Conversation

Notices

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Nov-2024 02:41:49 JST

    The Blue Yonder SaaS ransomware incident is bad.

    They got into their Private Cloud environment at hypervisor level, deleted the DR and backup storage, then encrypted all 5 datacenters.

Fritz Adalis (fritzadalis@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:08:10 JST, in reply to cR0w :cascadia:

      @GossiTheDog @cR0w
      Is this a supply chain attack?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Nov-2024 05:08:41 JST

      On this - Blue Yonder, aside from doing supply chain management (how many Pot Noodles you should order per day per store etc), they also sell a HR suite called Blue Yonder Workforce Management, or WFM. It's another SaaS solution, does HR stuff, payroll etc. WFM was hosted in their private cloud and is toast.

      https://techhub.social/@rasldasl/113551046134997472

PJ Sliney (pjsliney@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:19:56 JST, in reply to Matt Panaro

      @eigen @GossiTheDog
      Yes, it’s exactly that.
Servers, switches, storage, backup - all running in a datacenter somewhere, managed by the vendor or a subcontractor.

      Typically all infra is shared across the customers.
      The larger customers may get their own VMware compute cluster or storage, but management tools touch every customer.

      Source: I sell it for a living.

Matt Panaro (eigen@mattstodon.panar.ooo)'s status on Wednesday, 27-Nov-2024 05:19:57 JST

      @GossiTheDog out of curiosity, what does "private cloud" mean in this context? like, giving extra money to a cloud provider so nobody else's VMs are on the hardware? or is it just a fancy phrase for their own "data center"?

Richard (richrants@toot.community)'s status on Wednesday, 27-Nov-2024 08:01:26 JST, mentioning PJ Sliney and Matt Panaro

      @GossiTheDog @pjsliney @eigen That third party DC being mostly or completely Azure, as evidenced by publicly available info, e.g. https://media.blueyonder.com/blue-yonder-recognized-as-a-finalist-for-2022-microsoft-partner-of-the-year-awards/

      Disclaimer: I worked at BY in the past but obvs have no insider knowledge of what’s going on there now.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Nov-2024 10:14:21 JST

      One of the Blue Yonder things is they have absolutely nothing about the situation on their website - just a list of customers, many of whom are mentioned in the press as suffering. They’re in day four.

      Learning: have a comms plan.

Attachment: https://cyberplace.social/system/media_attachments/files/113/552/263/830/299/580/original/5447bd0ed87e423a.jpeg

Richard (richrants@toot.community)'s status on Wednesday, 27-Nov-2024 18:58:19 JST, mentioning PJ Sliney and Matt Panaro

      @GossiTheDog @pjsliney @eigen I see, so that’s why a subset of applications (WMS, WFM, not sure about replenishment) was affected. It didn’t hit the new cloudy stuff.
      That also makes a link to #SnowflakeHack less likely.

      #BlueYonder

TheTomas (thetomas@social.toot9.de)'s status on Wednesday, 27-Nov-2024 18:58:48 JST

      @GossiTheDog which HV? HyperV?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Nov-2024 23:18:05 JST

      I think it's probably RansomHub holding Blue Yonder to ransom, based on a few things. Neither RansomHub nor Blue Yonder wish to comment.

Fringed Crow :battery_ok: (fringedcrow@infosec.exchange)'s status on Thursday, 28-Nov-2024 00:20:16 JST

      @GossiTheDog
      What few things? I have been thinking either Ransomhub or Blackbasta.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 28-Nov-2024 02:26:28 JST

      I’ll modify that - the ransomware operator may have worked with Ransomhub in the recent past.

Azure services not impacted, just some private cloud. Obviously they have multiple DCs. There is apparently DR and backups... but, well, the proof is in DR working.

      There’s a webpage for the security incident but it hasn’t been updated in 3 days and isn’t linked on the website. https://blueyonder.com/customer-update

Richard (richrants@toot.community)'s status on Thursday, 28-Nov-2024 02:39:59 JST

      @GossiTheDog I assume that they think of their website as a tool to drive new sales, not a destination for existing customers. And that minimising publicly available information about the incident will minimise negative impact on their image and future sales.

snercoal (snercoal@cyberplace.social)'s status on Saturday, 30-Nov-2024 01:16:38 JST

      @GossiTheDog @GossiTheDog any updates on this? I work at Starbucks and we were paid according to what we were scheduled, not what we actually clocked in and out for (which was recorded in a paper book lol) and still can’t clock in, use sick time / PTO etc. Can I assume they had no other backups / DR and are basically rebuilding from scratch? 8 days or whatever it’s been seems like a LONG time to recover with any backups they had.
