Nightfall Breaches: The Growing Threat of After-Hours Cyberattacks

When most people are winding down for the day, cybercriminals are just getting started. As the world sleeps, the digital underworld springs to life, exploiting the cover of night to launch attacks on vulnerable systems. Recent reports indicate that a staggering 94% of cyberattacks occur after hours, capitalizing on reduced staffing and slower response times to maximize damage.
This nocturnal onslaught is exemplified by a series of high-profile cyber incidents that have crippled industries and exposed critical vulnerabilities. From automotive dealerships to healthcare giants, the impact of these nighttime cyberattacks is far-reaching, underscoring the urgent need for robust cybersecurity measures around the clock.

Cyberattacks Crippled Thousands of Car Dealers

In excerpts from an article by The Washington Post, they wrote, “Thousands of car dealers are struggling to do business in late June because of two cyberattacks on an industry software provider.

The cyberattacks on CDK Global, which provides software to nearly 15,000 car dealerships in the United States and Canada, led to a shutdown of sales, financing and payroll systems for many dealers. That has forced some car sellers to do business the old-fashioned way.
“Everything is messed up — we have to do everything manually,” said Kevin Red, a car salesman at AutoNation Honda Dulles in Sterling, Va. “There’s discomfort for everybody. For us, for management, for customers.”
Here’s what to know about the cyberattacks’ impact.

What happened with CDK’s systems?

CDK experienced its first attack Tuesday evening, cybersecurity trade publications reported. The company shut down dealerships’ systems Wednesday as a precaution while the incident was investigated, spokesperson Lisa Finney told the Associated Press.
The company restored some systems by Wednesday afternoon, but another “cyber incident” occurred that evening and was still affecting many dealers Friday, Finney told AP.
The second cybersecurity incident suggests CDK may have brought its systems back online before it fully understood the problem, experts said.
“They may have realized at that point that it was going to be a game of whack-a-mole, and that they’re not going to be able to win until they identify all the compromises,” said Rob Lee, the chief curriculum director for the SANS Institute, a cybersecurity training organization.

How long will the effects last?

Cybersecurity professionals say it could take weeks for CDK to fully restore all systems.
“One cyberattack has disproportionate impacts,” said Jake Williams, a member of the faculty at the Institute for Applied Network Security, a cybersecurity consulting firm. “Most organizations just don’t have disaster recovery plans and business continuity plans that are high-quality and tested enough to deal with a large-scale attack.”
This cyberattack has a “ripple effect” across the country because the company has so many individual clients, said Williams, who described CDK as the “800-pound gorilla” of car-dealer software. Several major auto companies use CDK systems in their dealerships, including Ford, General Motors and Stellantis.

Can you still buy a car?

It depends.
Customers may be able to buy a car on paper, but they may not be able to complete some parts of the process, such as registration with state motor-vehicle agencies and setting up financing with banks and credit providers. There’s no easy way for dealers to conduct those operations until CDK resolves its problems.
“It really has moved from a ‘Hey, we’ll come back online within a week, sit tight,’ to a real nuisance,” Lee said.
AutoNation Honda Dulles is letting some people drive off the lot with cars they intend to purchase on a “case by case” basis, Red said. Customers must return to complete paperwork and finalize the sale once the dealership’s CDK system functions properly again, he added.

How will this get fixed?

“The first thing is just figuring out the exposure to the hack, really, so taking a moment to basically check through your systems, certainly find the point of compromise,” said Katie Brooks, the global cybersecurity policy director for Aspen Digital.
It’s difficult for large companies such as CDK to get reports about cyberattacks 100 percent correct initially because they may not know the extent of an attack’s network penetration.
Meanwhile, dealerships should develop a “pen and paper plan” to make sure they can still sell cars, she said.
“You need a way to do business that is unplugged, and that is the old school way of operating, and your staff needs to be aware of it,” Brooks said. “This attack, in particular, demonstrates the need for those resilience measures.”

Why Do Cyber Attacks Happen at Night?

Reduced Vigilance

During nighttime hours, many organizations operate with minimal staff and rely on automated monitoring. An alert that fires at 2 a.m. may not be read until the morning shift arrives, which delays both detection and response.

Slower Response Times

Even if an attack is detected, response teams might be slower to act. Incident response teams may not be fully staffed, and key personnel might not be immediately available.

Increased Vulnerability

Systems undergoing maintenance or patching during off-hours can be more exposed than usual: monitoring agents may be paused, firewall rules temporarily opened, or a host left half-patched and rebooted. Attackers who notice these windows can act while defenses are weakened and nobody is watching the change.

Global Time Zones

Cybercriminals often operate from different time zones, making nighttime attacks a strategic choice to align with their working hours while targeting businesses during their downtime.

Examples of Other Nighttime Cyber Attacks

Colonial Pipeline Ransomware Attack: Although not entirely limited to nighttime, the Colonial Pipeline attack highlighted the vulnerabilities during off-hours. The attack, which began in the evening, disrupted fuel supplies across the Eastern United States, showcasing how critical infrastructure can be compromised during less vigilant hours.

JBS Meat Processing Ransomware Attack: The world’s largest meat processing company, JBS, experienced a ransomware attack that forced the shutdown of its operations in the United States, Canada, and Australia. The attack occurred during the early hours of the morning, delaying the company’s response and exacerbating the disruption.

Irish Health Service Executive (HSE) Attack: The HSE experienced a significant ransomware attack that began in the early hours, crippling its IT systems. The timing of the attack allowed the cybercriminals to maximize disruption before a full response could be mounted.

As cybercriminals continue to exploit the vulnerabilities present during off-hours, it is imperative for organizations to enhance their cybersecurity measures. By understanding the tactics used by attackers and implementing comprehensive security protocols, businesses can protect their assets and minimize the risk of nighttime cyber attacks.

Food and Agriculture Sector Hit With More Than 160 Ransomware Attacks Last Year

In excerpts from an article by The Record, they wrote, “The U.S. food and agriculture sector dealt with at least 167 ransomware attacks last year, according to the leading industry group.

In its first annual report, the Food and Agriculture-Information Sharing and Analysis Center (Food and Ag-ISAC) said the industry was the seventh most targeted sector in the country, behind manufacturing, financial services, and others.

Thus far in the first quarter of 2024, the sector has counted 40 attacks, a slight decrease from the year before.

Multiple large food companies dealt with cyber incidents in 2023, including Dole, Sysco and Mondelez. The U.S. Department of Agriculture (USDA) told Recorded Future News last year that it was affected by a ransomware group’s exploitation of a popular file transfer tool, exposing troves of industry information.

Jonathan Braley, director of the Food and Ag-ISAC — which was formed in 2022 following a run of attacks on the industry that directly affected food pricing — told Recorded Future News that the sector is in the middle of the pack compared to other critical infrastructure sectors affected by ransomware.

Ransomware gangs are going after low-hanging fruit and organizations with discoverable or exploitable security lapses, he said. Braley noted that there was a 54% increase in ransomware attacks across sectors in January, year-on-year.

The interconnected nature of the industry means an attack on one company often affects others.

“For example, ransomware attacks could impact or disrupt processes along agricultural production lines, such as seed production. Any downtime caused by an attack could lead to a chain reaction of delays, potentially causing late planting or harvesting windows,” the organization explained.

“As a result, crops may need to be palletized and moved to other regions with an active growing season, which is done in cases of severe weather such as droughts or flooding. This is an expensive and taxing process that puts strain on organizations, costing them already limited time and resources.”

The ransomware attack on Dole in February 2023, for example, impacted shipments to grocery stores, which were unable to stock Dole salad kits as a result of the attack.

The research also highlights the threat of intellectual property theft in the industry — with certain companies spending years on genetic crop work that can be stolen in a moment.”

Change Healthcare Cyber Attack

In excerpts from an article by Energy & Commerce, they wrote, “Change Healthcare is one of the largest health payment processing companies in the world. It acts as a clearing house for 15 billion medical claims each year—accounting for nearly 40 percent of all claims.

The cyberattack that occurred in February knocked Change Healthcare—a subsidiary of the behemoth global health company UnitedHealth—offline, which created a backlog of unpaid claims. This has left doctors’ offices and hospitals with serious cashflow problems—threatening patients’ access to care.

It has since come to light that millions of Americans may have had their sensitive health information leaked onto the dark web, despite UnitedHealth paying a ransom to the cyber attackers.

The Oversight and Investigations Subcommittee called UnitedHealth CEO Sir Andrew Witty to explain to the American people what happened in the lead up to and during the attack, how the company is responding, and how it plans to prevent such an attack from happening again.

WHAT WE LEARNED

1. The attack occurred because UnitedHealth wasn’t using multifactor authentication [MFA], which is an industry standard practice, to secure one of their most critical systems.

Mr. Witty:

We’re continuing to investigate as to exactly why MFA was not on that particular service. It clearly was not. I can tell you I’m as frustrated as you are about having discovered that and as we’ve gone back and figured out how this situation occurred.

Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. For some reason, which we continue to investigate, this particular server did not have MFA on it.

2. It’s estimated that a third of Americans had their sensitive health information leaked to the dark web as a result of the attack.

Oversight Subcommittee Chair Morgan Griffith:

“Substantial proportion of the American population.” What does that mean? How much are we talking? 20 percent? We talking 50 percent? We’re talking 70? Tell us.

Mr. Witty:

I think maybe a third or somewhere of that level.

3. This might not be the end of the leaks. Despite UnitedHealth paying a ransom to the criminals, it cannot guarantee that more of Americans’ sensitive information will not be leaked.

Chair Rodgers:

How much did you pay in ransom? And how was it paid? In dollars? Bitcoin or other cryptocurrency?

Mr. Witty:

$22 million in Bitcoin.

Chair Rodgers:

Can you affirmatively say that the hackers you paid did not make copies of protected or personal data and then, at a later date, upload it onto the internet or the dark web?

Mr. Witty:

I cannot affirmatively say that. No.

Some Press Coverage Quotes About the Incident…

  • UnitedHealth’s handling of the situation will probably be “a case study in crisis mismanagement for decades to come,” said Rep. Cathy McMorris Rodgers (R-Wash.), chair of the House Energy and Commerce Committee
  • Rep. Gary Palmer (R., Ala.), in an afternoon hearing held by the House Energy and Commerce Committee’s subcommittee on Oversight and Investigations, pressed Witty about how many government employees with security clearance were included in the breach. That kind of theft would be a national-security risk, he said.
  • Rep. Earl L. “Buddy” Carter, R-Ga., railed against the company’s use of vertical integration, in which it has acquired physician practices, pharmacy benefit managers and other players in the health care system. “Let me assure you that I’m going to continue to work to bust this up,” Carter said. “This vertical integration that exists in health care in general has got to end.”
  • Several members also took the opportunity to chide United Healthcare’s use of prior authorization, which Witty said resumed for its Medicare Advantage plans April 15.  The company should “carefully review how that prior authorization” has affected patient outcomes, said Rep. John Joyce, R-Pa.”

In short, the cyberattack on Change Healthcare in February has revealed significant vulnerabilities within one of the largest health payment processing companies in the world. The failure to implement multifactor authentication on a critical system facilitated the breach, resulting in severe financial disruptions for healthcare providers and exposing sensitive health information of potentially a third of Americans to the dark web.

Despite paying a substantial ransom, UnitedHealth cannot guarantee that additional data leaks will not occur. The incident has drawn intense scrutiny from the House Energy and Commerce Committee, highlighting issues of inadequate cybersecurity measures and the broader implications of vertical integration within the healthcare industry. This event underscores the urgent need for enhanced cybersecurity protocols to protect sensitive health data and ensure the stability of healthcare services.

Cyberattacks' Far-Reaching Impact on Everyday Life

The threat of cyberattacks extends far beyond the confines of the digital world, infiltrating critical aspects of everyday life and posing significant risks to society. While high-profile incidents often capture headlines, the true breadth of cyber vulnerabilities spans numerous sectors, each with the potential to disrupt essential services, compromise personal safety, and undermine public trust.

From the stability of our power grids to the security of our financial systems, cybercriminals are increasingly targeting the very infrastructure that underpins our daily existence. This overview reveals the critical need for heightened cybersecurity measures across diverse areas, ensuring resilience against the ever-evolving landscape of cyber threats.

Critical Infrastructure Attacks

  • Energy Sector: Attacks on power grids and utilities can lead to widespread blackouts, affecting millions of households and critical services like hospitals and emergency response.
  • Water Supply Systems: Cyberattacks on water treatment facilities can compromise water safety and availability, posing severe public health risks.

Financial Sector Breaches

  • Banks and Financial Institutions: Cyberattacks on banks can lead to financial losses, identity theft, and disruption of financial services. Such attacks can undermine trust in financial systems and impact the economy.

Transportation Systems

  • Airlines and Airports: Cyberattacks on airline systems can lead to flight cancellations, delays, and potential safety hazards. Passenger data breaches can also result in identity theft and privacy concerns.
  • Public Transportation: Attacks on public transit systems can disrupt services, leading to chaos and inconvenience for daily commuters.

Healthcare Sector

  • Hospitals and Medical Devices: Beyond healthcare payment systems, attacks on hospital IT systems and medical devices can directly impact patient care, leading to delays in treatment and compromised patient safety.
  • Pharmaceutical Companies: Cyberattacks on pharmaceutical firms can disrupt drug production and distribution, affecting medication availability.

Government and Public Services

  • Municipal Services: Cyberattacks on local governments can disrupt public services such as emergency response, waste management, and public records, affecting daily life and safety.
  • National Security: Attacks targeting government agencies and defense contractors can compromise national security, leading to potential threats from adversaries.

Educational Institutions

  • Schools and Universities: Cyberattacks on educational institutions can disrupt learning, compromise student and staff data, and lead to financial losses through ransomware demands.

Retail and Consumer Services

  • E-commerce Platforms: Attacks on online retailers can lead to financial losses, data breaches, and loss of consumer trust.
  • Supply Chain Disruptions: Cyberattacks on supply chain systems can lead to shortages of goods, affecting everything from groceries to essential supplies.

Tips for Staying Cyber Prepared 24/7

  1. Implement Continuous Monitoring: Use security information and event management (SIEM) tooling to monitor your network for suspicious activity in real time, and make sure the alerts it raises actually reach a person overnight, not just a dashboard nobody is looking at. Continuous monitoring only shortens response time if someone is on the receiving end during off-hours.
  2. Establish a 24/7 Incident Response Team: Ensure you have a dedicated incident response team available around the clock. This team should be well-trained in handling various types of cyber threats and have clear protocols for escalation and resolution.
  3. Use Automated Threat Detection: Deploy detection systems that use analytics and machine learning to flag anomalies, and pair high-confidence alerts with automated containment such as isolating a host or disabling an account. Automation is the part of your defense that runs at full strength at 3 a.m., but it must be tuned against false positives, or the on-call responder will learn to ignore it.
  4. Conduct Regular Security Audits: Regularly audit your security systems and protocols to identify and fix vulnerabilities. This includes penetration testing and vulnerability scanning, especially on critical systems that may be targeted during nighttime.
  5. Implement Robust Authentication: Use multi-factor authentication (MFA) for all critical systems to add an extra layer of security. This reduces the risk of unauthorized access, even if credentials are compromised.
  6. Establish a Clear Communication Plan: Develop a communication plan for notifying key personnel during an after-hours incident. Ensure that all employees know who to contact and what steps to take if they suspect a cyberattack.
  7. Enhance Employee Training: Provide regular cybersecurity training for all employees, focusing on recognizing phishing attempts and other common attack vectors. Awareness can significantly reduce the risk of successful attacks.
  8. Prepare for Offline Operations: Develop and maintain offline procedures for critical business operations. This ensures that your organization can continue functioning even if your digital systems are compromised.
  9. Back Up Data Regularly: Back up all critical data on a schedule and keep at least one copy offline or immutable, where ransomware that reaches the network cannot encrypt or delete it. Test restores periodically; a backup that has never been restored is a hope, not a plan. Reliable, tested backups let you recover without paying a ransom.
  10. Collaborate with Cybersecurity Experts: Partner with cybersecurity experts and organizations to stay updated on the latest threats and mitigation strategies. External experts can provide valuable insights and support during a cyber crisis.
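Tips 1, 3 and 5 above come together in a single detection rule: flag successful logins that happen outside staffed hours, and flag any login to a critical system that did not use MFA, which is exactly the gap described in the Change Healthcare testimony. The script below is an added example written for this article, not tooling from the original page or from any vendor. Its JSON log schema, the 7 a.m. to 7 p.m. Eastern business window and the list of critical systems are assumptions chosen for illustration, and the log lines it reads are constructed sample data.

```python
"""Off-hours and MFA-gap login triage over a constructed auth log.

Added example for this article, not tooling from the original page or from
any vendor: the JSON log schema, the business-hours window and the list of
critical systems are all assumptions chosen for illustration.
"""
import json
from datetime import datetime, time, timedelta, timezone

try:
    from zoneinfo import ZoneInfo  # Python 3.9+, needs system tzdata
    LOCAL_TZ = ZoneInfo("America/New_York")
except Exception:  # no tz database available: fall back to a fixed summer offset
    LOCAL_TZ = timezone(timedelta(hours=-4), "EDT")

# Assumed staffed window in local time; anything else (and weekends) is "after hours".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Assumed systems where a login without MFA is unacceptable at any hour.
CRITICAL_SYSTEMS = {"claims-clearinghouse", "dealer-dms", "payroll"}

# Constructed sample events, one JSON object per line, timestamps stored in UTC
# the way most SIEMs normalise them. 2024-06-19 is a Wednesday.
SAMPLE_LOG = """\
{"ts": "2024-06-19T14:05:11Z", "user": "alice", "system": "dealer-dms", "result": "success", "mfa": true, "src_ip": "10.0.4.21"}
{"ts": "2024-06-19T02:47:30Z", "user": "svc-backup", "system": "payroll", "result": "success", "mfa": false, "src_ip": "203.0.113.7"}
{"ts": "2024-06-19T03:02:09Z", "user": "bob", "system": "claims-clearinghouse", "result": "success", "mfa": false, "src_ip": "198.51.100.9"}
{"ts": "2024-06-19T03:02:41Z", "user": "bob", "system": "claims-clearinghouse", "result": "failure", "mfa": false, "src_ip": "198.51.100.9"}
{"ts": "2024-06-19T16:30:00Z", "user": "carol", "system": "wiki", "result": "success", "mfa": false, "src_ip": "10.0.4.33"}
{"ts": "2024-06-19T23:15:00Z", "user": "dave", "system": "wiki", "result": "success", "mfa": true, "src_ip": "10.0.4.40"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse JSON lines; convert the UTC timestamp to an aware datetime."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # The 'Z' suffix is only accepted by fromisoformat from 3.11, so normalise it.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def is_after_hours(ts: datetime) -> bool:
    """True when the UTC timestamp falls outside the local staffed window."""
    local = ts.astimezone(LOCAL_TZ)
    if local.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert per successful login that breaks a rule.

    Rule 1: any successful login after hours is worth a look.
    Rule 2: a successful login to a critical system without MFA is a finding
    at any hour. Both together on a critical system is the worst case.
    Failed logins are ignored here; burst detection is a separate rule.
    """
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        critical = ev["system"] in CRITICAL_SYSTEMS
        after_hours = is_after_hours(ev["ts"])
        no_mfa = critical and not ev["mfa"]
        reasons = []
        if after_hours:
            reasons.append("after-hours login")
        if no_mfa:
            reasons.append("critical system reached without MFA")
        if not reasons:
            continue
        if critical and after_hours and no_mfa:
            severity = "critical"
        elif critical:
            severity = "high"
        else:
            severity = "low"
        alerts.append({
            "user": ev["user"],
            "system": ev["system"],
            "src_ip": ev["src_ip"],
            "local_time": ev["ts"].astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M %Z"),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


def run(raw: str = SAMPLE_LOG) -> list[dict]:
    """Parse and evaluate a log; returns the alert list for the caller to route."""
    return evaluate(parse_events(raw))


if __name__ == "__main__":
    for a in run():
        print(f'{a["severity"]:8} {a["local_time"]}  {a["user"]}@{a["system"]} '
              f'from {a["src_ip"]}: {"; ".join(a["reasons"])}')
```

Run against the sample, the rule produces three alerts: the service account and `bob` both reach critical systems without MFA at roughly 11 p.m. local time and come out as critical, while `dave` on the wiki at 7:15 p.m. is a low-severity after-hours login that a reviewer can clear in the morning. Two details matter in practice: the comparison is done in the organization's local time zone after converting from the UTC the SIEM stores, since a 02:47Z event is a daytime event in some offices and a midnight event in others, and the MFA check fires regardless of hour, because the lesson from the testimony above is that the gap existed long before anyone exploited it.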

Conclusion

The rising tide of after-hours cyberattacks demands an unwavering commitment to cybersecurity preparedness. As cybercriminals exploit the cover of night to launch their assaults, organizations must adopt a proactive stance to safeguard their digital assets. The devastating impacts of nighttime cyber incidents, as highlighted by attacks on automotive dealerships, healthcare systems, and the food and agriculture sector, underscore the critical need for continuous vigilance.

Ultimately, the key to cyber preparedness lies in a multifaceted approach that combines advanced technology, strategic planning, and human awareness. By staying vigilant and prepared around the clock, organizations can protect themselves from the growing threat of nighttime cyberattacks and ensure the continuity of their operations in an increasingly digital world.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By investing in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and tools fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca
