
Incident Score: Analysis & Impact (JBSKASCOL1773505774)

The details on individual company incidents and reports give a full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact: -201
Company Score Before Incident: 761 / 1000
Company Score After Incident: 560 / 1000
Incident Number: JBSKASCOL1773505774
Type of Cyber Incident: Ransomware
Attack Vector: Phishing emails, Remote Desktop Protocol (RDP) compromises, desktop-sharing apps
Data Exposed: High-value data, customer data, operational...
Incident Date: 31/12/2020
Status: published

Key Highlights From The Incident Analysis

  • Timeline of JBS USA's ransomware attack and the lateral movement inside the company's environment.
  • Overview of the affected data sets (high-value, customer and operational data) and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident affects JBS USA's Rankiteo cyber score and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the JBS USA breach identified under incident ID JBSKASCOL1773505774.

The analysis begins with an overview of JBS USA: its LinkedIn page (https://www.linkedin.com/company/jbsusa, 67,443 followers), its industry (Food and Beverage Manufacturing) and its size (5,670 employees).

The analysis then explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company's score was 761 before the incident and 560 after it, a drop of 201 points, which is a useful indicator of the incident's severity and impact.

Next, we analyze the incident and its impact on JBS USA and its customers in more detail.

The underlying report, "Ransomware Surge: Sophistication, Costs, and Evolving Threats Reshape Cybersecurity Landscape", is a broader analysis that covers this incident alongside the Colonial Pipeline and CNA Financial ransomware attacks.

Ransomware attacks have reached unprecedented levels of sophistication, with demands now exceeding tens of millions of dollars.

The disruption is felt across the environment, affecting industrial control systems (ICS), operational technology (OT) and remote-management tools, and exposing high-value data, customer data and operational data, with estimated financial losses of $4.4 million (Colonial Pipeline), $11 million (JBS) and $40 million (CNA Financial).

In response, the affected organizations moved swiftly to contain the threat with measures such as hard shutdowns and forensic analysis, and began remediation including decryption alternatives and backup recovery, while recovery efforts such as data restoration and system cleanup continue.

The case underscores that resilience against ransomware is rooted in prevention, preparation, response and recovery. Key lessons include basic cybersecurity hygiene, securing RDP and Active Directory, enforcing MFA, patch management, employee training, and robust business continuity plans. Organizations must also prioritize asset protection, engage boards in cybersecurity discussions, and coordinate with law enforcement and insurers during incidents. Recommended next steps: secure RDP with strong passwords, MFA and restricted access; enforce MFA for critical assets; and patch legacy systems and known vulnerabilities.

Finally, we map the incident to the MITRE ATT&CK framework to identify the tactics and techniques that correlate with it.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis identified the following MITRE ATT&CK tactics and techniques for this incident, each with a confidence level based on the available evidence.

Initial Access: Exploit Public-Facing Application (T1190), 70%, on evidence of unsecured RDP, unpatched legacy systems and Active Directory vulnerabilities; Phishing (T1566), 90%, supported by the report's statement that 75% of ransomware breaches originate from phishing emails; Valid Accounts (T1078), 80%, on evidence of RDP compromises and lack of MFA for critical assets; Exploitation of Remote Services (T1210), 80%, on evidence of Remote Desktop Protocol (RDP) compromises and desktop-sharing apps.

Execution: User Execution: Malicious File (T1204.002), 70%, supported by the statement that 60% of malware is installed via desktop-sharing apps; Command and Scripting Interpreter (T1059), 60%, supported by the recommendation to disable command-line capabilities to reduce the attack surface.

Persistence: Valid Accounts (T1078), 80%, on evidence of prolonged dwell time in which attackers lurk undetected; External Remote Services (T1133), 70%, on evidence of unsecured RDP without restricted access.

Privilege Escalation: Exploitation for Privilege Escalation (T1068), 70%, on evidence of unpatched legacy systems and Active Directory vulnerabilities; Valid Accounts (T1078), 80%, on evidence of lack of MFA for critical assets.

Defense Evasion: Masquerading (T1036), 60%, on evidence that attackers lurked undetected to identify high-value data; Impair Defenses: Disable or Modify Tools (T1562.001), 70%, on evidence that hard shutdowns complicate restoration.

Credential Access: Brute Force (T1110), 70%, on evidence of unsecured RDP with weak passwords; OS Credential Dumping (T1003), 60%, on evidence of Active Directory vulnerabilities.

Discovery: Account Discovery (T1087), 80%, on evidence of prolonged dwell time used to identify high-value data; File and Directory Discovery (T1083), 70%, on evidence that attackers lurked undetected to identify high-value data.

Collection: Data from Local System (T1005), 90%, on evidence that high-value, customer and operational data were compromised.

Command and Control: Application Layer Protocol (T1071), 70%, on evidence of ransomware-as-a-service (RaaS) operations; Proxy (T1090), 60%, on the inference that prolonged dwell time implies C2 communication.

Exfiltration: Exfiltration Over C2 Channel (T1041), 90%, on evidence that data exfiltration is confirmed in ransomware attacks; Transfer Data to Cloud Account (T1537), 60%, on evidence that high-value data was targeted for exfiltration.

Impact: Data Encrypted for Impact (T1486), 100%, on evidence that data encryption is confirmed in ransomware attacks; Service Stop (T1489), 80%, on evidence of hard shutdowns and an average of 21 days of downtime; Inhibit System Recovery (T1490), 70%, on evidence that hard shutdowns complicate restoration.

These correlations help security teams understand the attack chain and plan defensive measures against the observed tactics and techniques. Note that several of the cited evidence items are sector-wide ransomware statistics (the phishing and desktop-sharing percentages) or describe the defenders' own containment step (the hard shutdowns listed above under Impair Defenses, Service Stop and Inhibit System Recovery) rather than artifacts recovered from JBS USA's environment, so the confidence levels should be read as pattern matches against typical ransomware tradecraft rather than forensic confirmation.

Summary by tactic:

Initial Access: Exploit Public-Facing Application (70%), Phishing (90%), Valid Accounts (80%), Exploitation of Remote Services (80%)
Execution: User Execution: Malicious File (70%), Command and Scripting Interpreter (60%)
Persistence: Valid Accounts (80%), External Remote Services (70%)
Privilege Escalation: Exploitation for Privilege Escalation (70%), Valid Accounts (80%)
Defense Evasion: Masquerading (60%), Impair Defenses: Disable or Modify Tools (70%)
Credential Access: Brute Force (70%), OS Credential Dumping (60%)
Discovery: Account Discovery (80%), File and Directory Discovery (70%)
Collection: Data from Local System (90%)
Command and Control: Application Layer Protocol (70%), Proxy (60%)
Exfiltration: Exfiltration Over C2 Channel (90%), Transfer Data to Cloud Account (60%)
Impact: Data Encrypted for Impact (100%), Service Stop (80%), Inhibit System Recovery (70%)
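The mapping above chains Brute Force (T1110) against externally reachable RDP (T1133) into a logon with the guessed credentials (Valid Accounts, T1078). The detection below operationalizes that chain over Windows Security logon events. It is an added example written for this page, not Rankiteo's incident engine or any JBS USA artifact: the log lines are constructed for the demo in a simplified key=value rendering of events 4625 (failed logon) and 4624 (successful logon), real EVTX/XML records carry the same fields (EventID, LogonType, TargetUserName, IpAddress) under different names, and the threshold and window are assumed tuning values.

```python
"""Detect RDP brute force (T1110) followed by a successful RDP logon (T1078).

Added example, not Rankiteo's code. Sample events are constructed; the
key=value format is a simplification of Windows Security event records.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive, i.e. Terminal Services / RDP

# Constructed sample: one external source guesses five times in under a
# minute and then logs in as jsmith; the remaining lines are benign noise.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
time=2020-12-30T22:00:05 event_id=4625 logon_type=10 user=administrator ip=203.0.113.45
time=2020-12-30T22:00:09 event_id=4625 logon_type=10 user=admin ip=203.0.113.45
time=2020-12-30T22:00:14 event_id=4625 logon_type=10 user=jsmith ip=203.0.113.45
time=2020-12-30T22:00:20 event_id=4625 logon_type=10 user=svc_backup ip=203.0.113.45
time=2020-12-30T22:00:27 event_id=4625 logon_type=10 user=jsmith ip=203.0.113.45
time=2020-12-30T22:01:02 event_id=4624 logon_type=10 user=jsmith ip=203.0.113.45
time=2020-12-30T22:05:00 event_id=4625 logon_type=3 user=jdoe ip=198.51.100.7
time=2020-12-30T22:06:00 event_id=4624 logon_type=10 user=jdoe ip=10.0.0.12
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one key=value log line into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        time=datetime.fromisoformat(fields["time"]),
        event_id=int(fields["event_id"]),
        logon_type=int(fields["logon_type"]),
        user=fields["user"],
        source_ip=fields["ip"],
    )


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for RDP brute force and for a success that follows one.

    threshold and window are assumed tuning values: `threshold` failed RDP
    logons from one source IP inside `window` raise 'rdp_brute_force'; a
    successful RDP logon from that IP while the window still holds at least
    `threshold` failures raises 'rdp_brute_force_success'.
    """
    failures = defaultdict(deque)  # source_ip -> deque[(time, user)] inside window
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons matter here
        recent = failures[ev.source_ip]
        while recent and ev.time - recent[0][0] > window:
            recent.popleft()  # expire failures older than the window
        if ev.event_id == FAILED_LOGON:
            recent.append((ev.time, ev.user))
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append({
                    "type": "rdp_brute_force",
                    "source_ip": ev.source_ip,
                    "failures": len(recent),
                    "users": sorted({user for _, user in recent}),
                    "time": ev.time.isoformat(),
                })
        elif ev.event_id == SUCCESS_LOGON and len(recent) >= threshold:
            alerts.append({
                "type": "rdp_brute_force_success",
                "source_ip": ev.source_ip,
                "user": ev.user,
                "failures_before_success": len(recent),
                "time": ev.time.isoformat(),
            })
            recent.clear()  # start a fresh window after the successful logon
    return alerts


def analyze(log_text: str, **kwargs):
    """Parse a block of log lines and run the detector over them."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return detect_rdp_brute_force(events, **kwargs)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, the fifth failure from 203.0.113.45 raises the brute-force alert with the four user names that were tried, and the 4624 that follows from the same address raises the success alert, which is the event a responder should treat as a confirmed Valid Accounts foothold rather than a noisy failed-logon burst. The logon type 3 failure and the internal success with no preceding failures produce nothing, and spreading the same five failures more than ten minutes apart also produces nothing, so the window needs to be tuned against the slow spraying that the report's prolonged dwell times suggest.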