Overview of security incidents for the period of 24 to 30 April 2021
The beginning of the week was marked by the announcement of an attack on the Phone House network, a mobile phone retailer in Spain, using the Babuk ransomware. Although the incident took place on April 11, it had not previously been reported to the general public. The cybercriminals claim to have published the data of 13 million Phone House customers on the darknet.
The Babuk operators had also “distinguished themselves” by hacking the server of the Metropolitan District of Columbia Police Department (USA).
If the ransom was not paid, they threatened to release data from criminal investigations.
According to the group, they managed to steal more than 250 GB of data in total. The hackers gave the police three days to pay the ransom and threatened that, if the money was not transferred on time, they would contact local organized crime groups and reveal to them the identities of police informants.
Having apparently had enough, the Babuk operators suddenly announced that they were ceasing operations.
On Thursday, April 29, they posted a short message on their darknet leak site about their intention to leave the business, as they had already achieved their goal. In the original version of the message, the ransomware group explained that their ultimate goal had been to attack the Washington police; now that this goal had been achieved, they were scaling back their operations and releasing the ransomware source code. The second version of the message no longer mentions the police.
Babuk was not the only ransomware to make headlines during the week. For example, after ransom negotiations failed, DoppelPaymer ransomware operators released a large volume of documents belonging to the Illinois Attorney General’s Office.
The files released include court documents in cases initiated by the Attorney General’s Office, confidential documents not listed in public records, and personally identifiable information about prisoners and their cases.
One of Japan’s largest construction companies, the Kajima Construction Corporation, was allegedly the victim of the REvil extortion group. According to a post on the REvil darknet website, the group stole a total of 1,300,000 files belonging to the company, including confidential contracts and blueprints.
As evidence, the ransomware group posted a series of screenshots of documents allegedly stolen from the company.
As reported last week, REvil hacked into the computers of Apple’s partner, Quanta Computer, and stole blueprints for future MacBook laptops and other Apple technology.
Earlier, the group had published on its darknet site a ransom demand of $50 million addressed to Quanta Computer.
This week, the group suddenly removed all references to the stolen documents from its website. Whether Apple paid the ransom is unknown.
Gyrodata, the largest drilling company in the United States, confirmed a ransomware attack on its computer systems, as a result of which the data of its current and former employees was leaked. In the course of the attack, the attackers stole data such as the names of former and current employees, addresses, dates of birth, driver’s license numbers, social security numbers, passport numbers, tax return data, and information related to health insurance plans.
Following a series of cyberattacks on the Swedish radiotherapy equipment supplier Elekta, its customers (in particular, cancer hospitals) are still unable to restore normal operation, as the company shut down its cloud services in response to the incident.
Due to the unavailability of Elekta cloud services, a number of cancer centres in the United States have had to suspend radiotherapy for their patients.
On April 25, 2021, the Australian organization UnitingCare Queensland, which provides care services for the elderly, people with disabilities and people in difficult situations, was the victim of a cyberattack that caused its computer systems to malfunction.
The Radixx Res flight booking system (a subsidiary of Sabre Corporation) was hit by a malware attack. The incident did not affect Sabre’s own systems and the customer database was not compromised; however, as a result of the cyberattack, customers of 20 airlines were unable to book flights. Affected airlines included Peach Aviation, ZIPAIR, Air Belgium, Sky Airlines, Air Transat, Vietravel, Aero K Airlines, Salam Air, FlySafair, Air India Express and Wingo.
American cloud infrastructure provider DigitalOcean sent out emails to its customers warning them about a leak of their payment data. According to the company, an unknown group gained access to “some payment data via a vulnerability that has been fixed” in the period from 9 to 22 April. As a result of the incident, the attackers obtained the names and billing addresses of customers, as well as the last four digits of their payment card numbers, the cards’ expiration dates and the name of the card-issuing bank.
According to the specialists of the US Department of Homeland Security, vulnerabilities in the Pulse Connect Secure software from Ivanti allowed hackers to break into at least five federal agencies. The names of the affected organizations were not disclosed.
Another supply-chain attack was reported by Click Studios, the developers of the corporate password manager Passwordstate. Unknown attackers compromised the password manager’s update mechanism and used it to install malware on users’ systems.
According to a report from Click Studios, the attackers then launched a phishing campaign, taking advantage of the fact that some users had posted copies of the company’s emails on social networks. As part of these attacks, cybercriminals sent phishing emails imitating Click Studios messages in order to infect users’ systems with a new version of the Moserpass info-stealer.
A hacker under the pseudonym Monsieur Personne decided to prove that, despite the laudatory media coverage of non-fungible tokens (NFTs), they are in fact not so unique and secure. To demonstrate the “absurdity of the NFT hype,” the hacker faked the NFT of the digital painting Everydays: The First 5000 Days by American artist Beeple, which was sold at Christie’s last month for $69.34 million.
Cybercriminals broke into corporate and government computer systems in order to steal confidential data through two vulnerabilities in a popular file-sharing server. As part of a global malware campaign, hackers had already attacked the office of the Japanese Prime Minister.
The attackers exploited vulnerabilities in the popular FileZen file-sharing solution from the Japanese company Soliton. This campaign closely resembled the attacks through vulnerabilities in the Accellion FTA file-sharing software that were exploited by hackers in December 2020.
The Uranium Finance decentralized finance project based on the Binance Smart Chain blockchain fell victim to a cyberattack, as a result of which cybercriminals stole about $50 million. The project developers planned to transfer the assets of liquidity providers to the new version of the protocol – 2.1. However, the hackers exploited a vulnerability in the logic of the Uranium balance modifier, increased the project’s balance by 100 times, and gained access to user funds.