After ransomware attack, company finds 650+ breached credentials from NEW Cooperative employees

According to FYEO, "chicken1" was used over 10 times by employees at the company.

Digital identity management firm FYEO says it has discovered hundreds of instances of breached credentials from employees of NEW Cooperative, the Iowa-based farm service provider hit with a ransomware attack in recent days. 

Tammy Kahn, COO of FYEO, told ZDNet that when researchers searched through the company's database, they found 653 instances of breached credentials connected to NEW Cooperative.

The password "chicken1" was common among the company's 120 employees and was used over 10 times.

Kahn added that the firm's current executives also had passwords that had been leaked. 

NEW Cooperative did not respond to multiple requests for comment.

"The NewCoop ransomware situation is concerning for a number of reasons, the first being that hackers are still going after critical infrastructure and seeking to disrupt supply chains even when explicitly stating otherwise. Beyond that, it's indicative of a larger problem: password management," Kahn said. 

"We saw that the Colonial Pipeline breach was ultimately a result of a bad password, and it's likely a similar case here. A majority of internet users and the companies they work for are likely sitting ducks for hackers as they have a limited number of stale passwords and believe someone else should take responsibility for cybersecurity."

FYEO built an active domain intelligence database of over 20 billion leaked credentials and passwords, offering alerts any time email addresses and passwords resulting from third-party breaches appear on the darknet. 

By running the newcoop.com domain through the database, FYEO researchers found the 653 instances of previously exposed credentials.

Dozens of studies -- and previous ransomware incidents or breaches -- have shown that leaked passwords are one of the easiest ways cyberattackers routinely gain access to systems. The problem has gotten so bad that some companies, like Microsoft, are doing away with passwords altogether. 

"Until organizations find ways to empower their employees to practice good cybersecurity hygiene both in and out of the office, these problems will persist and grow," Kahn said. 

"Especially in industries like this, password management should be the first line of defense. FireEye execs were alerted to the SolarWinds breach via 2FA -- what some consider 'basic' in cyber hygiene can often be the most impactful."

The BlackMatter ransomware group has been implicated in the attack on NEW Cooperative, which is involved in a variety of aspects of the grain business, including running grain storage elevators, selling fertilizer, buying from farmers and providing technology to farmers.

The company is in the process of helping customers transport grain to livestock and poultry farms as it tries to restore its systems, which it shut down when notified of the attack.

The ransomware group was demanding a $5.9 million ransom and refused to back down when negotiators for the company said NEW Cooperative was a critical component of the US agriculture industry and that the attack would elicit a forceful response from the US government.

Critical Insight CISO Mike Hamilton said the company provides a lot of animal feed, meaning the attack "is probably going to have a long tail." 

"There have been a number of recent warnings about vulnerabilities in the food and ag sector, which were apparently accurate," Hamilton said. "The gang seems pretty adamant in their communication: no ransom, no network. The critical infrastructure argument is not swaying them."

Chad Anderson, the senior security researcher for DomainTools, said BlackMatter has only been around a few short months and already has netted some large victims and millions in ransom payments. 

"As the direct heir of DarkSide, BlackMatter shares a lot of interesting features with the other, quickly-rising affiliate program LockBit: speedy encryption, stronger anti-analysis techniques than previous malware families, and double-extortion," Anderson said. 

"However, one place BlackMatter interestingly differs is that, unlike most ransomware families, it does not have a function to check a victim computer's locale before encrypting, making them a threat everywhere. The most recent batch of ransomware families have truly come a long way and are ever more threatening."