Under Armour Breach Incident Score: Analysis & Impact (UND3492734111825)

In this Rankiteo incident briefing, we review the Under Armour breach identified under incident ID UND3492734111825.

The analysis begins with a detailed overview of Under Armour's information like the linkedin page: https://www.linkedin.com/company/under-armour, the number of followers: 934816, the industry type: Retail Apparel and Fashion and the number of employees: 12231 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 657 and after the incident was 525 with a difference of -132 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Under Armour and their customers.

Under Armour recently reported "Everest Ransomware Attack on Under Armour", a noteworthy cybersecurity incident.

The Everest Ransomware group claimed responsibility for a massive data breach involving Under Armour, stealing 340 GB of sensitive data.

The disruption is felt across the environment, and exposing True.

Formal response steps have not been shared publicly yet.

The case underscores how Ongoing (no public confirmation or details from Under Armour as of report), teams are taking away lessons such as Ransomware groups are evolving with double extortion tactics (encryption + data theft), Use of privacy-focused cryptocurrencies (e.g., Monero) complicates ransom tracing and Companies must reassess data storage practices, especially for highly sensitive PII (e.g., passport details), and recommending next steps like Implement robust encryption for stored sensitive data (e.g., PII, internal documents), Adopt multi-layered ransomware defenses, including behavioral analysis and anomaly detection and Develop and test incident response plans specifically for double extortion scenarios.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Attachment (T1566.001) with moderate confidence (60%), supported by evidence indicating enhance employee training on phishing and social engineering, common initial access vectors for ransomware., Valid Accounts (T1078) with moderate confidence (50%), supported by evidence indicating unclear initial access vector (e.g., phishing, unpatched vulnerability, or **insider threat**)., and Exploit Public-Facing Application (T1190) with moderate confidence (50%), with evidence including potential inadequate data encryption or access controls for sensitive PII., and possible lack of segmentation between customer data and internal business systems.. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), with evidence including everest Ransomware (evolved from BlackByte family), and aES+DES encryption. Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with lower confidence (40%), supported by evidence indicating potential inadequate data encryption or access controls for sensitive PII.. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Default Accounts (T1078.001) with moderate confidence (50%), supported by evidence indicating possible lack of segmentation between customer data and internal business systems. and Exploitation for Privilege Escalation (T1068) with moderate confidence (50%), supported by evidence indicating potential inadequate data encryption or access controls for sensitive PII.. Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), supported by evidence indicating data exfiltration followed by AES+DES encryption, Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (60%), supported by evidence indicating potential inadequate data encryption or access controls for sensitive PII., and Obfuscated Files or Information (T1027) with moderate to high confidence (80%), with evidence including russian-language code suggesting geopolitical targeting avoidance., and shift from Bitcoin to Monero (XMR) underscores its focus on evading law enforcement tracking. Under the Credential Access tactic, the analysis identified OS Credential Dumping: LSASS Memory (T1003.001) with moderate confidence (50%), supported by evidence indicating highly sensitive PII (e.g., passport details) suggests lateral movement and Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate confidence (50%), supported by evidence indicating customer databases targeted, implying credential harvesting. Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with moderate to high confidence (80%), supported by evidence indicating 340 GB of sensitive data exfiltrated, including product SKUs, marketing/sales strategies and Remote System Discovery (T1018) with moderate confidence (60%), supported by evidence indicating internal company data (product SKUs, marketing/sales strategies) accessed. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate confidence (50%), supported by evidence indicating possible lack of segmentation between customer data and internal business systems. and Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate confidence (50%), supported by evidence indicating internal company data accessed alongside customer PII. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating exfiltrating **340 GB of sensitive data**, including **customer PII** and **internal company data** and Data from Network Shared Drive (T1039) with moderate to high confidence (70%), supported by evidence indicating internal company data (product SKUs, marketing/sales strategies) exfiltrated. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating threatening to sell the stolen data on the dark web and Encrypted Channel: Symmetric Cryptography (T1573.001) with high confidence (90%), with evidence including aES+DES encryption, and russian-language code suggesting geopolitical targeting avoidance. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (80%), with evidence including exfiltrating **340 GB of sensitive data**, and threatening to sell the stolen data on the dark web and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating everest Ransomware group executed a high-profile attack with double extortion. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (100%), with evidence including encrypting systems while threatening to sell the stolen data, and aES+DES encryption, Data Destruction (T1485) with moderate confidence (60%), supported by evidence indicating double extortion (encryption + data theft) implies potential destruction if ransom unmet, and Double Extortion (T1659) with high confidence (100%), supported by evidence indicating employed **double extortion**, encrypting systems while threatening to sell the stolen data. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.