A Toronto-based commercial real estate services and investment management firm has acknowledged it was the victim of a cyberattack in November but isn’t saying whether the incident was ransomware, as a gang is claiming.
A spokesperson for publicly-traded Colliers International Group, which has corporate and institutional clients in 36 countries, acknowledged the violation of security controls on Wednesday after IT World Canada asked about a listing on the dark web by the Nefilim ransomware gang. The listing suggests that the company had been hit with ransomware and that its files were copied.
“In November 2020, Colliers’ information technology team discovered a cyberattack to the company’s IT infrastructure in North America,” company communications director Pamela Smith said in an email. “Thanks to the immediate and decisive actions taken by Colliers’ IT team, the impacts on business continuity were limited. Colliers conducted a comprehensive investigation with the support of leading cybersecurity experts in an effort to determine what data may have been impacted during the recent event. Colliers continues to monitor the situation closely and will continue to notify affected individuals or organizations. The Colliers IT network is secure, safe and fully operational at this time.”
The spokesperson was mum when asked to confirm if the attack was ransomware. They were also unable to confirm if files got copied, whether the information affected was corporate or personal, and, if personal, whether it affected current and former employees.
In its most recent quarterly financial statement for the period ending September 30, 2020, Colliers said it had a net income of just under $32 million on revenues of just over US$692 million. According to its 2019 financial results at the beginning of last year, it had about 15,000 employees.
Colliers performs a number of services for real estate firms including property management, sales and appraisals as well as tenant representation.
The Nefilim website entry for Colliers has the headline “Part 1,” suggesting the two files it has posted prove the firm was compromised and could be followed by more trouble.
According to Brett Callow, a British Columbia-based threat researcher for Emsisoft, Nefilim was first noticed in the spring of last year and has since racked up a string of enterprise-space victims including Whirlpool, MAS Holdings, Luxottica and Australian logistics company Toll Group.
“Unlike most other big game-hunting groups, Nefilim appears to be a closed shop rather than a ransomware-as-a-service provider, which may explain why the group is less active than others,” he said in an email. “The group typically uses Microsoft RDP (remote desktop protocol) and other public-facing applications for initial access of victims. Frequently, it also exploits unpatched versions of Citrix’s Application Delivery Controller going after CVE-2019-19781.”
Imitation – the greatest form of flattery
Coincidentally, Emsisoft released its annual state of ransomware in the U.S. report this week. At the beginning of 2020, only the Maze group used the threat of releasing stolen information as additional leverage to extort payment.
By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites. At least 2,354 American governments, healthcare facilities and schools were impacted by ransomware last year. In addition, it estimated by looking at data leak sites that more than 1,300 companies around the world, many U.S.-based, lost data.
“We anticipate there will be more cases of data theft in 2021 than there were in 2020 – likely, at least twice as many,” the report concludes. “We also anticipate that cybercriminals will put stolen data to more use, using it to attack the individuals to which it relates in order to put additional pressure on the organizations from which it was stolen.”
Ransomware attacks can generally be fended off or, at least, their scope limited, it adds. “While organizations can never completely eliminate the possibility of human error, they can design their networks in such a way that they do not collapse like houses of cards when those errors occur.”