
Investigating Claimed Data Leak after Ransomware Attack at Blue Yonder

Investigation expands at software supply chain firm following data leak attributed to Termite ransomware, allegedly connected to the recent attack.

Exploring data breach allegations after a ransomware incident at Blue Yonder

In a recent cybersecurity incident, the ransomware group Termite claimed to have targeted Blue Yonder, a supply chain software provider. The attack disrupted the operations of at least two major companies: Morrisons, a U.K.-based supermarket chain, and Starbucks.

Morrisons, which operates about 500 stores across the U.K., faced operational disruptions to its warehouse management system for produce and fresh food. Despite this, the company has managed to restore normal operations following the attack, and its internal backup systems are now online.

Starbucks was also affected and had to revert to manual scheduling after a disruption in the Blue Yonder platform it uses to track employee hours. The specific nature of the operational disruptions experienced by Starbucks has not been disclosed.

According to Laurie Iacono, associate managing director, cyber risk at Kroll, the attack was carried out using the RedLine Stealer malware, which collected credentials. Kroll researchers also observed Termite using a watering hole attack method that relied on malicious advertising (malvertising).

Blue Yonder has notified customers impacted by operational disruptions and has been working closely with them throughout the restoration process. The company is also working with outside forensic experts to address the claims, and its investigation into the attack is ongoing.

Security researchers from Arctic Wolf have identified the leak site where the claim was posted; it has only been in operation since October. The attack on Blue Yonder appears to have used a double extortion method: victims are pressured to pay both for a decryptor and to prevent the release of stolen data.

It is worth noting that the ransomware used in this attack, Termite, is a distinct ransomware family and is not directly connected to Babuk ransomware. While some reports have linked the Blue Yonder attack to Babuk ransomware operators, there is no publicly confirmed direct relationship between Termite, Babuk, and the Blue Yonder attack.

Blue Yonder is currently investigating claims made by the Termite ransomware group regarding a November ransomware attack. Further details on the relationship between these ransomware variants or the Blue Yonder incident can be found in targeted threat intelligence sources or official incident reports.

  1. The attack on Blue Yonder, a supply chain software provider, revealed the use of the Red Line Stealer malware for credential collection and a watering hole attack method relying on malicious ad software.
  2. Starbucks, a company targeted in the cybersecurity incident involving Blue Yonder, had to revert to manual scheduling due to a disruption in a Blue Yonder platform used to keep track of employee hours.
  3. The operational disruptions experienced by Starbucks and by Morrisons' fresh food warehouse management system were addressed, with both companies restoring normal operations following the attack.
  4. As a response to the ransomware attack, Blue Yonder is working with outside forensic experts, notifying customers impacted by operational disruptions, and maintaining an ongoing investigation into the incident. The company is also collaborating with other security researchers to understand the claims made by the Termite ransomware group.
