
Coca-Cola and CCEP Cyber Incident: Everest Ransomware and Gehenna Breach of Salesforce Data

  • Rescana
  • 3 days ago
  • 2 min read

Incident Overview:

  • Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), were targeted in separate cyber incidents by two threat groups: the Everest ransomware gang and the Gehenna hacking group.
  • The Everest ransomware gang claimed to have breached Coca-Cola’s systems, accessing internal documents and the personal information of 959 employees, including visa and passport scans and salary data. This breach appeared to target Coca-Cola’s operations in the Middle East, specifically the Dubai office at the Dubai Airport Free Zone (DAFZ).
  • The Gehenna hacking group claimed to have breached CCEP’s Salesforce dashboard, exfiltrating over 23 million records dating back to 2016. The data allegedly includes Salesforce account records, customer service cases, contact entries, and product records.

Verified Incident Date:

  • The data breach was confirmed to have occurred in April 2023.

Types of Data Compromised:

  • Employee data, including personally identifiable information (PII) such as visa and passport scans, salary data, and HR-related records.
  • Salesforce data, comprising account records, customer service cases, contact entries, and product records.

Sector-Specific Implications and Impacts:

  • The breach highlights vulnerabilities in CRM systems and the potential for significant exposure of both employee and customer data.
  • The incident underscores the importance of robust cybersecurity measures, especially for multinational corporations that handle vast amounts of sensitive data.

Official Disclosures and Statements:

  • At the time this information was retrieved, Coca-Cola and CCEP had not publicly confirmed the breach.
  • Security experts highlighted the risks associated with SaaS platforms and the need for improved logging and security visibility.

Technical Analysis:

  • Initial reports suggest the tactics involved credential harvesting and the targeting of Active Directory.
  • The breaches reflect a trend of cyberattacks targeting large corporations with the intent of financial gain through ransomware and data leaks.

References:

  • Hackread: hackread.com/coca-cola-bottling-partner-ransomware-data-breach/
  • Cyware: social.cyware.com/news/coca-cola-bottling-partner-named-in-separate-ransomware-and-data-breach-claims-34e00ee0

This report consolidates the available information into an evidence-based analysis of the data breach incident affecting Coca-Cola and Salesforce systems. Additional confirmations from Coca-Cola or relevant authorities would further clarify the incident's scope and impact.

Historical Context and Threat Actor Activities:

  • The Everest ransomware group is known for ransomware and extortion campaigns targeting large entities. The Gehenna hacking group has been associated with breaches involving high-profile organizations.
  • Both groups have used phishing and credential theft as common tactics in previous incidents, aligning with the methods suggested in this breach.

MITRE ATT&CK Framework Mapping:

  • Tactic: Initial Access
  • Technique: Phishing (T1566)
  • Technique: Valid Accounts (T1078)

  • Tactic: Credential Access
  • Technique: Credential Dumping (T1003)

  • Tactic: Exfiltration
  • Technique: Data Compressed (T1560)
  • Technique: Data Encrypted (T1022)

Recommendations:

  • Critical: Implement multi-factor authentication for all sensitive systems to prevent unauthorized access.
  • High: Enhance monitoring and logging of SaaS platforms to detect unusual activities promptly.
  • Medium: Conduct regular security audits and penetration testing to identify and mitigate potential vulnerabilities.
  • Low: Educate employees on recognizing phishing attempts and safe data handling practices.

About Rescana: Rescana specializes in providing in-depth threat analysis and cybersecurity solutions tailored to combat sophisticated cyber threats. Our capabilities include real-time threat intelligence, incident response planning, and comprehensive security assessments designed to protect and secure organizational data and systems against evolving cyber threats.
