Whatever Blue Yonder’s enterprise playbook was for a ransomware attack – if it had wargamed one – it did not involve communicating regularly.
“We do not have a timeline for restoration” was the essence of its last meaningful comment, on November 23; a day after it admitted that it had “experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident.”
The “supply chain solutions” firm provides demand forecasting and replenishment, automated ordering, warehouse and transportation software. Supermarket chains Morrisons and Sainsbury’s are customers.
The former is particularly badly affected, with fruit and vegetable shortages reported in many supermarkets as it turns to manual ordering.
It also serves the likes of Starbucks and FedEx with workforce management software that is used to track time, attendance and daily schedules. Both have had to resort to manual processes.
Whilst Blue Yonder's customer advisory said it "experienced disruptions to its managed services hosted environment" from November 21, FedEx staff reported widespread issues over 20 days before this notice. It was not clear if this was connected to the same issue.
“Every shipment planning and execution and payment is being impacted for Blue Yonder data center hosted transportation management systems. We’ve been planning manually (and SO PAINFULLY) for days. Today’s supply chain is not built for this,” a logistics operator posted on Reddit.
“Morrisons is also warning its wholesale and convenience customers that availability on some lines may drop as low as 60%,” The Grocer reported.
Blue Yonder ransomware attack: Change my pitch up; smack my backup
The Blue Yonder attackers “got into their Private Cloud environment at hypervisor level, deleted the DR [disaster recovery] and backup storage, then encrypted all [five] datacenters” posted the usually well-informed security researcher Kevin Beaumont on Mastodon, without citing a source; he added that it was a VMware environment that had been hit.
(Ransomware attacks typically involve the attackers going after backups to make recovery harder and many companies do not regularly test their ability to restore systems from segregated “cold” backups nor how they could do so if they, for example, lose access to their Active Directory.)
In which we speculate wildly...
Without further authoritative technical detail that The Stack could not immediately surface, details on the attack vector for the incident are entirely speculative; but we are not entirely averse to speculating.
VMware environments have come under public attack recently, with critical vulnerabilities CVE-2024-38812 and CVE-2024-38813 chained to compromise vCenter Server environments. An initial patch from Broadcom failed to fix the bugs. If Blue Yonder had missed that memo, it could have been exposed.
It is notable that Blue Yonder has been highly acquisitive. (It posted in August 2024 that it had made three acquisitions in the past six months alone). Inherited security risk – whether unpatched software, insider risk, or ageing endpoints unwatched on networks – is a live issue for CISOs, with gaps in security oversight also emerging as firms are integrated.
Indeed, one of the most impactful ransomware attacks of recent years, at Change Healthcare, was blamed on this: the Citrix appliance through which attackers got a foothold there “was ... a platform which had only recently become part of the company was in the process of being upgraded,” CEO Andrew Witty said in May.
(He was referring to UnitedHealth's $13 billion acquisition of Change in 2022.)
Siemens USA CISO Kurt Johnson earlier warned "[attackers] are just hedging their bets for when an acquisition happens, so that they get a foothold into a larger organisation” – whilst that may be the case, it is more often unpatched or unidentified/older assets brought into a network via an acquisition that can, later, be a chink in the defensive armour.
CSO has touted security investment
Its Chief Security Officer, appointed in 2023, appears to have been busy.
At Blue Yonder he has already “led a global cross-functional team implementing a range of security capabilities and compliance initiatives, including TISAX, FedRAMP, DDoS protection, ransomware-proof backups, threat modeling, secure design reviews, SAST/DAST/OSS scanning, supply chain security, vendor risk management, pen testing, IaaC scanning, CI/CD security assessments, 24x7 SOC, SOAR, enhanced detections, incident response playbooks, crisis communication, executive protection, business continuity, and disaster recovery plans,” says his LinkedIn profile.
Every box ticked then: Recovery should be a doddle.
Leadership may not have been focused on security; after all, sexier things are happening: “There is a growing fascination with generative AI among senior executives,” said Duncan Angove, CEO, Blue Yonder in a Q2 earnings release in August. “There’s now a widespread hunger for initiatives that drive productivity across customer experience and supply chain operations to help supplement the talent and labor shortage.”
Trust ransomware to get in the way.
Snark aside, hugops to those rebuilding. There but for the grace of god...
Peter Mackenzie, director of Incident Response at security firm Sophos, noted: “Supply chain attacks pose a growing threat to organizations, applying significant pressure on the customers who rely on these vendors. While the full impact of this particular attack remains unclear, affected customers often have limited options while awaiting remediation.”
He added: “These attacks are a reminder that organizations must not only prepare for potential attacks but also plan for vendor disruptions. This includes thoroughly evaluating vendors’ security measures and testing incident response plans during the procurement process.”
Has the incident affected you? Do you have insight on the Blue Yonder ransomware attack? Drop us a line or Signal in confidence @thestack.01