The ransomware attack on software vendor Blue Yonder is solidly in the rearview mirror. However, the leaked data, which is now in the hands of Termite cybercriminals, can cause further pain.
Blue Yonder provides logistics supply chain software for various large companies, including Starbucks, BIC, and Morrisons. Many of these organizations were forced to temporarily switch to another solution.
Through a series of updates, Blue Yonder informed the outside world about the hack. On Nov. 21, its managed services environment was hit by a cyber attack. On Dec. 1, the company stated it was making good progress together with external security firms. This weekend, Blue Yonder issued a notice about a possible data exfiltration, about which customers had reportedly already been informed. The investigation is still ongoing.
Claim by Termite
The attack has since been claimed by the Termite ransomware group. The group claims to have obtained 680 GB of data, including databases, mailing lists, and 200,000 digital copies of documents. According to the group, the 16,000 database entries could be useful for a subsequent attack.
It is unclear whose information is involved, but customer data is likely included. The intrusion hit the managed services environment, where Blue Yonder data closely tied to specific customers may well reside.
Phishing gold mine
If Termite’s claims are accurate, the likelihood of follow-on attack attempts is therefore high. In the case of the Blue Yonder hack itself, it is unclear whether a ransom was paid. Since cybercriminals can keep the stolen information even after receiving a ransom, such a payment would have offered Blue Yonder no guarantees. Termite is known as a “double extortion” threat: data is both encrypted and copied to the attackers’ own infrastructure. Leaking or reselling the data then serves both as a means of pressure and as a lucrative option to monetize later.
With stolen customer email addresses and possibly additional internal information, the attackers can write more convincing phishing emails. For example, parties like Hema and Jumbo might recognize details from their Blue Yonder environments as authentic in an otherwise fraudulent message, making employees more willing to click on a suspicious link. The advice around the Termite threat is nevertheless the same as for other phishing dangers: check the sender’s validity, don’t click on links, and don’t open attachments unless you are sure they are trustworthy.
The Blue Yonder hack once again shows that a single cyber attack has long-term consequences well beyond the initial incident. Not only does the victim become an even more attractive target after an initial compromise, but its customers face an increased cyber threat once their data is out in the open.