High-end audio-tech specialist Bose has disclosed a ransomware attack, which it said rippled “across Bose’s environment” and resulted in the possible exfiltration of employee data.
The incident began on March 7, according to a disclosure letter sent to the Attorney General’s Office in New Hampshire, which kicked off a successful incident-response process, the company said. While the letter didn’t mention how much the ransom was, a company spokeswoman confirmed to media that Bose declined to pay up and instead was able to rely on its own resources to regain control of its environment.
“Bose initiated incident-response protocols, activated its technical team to contain the incident, and hardened its defenses against unauthorized activity,” according to the letter, sent more than two months after the incident. “In conjunction with expert third-party forensics providers, Bose further initiated a comprehensive process to investigate the incident. Given the sophistication of the attack, Bose carefully, and methodically, worked with its cyber-experts to bring its systems back online in a safe manner.”
As is the case with many modern ransomware attacks, the cyberattackers may have purloined company data to ratchet up the pressure on the headphone- and speaker-maker. They were able to access HR files for six former employees, which included names, Social-Security numbers and compensation-related information, the team determined – but it’s unclear whether the data was successfully stolen.
“The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files,” the letter explained, adding that it couldn’t confirm the state of exfiltration one way or another.
“Bose has engaged experts to monitor the Dark Web for any indications of leaked data,” the company said. “Bose has not received any indication through May 19, 2021 from its monitoring activities or from impacted employees that the data discussed herein has been unlawfully disseminated, sold, or otherwise disclosed.”
The company added that it notified the affected individuals of the data-compromise issue, which was discovered April 29.
“There are both some positives and negatives to how they handled the communication to affected individuals,” Kevin Dunne, president at Pathlock, told Threatpost. “On the positive, they acknowledged the attack, contacted the affected individuals directly, and offered up a small concession (12 months of identity protection). What lacked in the Bose response was faster response time, as more than 60 days passed between when the breach was detected and when the affected individuals were notified. Additionally, they could have taken more responsibility for the attack and laid out a clear plan for how they would prevent these future attacks from happening.”
Jack Mannino, CEO at nVisium, added that Bose should be applauded for transparency.
“The hard requirement for reporting depends on many things including industry, location, compliance scope, and the breach’s impact,” he said. “Companies that are forthcoming about breaches, and demonstrate a genuine desire to harden their defenses proactively, avoid some of the scrutiny that inevitably comes when an organization attempts to construct their own narratives based on limited public information.”
Remediating the Ransomware Attack
During and after the attack, Bose said that it implemented the following measures:
- Enhanced malware/ransomware protection on endpoints and servers to further enhance our protection against future malware/ransomware attacks;
- Performed detailed forensics analysis on the impacted server to analyze the impact of the malware/ransomware;
- Blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt;
- Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks;
- Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration;
- Changed passwords for all end users and privileged users;
- And changed access keys for all service accounts.
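The "enhanced monitoring and logging" and "blocked malicious IPs on external firewalls" items above are the kind of controls that are easiest to reason about with a concrete check in hand. The following is an added illustration, not Bose's tooling or anything from its disclosure letter: it reviews a constructed key=value egress log (documentation-range addresses, made-up timestamps) against a constructed blocklist of actor-attributed destinations and a constructed outbound-volume threshold, and reports the flows a responder would want to look at first.

```python
"""Egress-log review for indicators of data exfiltration.

Added illustration (not Bose's tooling): parses a constructed key=value egress
log, flags connections to a blocklist of known-bad destinations, and flags
large outbound transfers that warrant review.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: a key=value egress log as a perimeter firewall might emit.
# Addresses are documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_LOG = """\
ts=2021-03-07T02:11:04Z src=10.20.1.15 dst=198.51.100.23 dport=443 proto=tcp bytes_out=4096 bytes_in=12000
ts=2021-03-07T02:14:51Z src=10.20.1.15 dst=203.0.113.77 dport=443 proto=tcp bytes_out=734003200 bytes_in=8192
ts=2021-03-07T02:15:03Z src=10.20.1.40 dst=198.51.100.23 dport=443 proto=tcp bytes_out=2048 bytes_in=9000
ts=2021-03-07T02:16:30Z src=10.20.1.40 dst=192.0.2.9 dport=22 proto=tcp bytes_out=1048576000 bytes_in=4096
ts=2021-03-07T02:20:00Z src=10.20.1.15 dst=203.0.113.77 dport=8443 proto=tcp bytes_out=1024 bytes_in=2048
"""

# Constructed blocklist: destinations an investigation attributed to the actor.
BLOCKLIST = {"203.0.113.77"}

# Constructed review threshold: more than 500 MiB outbound in a single flow.
LARGE_OUTBOUND_BYTES = 500 * 1024 * 1024


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str
    bytes_out: int


def parse_line(line: str) -> dict[str, str]:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are skipped, not fatal."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def review_egress(log_text: str, blocklist: set[str], large_bytes: int) -> list[Alert]:
    """Return one Alert per suspicious flow.

    A flow is suspicious if its destination is on the blocklist or if it pushed
    more than `large_bytes` outbound. A flow matching both rules yields two
    alerts so each rule's hit count can be reported separately.
    """
    alerts = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        try:
            dst = str(ipaddress.ip_address(f["dst"]))  # normalizes and validates
            bytes_out = int(f["bytes_out"])
        except (KeyError, ValueError):
            continue  # unparsable line: skip it rather than abort the review
        if dst in blocklist:
            alerts.append(Alert(f["ts"], f["src"], dst, "blocklisted destination", bytes_out))
        if bytes_out > large_bytes:
            alerts.append(Alert(f["ts"], f["src"], dst, "large outbound transfer", bytes_out))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per rule, so the two signals can be tuned independently."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.reason] = counts.get(a.reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_egress(SAMPLE_LOG, BLOCKLIST, LARGE_OUTBOUND_BYTES)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst} [{a.reason}] bytes_out={a.bytes_out}")
    print(summarize(found))
```

Two design points worth noting: the volume rule is independent of the blocklist, because a blocklist only covers infrastructure already attributed to the actor, while a large outbound transfer to an address nobody has seen before is exactly the case the blocklist misses; and malformed lines are skipped rather than raising, since a review that dies on the first odd line in a multi-gigabyte log is worse than one that quietly reports fewer hits.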
Ransomware World: Maturing and Changing
It’s unclear which ransomware gang hit Bose, but the process of exfiltrating information under cover of the ransomware attack itself is increasingly common. This so-called “double-extortion” approach has given way to a new wrinkle called “triple extortion,” where crooks lock up files, steal data and also steal the data of partners and suppliers of the victim company.
The economy of ransomware continues to mature too – so much so that many Dark Web forums where ransomware operators sell their wares have implemented a kind of “People’s Court” to dispute claims and wrongdoings. Affiliates can file a claim and have their time in front of a jury.
“Ransomware attacks are on the rise and evolving into a very dangerous digital weapon,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, told Threatpost. “Not only are they on the rise, they are becoming more successful, more damaging and the ransom demands are increasing into tens of millions of dollars. Ransomware and data theft continue to be the biggest threats to organizations around the world and no one is immune.”