Broadcom Data Breach: Ransomware Attack on Business Systems House Highlights Third-Party Cybersecurity Risks
- Rescana

Executive Summary: In late September 2024, Business Systems House (BSH), a Middle Eastern business partner of ADP used by Broadcom for payroll processing, was subjected to a ransomware attack. This breach compromised the personal data of Broadcom employees, which was subsequently made available on the internet by December 2024. The stolen data included sensitive information such as national ID numbers, health insurance details, financial account numbers, and more. The El Dorado ransomware group, suspected of affiliation with the BlackLock group, claimed responsibility for the attack. The incident highlights vulnerabilities in third-party service providers and underscores the necessity for robust supply chain cybersecurity measures (The Register, RedPacket Security).
Incident Overview: The Broadcom data breach resulted from a ransomware attack on Business Systems House (BSH), a Middle Eastern partner of ADP, affecting Broadcom's payroll data. The El Dorado ransomware group, linked to the BlackLock group, claimed responsibility.
Attack Vector Analysis:
- The attack was a double-extortion ransomware operation: data was encrypted and sensitive information exfiltrated, with the threat of public exposure used to pressure the victim into paying (The Register, RedPacket Security).
- BlackLock's operations target Windows, VMware ESXi, and Linux systems, with a particular focus on ESXi environments (ReliaQuest).

Malware and Tools Identified:
- BlackLock employs custom-built ransomware, which hinders reverse engineering and the development of defenses by security researchers (ReliaQuest).
- Techniques include deleting volume shadow copies to inhibit system recovery and pass-the-hash for lateral movement (ReliaQuest).

Historical Context and Threat Actor Activities:
- El Dorado, assessed to be an earlier brand of the operation now known as BlackLock, emerged as a major ransomware-as-a-service player in 2024 and is noted for its rapid rise in activity (ReliaQuest).
- BlackLock's data-leak site and forum activity demonstrate its active engagement with affiliates and its technical sophistication (ReliaQuest).

Sector-Specific Targeting Patterns:
- The attack targeted BSH, a payroll service provider, indicating a focus on third-party service providers as a path into their customers' data.
- BlackLock's targeting spans many sectors, with a notable focus on technology and infrastructure because of its ESXi tooling (ReliaQuest).

MITRE ATT&CK Framework Mapping:
- Initial Access: T1078 - Valid Accounts; T1190 - Exploit Public-Facing Application
- Execution: T1059 - Command and Scripting Interpreter
- Persistence: T1547 - Boot or Logon Autostart Execution
- Privilege Escalation: T1548 - Abuse Elevation Control Mechanism
- Defense Evasion: T1070 - Indicator Removal
- Discovery: T1083 - File and Directory Discovery
- Lateral Movement: T1021 - Remote Services; T1550.002 - Use Alternate Authentication Material: Pass the Hash
- Collection: T1114 - Email Collection
- Exfiltration: T1041 - Exfiltration Over C2 Channel
- Impact: T1486 - Data Encrypted for Impact; T1490 - Inhibit System Recovery (shadow copy deletion)
(ReliaQuest)
Recommendations:
1. Critical: Enforce multi-factor authentication on all systems and user accounts to prevent unauthorized access.
2. High: Conduct a thorough review of third-party service agreements and security practices to ensure adherence to cybersecurity standards.
3. Medium: Implement regular security audits and penetration testing to identify and mitigate potential vulnerabilities.
4. Low: Increase employee awareness and training on phishing and ransomware threats to reduce the likelihood of successful attacks.
Conclusion: The breach underscores the risks associated with third-party suppliers in supply chain cybersecurity. Affected individuals are advised to enable multi-factor authentication and monitor for unauthorized financial activities. The El Dorado/BlackLock group’s sophisticated tactics and rapid rise highlight the need for vigilant security measures and proactive threat intelligence (The Register, RedPacket Security).
Confidence Level for Attribution: High, based on claimed responsibility, known tactics, and technical details matching BlackLock's operations.
About Rescana: Rescana provides comprehensive threat intelligence and incident analysis services, focusing on identifying vulnerabilities and enhancing organizational security posture. Our capabilities include advanced threat detection, third-party risk assessment, and supply chain security management, all critical in mitigating risks highlighted by incidents such as the Broadcom data breach.