The Blue Yonder SaaS ransomware incident is bad.
They got into their Private Cloud environment at hypervisor level, deleted the DR and backup storage, then encrypted all 5 datacenters.
@GossiTheDog early Christmas
@GossiTheDog @cR0w
Is this a supply chain attack?
@FritzAdalis @cR0w no, just a supplier ransomware
On this - Blue Yonder, aside from doing supply chain management (how many Pot Noodles you should order per day per store etc), they also sell a HR suite called Blue Yonder Workforce Management, or WFM. It's another SaaS solution, does HR stuff, payroll etc. WFM was hosted in their private cloud and is toast.
@eigen @GossiTheDog
Yes, it’s exactly that.
Servers, switches, storage, backup- all running in a datacenter somewhere, managed by the vendor or a subcontractor.
Typically all infra is shared across the customers.
The larger customers may get their own VMware compute cluster or storage, but management tools touch every customer.
Source: I sell it for a living.
@pjsliney @eigen yeah, it's a big VMware cluster basically sat in third party DCs
@GossiTheDog out of curiosity, what does "private cloud" mean in this context? like, giving extra money to a cloud provider so nobody else's VMs are on the hardware? or is it just a fancy phrase for their own "data center"?
@richrants @pjsliney @eigen nope - they also have an Azure environment, which was completely unaffected. The impacted services are their Private Cloud, on VMware.
@GossiTheDog @pjsliney @eigen That third party DC being mostly or completely Azure, as evidenced by publicly available info, e.g. https://media.blueyonder.com/blue-yonder-recognized-as-a-finalist-for-2022-microsoft-partner-of-the-year-awards/
Disclaimer: I worked at BY in the past but obvs have no insider knowledge of what’s going on there now.
One of the Blue Yonder things is they have absolutely nothing about the situation on their website - just a list of customers, many of whom are mentioned in the press as suffering. They’re in day four.
Learning: have a comms plan.
@richrants @pjsliney @eigen it’s not related to Snowflake
@GossiTheDog @pjsliney @eigen I see, so that’s why a subset of applications (WMS, WFM, not sure about replenishment) was affected. It didn’t hit the new cloudy stuff.
That also makes a link to #SnowflakeHack less likely.
@TheTomas VMware
@GossiTheDog which HV? Hyper-V?
I think it's probably RansomHub holding Blue Yonder to ransom, based on a few things. Neither RansomHub nor Blue Yonder wish to comment.
@Fringedcrow yeah I looked into Black Basta, they aren’t unlisted on the portal (at least yesterday)
@GossiTheDog
What few things? I have been thinking either Ransomhub or Blackbasta.
I’ll modify that - the ransomware operator may have worked with Ransomhub in the recent past.
Azure services not impacted, just some private cloud. Obviously they have multiple DCs. There is apparently DR and backups.. but, well, the proof is in DR working.
There’s a webpage for the security incident but it hasn’t been updated in 3 days and isn’t linked on the website. https://blueyonder.com/customer-update
@richrants it’s usually that thinking. But the reality is existing customers will use the website and media types - it allows you to set the narrative.
@GossiTheDog I assume that they think of their website as a tool to drive new sales, not a destination for existing customers. And that minimising publicly available information about the incident will minimise negative impact on their image and future sales.
There’s a bit on the known customer impact here: https://therecord.media/starbucks-bic-morrisons-blue-yonder-supply-chain-attack-ransomware