Ransomware Hits the San Francisco 49ers Football Organization

While the San Francisco 49ers were unable to make it to the Super Bowl this year, they still made headlines over the weekend of the big game. The 49ers front office confirmed on Super Bowl Sunday that they were the victim of a ransomware attack and that the ransomware gang, BlackByte had taken credit for the attack the day prior. The attack was typical of the double extorsion attacks witnessed over the past year in which data is first exfiltrated to a third-party site before encrypting the internal systems. BlackByte claims to have stolen financial data from the team’s servers and posted 300 MB of documents on a site located on the dark web as proof of their acquisition. The gang is known for releasing increasing amounts of data as time goes on until the ransomware payment is made. Neither the 49ers nor the perpetrators have publicly mentioned a ransom or alluded to the extent of the encryption attack. The 49ers reported a temporary disruption to parts of their network but said the attack failed to involve stadium and ticket operations. Some security experts believe that attack was a way for BlackByte to attain some ‘street creds’ by pulling off an attack against such a high-profile organization and advertise it during the Super Bowl weekend.

While BlackByte took credit for the attack, the gang itself may not have implemented the attack itself. BlackByte is a Ransomware as a Service (RaaS) which means that it lets others use its attack software for a share of any successful ransom. BlackByte first came on the scene in July of 2021. The organization’s calling card is to leave a ransom note in every encrypted directory. Their typical attack methodology is to exploit three Microsoft Exchange vulnerabilities that are known ProxyShells. The three vulnerabilities along with their released patches are listed below:

• CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (KB5001779)
• CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (KB5001779)
• CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (KB5003435)

The attack is another example of how imperative it is to keep systems patched and up to date. Those who have not yet installed the released patches for the ProxyShell vulnerabilities should do so immediately. Some of the other mitigation steps you can take include the following:

• Implement a Web Application Firewall (WAF) to protect Internet facing web applications. A WAF protects against common web-based attacks and published vulnerabilities, such as the three mentioned in this article.

• Do not expose remote desktop and Citrix directly to the internet. Always use a secure MFA and encrypted connection to access the network these central access solutions reside on.

• Enforce the principle of least privilege security (PoLP) by not allotting standard users admin rights to any machines.

• Those user accounts that do have administrative privileges should be audited as well as the membership of privileged groups.

• Implement network segmentation, such that all machines on your network are not accessible from every other machine.

• Consider stripping all embedded hyperlinks from emails or at least utilize an advanced email security system that can identify and eradicate suspicious links.

• Implement a well-designed backup strategy that is air gapped and segmented from the rest of the network. Always retain copies of your backups offline.

• Sensitive data stored on shared volumes or client devices should be encrypted to make it inaccessible if compromised.