
Ransomware Attack Shuts Down US Defense Contractor and Major Forklift Maker Crown Equipment Corp., Company Asks Workers to File for Unemployment

Qilin demands $50m ransom to end London hospitals' paralysis, AMD probes ransomware attack claimed by IntelBroker, Black Basta hit circuit board maker Keytronic, Unpatched Microsoft bug enables Microsoft corporate email impersonations, Sixth suspect arrested for Desjardins breach, DOJ fines two firms for bad cybersecurity testing, SEC fines R.R. Donnelley for mismanaging security alerts, Oz commission excoriates Medibank, Silicon Valley tightens staff screening for Chinese espionage threats, much more


A June 9 ransomware attack has completely shut down major defense contractor Crown Equipment Corporation, the world’s fifth-largest forklift manufacturer with annual revenues of $4.69 billion and 19,100 employees, most of whom are now out of work and being asked by company management to file for unemployment.

Crown is based in New Bremen, Ohio, but also has a manufacturing facility in Roding, Germany.

Since the incident began, production at the forklift truck manufacturer's two sites has been halted. The company’s website is still down, and the manufacturer cannot be reached by phone because its voice system is inoperable.

Crown Equipment has offered no explanation for what has happened. It has told all but the most essential IT workers to go home and urged them to take vacation time or file for unemployment until operations have resumed. Numerous employees note they have not been paid since June 10.

In an object lesson in lousy incident response, Crown's lack of communication has prompted employees in Germany and the US to flock to social media and even local newspapers to complain about the mass layoffs, creating a growing PR crisis for the company.

One social media post, from @tiffs0492: "Where is your integrity Crown lift trucks? Your employees and their families deserve better! #Fyp #2024 #wtfamerica #rant #blowthisup #cro..."

According to social media reports, the shuttering of the plants in New Bremen is a significant blow to the rust belt town, whose residents have few options for finding alternative employment. Company CEO James Dicke has a reported net worth of $500 million, owns a private jet, and is a yacht aficionado who owns a yacht called Reef Chief worth $25 million, which costs $2 million per year to operate.

Crown Equipment CEO James Dicke’s yacht Reef Chief. Source: Superyacht Fan.

According to one Reddit post, the incident began when a hacker posing as an IT employee called a Crown employee, installed a fake VPN program on the Crown employee's computer and gained access to everything. The hacker created a privileged account on the network that gave them access to all systems. The network went down on Sunday, June 9, 2024, and has not been restored since.

Another Redditor claimed that the hacker is demanding a $25 million ransom. Based on social media posts, the company initially planned to resume operations on June 18 but has pushed back that date to June 24. The FBI is reportedly investigating the incident. (Günter Born / Born’s Tech and Windows World and various reports)

According to a representative for the Russian ransomware actor Qilin, it is demanding $50 million from UK lab services provider Synnovis to end a ransomware attack that has paralyzed services at London hospitals for weeks.

The representative confirmed that it had breached the pathology services and demanded money in exchange for a code to unlock affected computers. In an interview, the representative said the hackers were preparing to post online data stolen in the attack.

“The investigation into the attack continues, including any possible impact to data,” a Synnovis spokesperson said in a statement, adding that the company will inform regulators and affected individuals as it learns more about the incident.

A Qilin website where the group listed its alleged victims disappeared from the internet in the days after the hack, though another page remains online. Synnovis wasn’t listed on that site.

Responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said they were very sorry for the people who suffered but refused to accept responsibility for the human cost. They suggested the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars.

The representative added that they had ceased contact with Synnovis after apparently failing to receive any ransom payment following the expiration of a 120-hour deadline. They said the hackers had exploited an undisclosed zero-day vulnerability to gain access to Synnovis’ computers. (Ryan Gallagher / Bloomberg)

Semiconductor giant AMD is investigating whether it suffered a data breach a day after the cybercriminal group IntelBroker claimed to have stolen company databases from the chipmaker.

“We are aware of a cybercriminal organization claiming to be in possession of stolen AMD data,” the company said. “We are working closely with law enforcement officials and a third-party hosting partner to investigate the claim and the significance of the data.”

A day earlier, IntelBroker posted in a hacking forum about allegedly breaching AMD sometime this month. The stolen data allegedly includes information on “future AMD products, spec sheets,” and databases covering employee and customer information. Other data looted involves AMD’s finances, source code, and firmware.

IntelBroker posted some screenshots of the stolen data, including the corporate email addresses and internal phone numbers. However, in all cases, the employee information shown has been recorded as “inactive,” suggesting the staffers no longer work at the company and that the emails have become defunct.

IntelBroker also didn’t post any stolen customer information, making it unclear what details may have been looted. But other screenshots show what appear to be internal files from AMD. In particular, one pictured file mentions “spec releases” for a variety of AMD chips, including for the Ryzen and EPYC chip lines. (Michael Kan / PCMag)

Keytronic, an OEM manufacturer of printed circuit board assemblies (PCBA), is warning that it suffered a data breach two weeks ago after the Black Basta ransomware gang leaked 530GB of the company's stolen data.

Last month, Keytronic disclosed in an SEC filing that it had suffered a cyberattack on May 6 that disrupted its operations and limited access to business applications that supported corporate activities.

In another filing with the SEC last week, Keytronic said that the attack also caused them to shut down domestic and Mexico operations for two weeks while they responded to the attack and that normal operations have now resumed.

The filing also states that their investigation confirmed the threat actors stole personal information during the attack.

"Since the date of the Original Report, the Company has determined that the threat actor accessed and exfiltrated limited data from the Company's environment, which includes some personally identifiable information," reads the FORM 8-K/A SEC filing.

"The Company is in the process of providing appropriate notifications to potentially affected parties and to regulatory agencies as required by applicable law."

As required by new SEC guidelines, the Company has also confirmed that the attack and loss of production will materially impact its financial condition during the fourth quarter ending June 29, 2024.

The Company says it has already incurred approximately $600,000 in expenses related to hiring external cybersecurity experts and that these expenses may continue.

While Keytronic didn't attribute the attack to a specific threat group, the Black Basta ransomware operation claimed it two weeks ago and has leaked what it claims is 100% of the stolen data.

The threat actors claim that human resources, finance, engineering, and corporate data were stolen in the attack, sharing screenshots of employees' passports and social security cards, customer presentations, and corporate documents. (Lawrence Abrams / Bleeping Computer)

Security researcher Vsevolod Kokorin, also known online as Slonser, found a still-unpatched bug that allows anyone to impersonate Microsoft corporate email accounts, making phishing attempts look credible and more likely to trick their targets.

According to Kokorin, the bug only works when sending emails to Outlook accounts. Still, according to Microsoft’s latest earnings report, Outlook has at least 400 million users worldwide.

Microsoft dismissed his report after saying it couldn’t reproduce his findings. This prompted Kokorin to publicize the bug on X without providing technical details that would help others exploit it. (Lorenzo Franceschi-Bicchierai / TechCrunch)

A sixth suspect, Mathieu Joncas, a 38-year-old broker from Lac-Beauport, Que., has been arrested in connection with the massive Desjardins data theft after he turned himself in to authorities.

The Sûreté du Québec (SQ) says Joncas was out of the country when his alleged accomplices were arrested last week. Joncas was expected to appear in a Quebec City courthouse today to face charges of fraud, identity theft and trafficking in identifying information.

This is the sixth arrest made by the SQ as part of the Portier investigation, launched in 2019 following the data breach that affected 9.7 million members and clients of the Desjardins Group. (CBC News)

The US Justice Department announced that two federal contractors, Guidehouse Inc., and Nan McKay and Associates, have paid the US government a total of $11.3 million in civil penalties after admitting they failed to properly test the cybersecurity of a system for providing financial assistance to low-income people in New York during the COVID-19 pandemic.

DOJ said that the agreement with the two companies resolves allegations that they violated the False Claims Act, a more than century-old law intended to protect the government from contractors who misrepresent the quality of their services.

The DOJ said Virginia-based Guidehouse paid $7.6 million, and California-based Nan McKay, hired as a subcontractor on the project, paid $3.7 million.

They set up an emergency rental assistance program (ERAP) for the state Office of Temporary and Disability Assistance (OTDA) in May 2021 and went live on June 1 of that year.

“Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet,” the DOJ said. “Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the information security breach may have been detected and the incident prevented.”

As part of the settlement, Guidehouse also admitted that “for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.” (Joe Warminsky / The Record)

R.R. Donnelley & Sons (RRD) has agreed to pay a $2.1 million fine to the US Securities & Exchange Commission in connection with a ransomware attack in 2021.

The SEC said that RRD did not reasonably manage the resources it devoted to reviewing the security alerts generated by its third-party managed security services provider (MSSP). The agency said that in its contract and communications with the MSSP, RRD failed to reasonably set out a sufficient prioritization scheme and workflow for review and escalation of the alerts.

Moreover, the SEC said that RRD’s internal policies governing its personnel’s review of cybersecurity alerts and incident response also failed to sufficiently identify lines of responsibility and authority, set out clear criteria for alert and incident prioritization, and establish clear workflows for alert review and incident response and reporting. (John Pletz / Crain’s Chicago Business)

Microsoft's decision to publish the report came after the Federal Office for Information Security, or BSI, invoked a clause within the country's Federal Office for Information Security Act in May. The clause requires information technology companies to provide "all necessary" information related to security incidents when requested by the agency.

BSI reportedly made the legal case for disclosure after Microsoft repeatedly failed to provide adequate information on its encryption measures to agency requests. BSI's inquiry is related to its probe of a 2023 incident in which hackers stole Azure Active Directory tokens to target U.S. government networks.

The company at the time attributed the attack to a Chinese threat actor tracked as Storm-0558 or Volt Typhoon. Since Microsoft disclosed the hack, BSI has been working with the company to review its security measures, particularly to understand data protection steps deployed by the company against similar Violet Typhoon attacks. (Akshaya Asokan / Data Breach Today)

Related: Microsoft

A scathing report by Australia's Information Commissioner details how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal data from over 9 million people.

In October 2022, Australian health insurance provider Medibank disclosed that it had suffered a cyberattack that disrupted the company's operations. A week later, the company confirmed that the threat actors had stolen all of its customers' personal data and a large amount of health claims data, causing a data breach that impacted 9.7 million people.

The data from the attack was later leaked by a ransomware gang known as BlogXX, believed to be an offshoot of the shut-down REvil ransomware gang. The attack was ultimately linked to a Russian national named Aleksandr Gennadievich Ermakov, who was sanctioned by Australia, the UK, and the USA.

The agency's investigation determined that significant operational failures allowed the hacker to breach Medibank's network.

"The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988," the OAIC said.

The report states that Medibank failed to protect users' data as it had not enforced multi-factor authentication on VPN credentials and allowed anyone with access to the credentials to log into the device.

"The threat actor was able to authenticate and log onto Medibank's Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank's Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Rather, Medibank's Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required," continued the report.
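The configuration failure the report describes, as an added example that is not code from the post, the OAIC report or Medibank: a small Python check that flags VPN authentication paths satisfiable with a single factor type (a device certificate alone, or a username and password alone) and scans login records for single-factor successes. The policy names, field names and log lines are constructed for illustration and are not PAN-OS or GlobalProtect formats.

```python
"""Added example (not from the Metacurity post or the OAIC report): a policy
and log check for a VPN that accepts a device certificate alone OR a
username/password alone, with no second factor. All names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthPath:
    """One way a client may satisfy the VPN login check: a set of factor types."""
    name: str
    factors: frozenset


@dataclass
class VpnPolicy:
    name: str
    paths: list


def weak_paths(policy):
    """Names of auth paths satisfiable with a single factor type. Any such
    path lets one stolen credential (or one copied certificate) log in alone."""
    return [p.name for p in policy.paths if len(p.factors) < 2]


# Constructed approximation of the configuration the report describes.
MEDIBANK_STYLE = VpnPolicy("vpn-before", [
    AuthPath("device-cert-only", frozenset({"certificate"})),
    AuthPath("password-only", frozenset({"password"})),
])

# Hardened form: every path requires two different factor types.
HARDENED = VpnPolicy("vpn-after", [
    AuthPath("cert+password", frozenset({"certificate", "password"})),
    AuthPath("password+otp", frozenset({"password", "otp"})),
])

# Constructed login records (not a real vendor log format).
SAMPLE_LOG = """\
2022-08-25T03:12:44Z user=jsmith src=203.0.113.9 factors=password result=success
2022-08-25T03:14:02Z user=jsmith src=203.0.113.9 factors=password,otp result=success
2022-08-25T03:20:11Z user=svc-backup src=198.51.100.7 factors=certificate result=success
2022-08-25T03:22:30Z user=alee src=192.0.2.15 factors=password result=failure
"""


def parse_line(line):
    """Split 'ts key=value ...' into a dict; factors become a set of types."""
    ts, *kv = line.split()
    rec = {"ts": ts}
    for item in kv:
        key, value = item.split("=", 1)
        rec[key] = value
    rec["factors"] = set(rec["factors"].split(","))
    return rec


def single_factor_logins(log_text):
    """Successful logins that used only one factor type: the events a defender
    would alert on, or better, make impossible by fixing the policy."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] == "success" and len(rec["factors"]) < 2:
            hits.append((rec["ts"], rec["user"], next(iter(rec["factors"]))))
    return hits
```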

Using this access to the internal network, the threat actor began spreading through the systems, stealing 520 GB of data from the company's MARS Database and MPLFiler systems between August 25 and October 13, 2022.

It wasn't until mid-October, when Medibank brought in a threat intelligence firm to investigate a Microsoft Exchange ProxyNotShell incident, that it discovered data had previously been stolen in the cyberattack. (Lawrence Abrams / Bleeping Computer)

The US Federal Trade Commission said it had referred a complaint against the social media platform TikTok and its parent company ByteDance over potential violations of children's privacy to the Justice Department.

"The investigation uncovered reason to believe named defendants are violating or are about to violate the law and that a proceeding is in the public interest, so the Commission has voted to refer a complaint to the Department of Justice," the FTC said.

Without providing further details, the FTC said, "Although the Commission does not typically make public the fact that it has referred a complaint, we have determined that doing so here is in the public interest.”

TikTok said Tuesday it has been working with the FTC for more than a year to address the agency's concerns.

"We're disappointed the agency is pursuing litigation instead of continuing to work with us on a reasonable solution," TikTok said. "We strongly disagree with the FTC's allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed." (David Shepardson / Reuters)

The ransomware group BlackSuit published hundreds of stolen files from the Kansas City, Kansas, Police Department after it claimed the agency refused to pay its ransom demands.

“Kansas Police said they will not pay a ransom after voluntarily agreeing to have their case files made public. Trust your police,” BlackSuit’s message reads.

Screenshots show that BlackSuit published hundreds of sensitive files, some dating back to 2016. StateScoop’s attempts to verify the nature of the files with the Kansas City Kansas Police Department and the Kansas Office of Information Technology Services went unanswered. The screenshots show folder and file names like “Drone Pics,” “Evidence Room” and “Finance.” (Sophia Fox-Sowell / StateScoop)

Related: HackRead, Cybernews

The White House announced that the Group of Seven (G7) countries have agreed to establish a collective cybersecurity framework around operational technologies for both manufacturers and operators.

National Security Advisor Jake Sullivan said that at last week’s summit in Italy, the gathered G7 leaders “committed to taking critical action to strengthen the cybersecurity of the global supply chain of key technologies used to manage and operate electricity, oil, and natural gas systems across the world.”

The initiative seeks to address the continuous cyberattacks targeting energy systems worldwide that are “vulnerable to disruption.”

“As new digital clean energy technologies are integrated, we must ensure they are cyber secure to prevent destruction or disruption in services,” Sullivan said. (Jonathan Greig / The Record)

Sources say Silicon Valley companies are escalating their security vetting of staff and potential recruits as US officials voice greater concern about the threat of Chinese espionage.

According to several people working directly with the groups, technology giants such as Google and high-profile start-ups like OpenAI have stepped up their personnel screening.

The move comes amid fears that foreign governments are seeking to use compromised workers to access intellectual property and company data.

Venture capital firms such as Sequoia Capital, which backs dozens of start-ups, including Elon Musk’s xAI, have also encouraged some portfolio companies to tighten staff vetting after warnings that spy agencies are targeting US tech developers.

Sequoia split off its own Chinese business last year after almost two decades due to geopolitical pressure. (Tabby Kinder, Stephen Morris, and Demetri Sevastopulo / Financial Times)

Cybersecurity provider Huntress announced it had raised $150 million in a Series D venture funding round.

Kleiner Perkins, Meritech Capital, and existing investor Sapphire Ventures led the round. (James Rundle / Wall Street Journal)

Entro Security, a non-human identity and secrets management platform company, announced that it has closed an $18 million Series A venture funding round.

Dell Technologies Capital led the round with the participation of seed investors Hyperwise Ventures and StageOne Ventures, and angel investors such as Rakesh Loonkar and Mickey Boodaei. (Meir Orbach / Calcalist)

Best Thing of the Day: US Says Go Ahead, Hack Kim Jong Un

Alejandro Caceres, the cybersecurity researcher who famously hacked North Korea’s internet, bared it all in a lively Reddit AMA, saying that so far, the only consequence he’s suffered for the stunt is that “every DoD entity and intelligence agency want to know how I did it.”

Worst Thing of the Day: Just Joshing About That 2FA

Even though reservation giant Booking.com lets users enable two-factor authentication, it doesn’t require it when logging in.

Closing Thought