U.S. government agencies and the Department of Defense, was listed on the AlphV/BlackCat victim list.

Simex, which calls itself “Canada’s #1 trusted defence and military contractor” on its website, was formed 28 years ago. Its website says it is a supplier to the Canadian Forces, the RCMP, NATO, and the Canadian Coast Guard, as well as the manufacturing and energy sectors.

Simex distributes secure digital communications equipment, parts for Canadian air force planes, light ammunition, and portable water purification systems and more.

In 2018 the company said it hit record sales of $36 million.

The gang behind the breach

The AlphV/BlackCat gang offers a ransomware-as-a-service operation in which affiliates often do the hacking of victim organizations and then deploy the ransomware. In an April background paper on the group, the FBI estimated it had compromised at least 60 organizations worldwide.

A common tactic, according to the FBI, is leveraging previously compromised user credentials to gain initial access to the victim system. After that, attackers try to compromise Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.

In a July backgrounder on the gang, researchers at Sophos emphasized that falling to the gang isn’t just bad luck. Post-incident investigations show the gang or affiliates often exploit vulnerabilities in unpatched or outdated firewall/VPN devices.

In four of the five incidents Sophos investigated, the vulnerabilities allowed the attackers to get VPN credentials from memory on firewall devices, which they could then use to log in to the VPN as if they were an authorized user. None of the targets used multifactor authentication for these VPNs, Sophos said. The one outlier appears to have been a spearphishing attack that revealed an internal user’s VPN login credentials to the attackers.

Once inside the network, Sophos said, the attackers predominantly used Windows’ RDP (remote desktop protocol) to move laterally between computers, conducting brute-force attacks over the VPN connection against the administrator account on machines inside the network.

Another problem: The networks at each of the five organizations Sophos studied were flat, with every machine able to see every other machine in the network – something that made it extremely easy for the attackers to scan for and identify targets of greatest value. Segregating portions of the network from one another using VLANs would have helped.
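The RDP password-guessing that Sophos describes leaves a recognizable trail in Windows Security logs: bursts of failed logons (event 4625) with logon type 10 (RemoteInteractive) against one account from one source, sometimes followed by a success (event 4624). The script below is an added detection example, not code from the article or from Sophos; the event records, thresholds and field layout are constructed for illustration.

```python
"""Flag RDP password-guessing against an account from Windows Security events:
4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive
(RDP). The records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, target account, logon type, source IP)
SAMPLE_EVENTS = [
    ("2022-10-01T02:00:01", 4625, "Administrator", 10, "10.8.0.23"),
    ("2022-10-01T02:00:02", 4625, "Administrator", 10, "10.8.0.23"),
    ("2022-10-01T02:00:04", 4625, "Administrator", 10, "10.8.0.23"),
    ("2022-10-01T02:00:05", 4625, "Administrator", 10, "10.8.0.23"),
    ("2022-10-01T02:00:07", 4625, "Administrator", 10, "10.8.0.23"),
    ("2022-10-01T02:00:09", 4624, "Administrator", 10, "10.8.0.23"),  # guessing succeeded
    ("2022-10-01T02:30:00", 4625, "jsmith", 10, "10.8.0.40"),         # single typo, benign
    ("2022-10-01T02:30:10", 4624, "jsmith", 10, "10.8.0.40"),
    ("2022-10-01T03:00:00", 4625, "Administrator", 2, "127.0.0.1"),   # console logon, ignored
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (source IP, account) that produced at least
    `threshold` failed RDP logons inside a sliding `window`; the alert also
    records whether a successful RDP logon from that source followed."""
    recent = defaultdict(list)   # (src, account) -> timestamps of recent failures
    alerts = {}
    for ts, event_id, account, logon_type, src in sorted(events):  # ISO timestamps sort chronologically
        if logon_type != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        when = datetime.fromisoformat(ts)
        key = (src, account)
        if event_id == 4625:
            fails = recent[key]
            fails.append(when)
            while when - fails[0] > window:   # keep only failures inside the window
                fails.pop(0)
            if len(fails) >= threshold and key not in alerts:
                alerts[key] = {"src": src, "account": account,
                               "failures": len(fails), "success_after": False}
        elif event_id == 4624 and key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{a['src']} -> {a['account']}: {a['failures']} RDP failures"
              f"{', then a successful logon' if a['success_after'] else ''}")
```

In a real deployment the same logic would run over 4625/4624 events exported from the domain controllers and RDP hosts, and an alert whose `success_after` is set is the one to treat as a likely compromise rather than noise.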

The post Montreal defence supplier hit by ransomware first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
