Breach Roundup: Attempted Extortion Attack on DragosAlso: Twitter Hacker Pleads Guilty, Seoul National University Hospital and Sysco
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between May 5 and May 11, the spotlight was on Dragos, a guilty plea from a Twitter hacker and cryptocurrency thief, North Korean hackers, an attack against food distributor Sysco, a Ukrainian border truck queuing system. Also, Western Digital disclosed that its recent hack involved data theft, researchers found they could decrypt some partially encrypted files and Surfshark says the overall number breached accounts is going down.
Industrial cybersecurity company Dragos disclosed a likely attempted ransomware attack. In a post it characterizes as a bid to destigmatize security events, the company said a "known cybersecurity group" attempted but failed to gain control of a Dragos system. It did retrieve 25 intelligence reports normally only available to customers.
The group pivoted to attempted extortion, threatening to publicly reveal the attack. Screenshots of messages posted online by Dragos also show the cybercriminal group threatening to contact family members of executives.
Attackers gained access by "compromising the personal email address of a new sales employee prior to their start date" and completed initial steps of the onboarding process. They obtained access to the company SharePoint and contract management system, also accessing "a report with IP addresses associated with a customer." The company says it's instituted an additional verification step to harden the onboarding process. Dragos also credits role based access control for preventing the attackers from reaching deeper into its network, stopping them from accessing resources such as its sales leads, customer support system and IT help desk.
A British man entered a guilty plea in U.S. federal court for participating in a notorious 2020 Twitter hack that compromised the accounts of prominent public figures to perpetuate a cryptocurrency fraud scheme.
Joseph James O'Connor, aka “PlugwalkJoe," also pleaded guilty to stealing $794,000 in cryptocurrency from a New York City exchange, charges for computer intrusions related to takeovers of TikTok and Snapchat user accounts and for cyberstalking two victims. He faces up to 77 years in prison and will forfeit $794,000 worth of stolen cryptocurrency.
Spanish authorities arrested O'Connor in southern Spain's Costa del Sol in July 2021, at U.S. request. Spanish courts extradited him on April 26 (see: Spanish Court Approves Twitter Hacking Suspect's Extradition).
O'Connor is one of four individuals charged with tricking several Twitter employees to share their administrator credentials, which attackers used to gain unauthorized access to 130 high-profile Twitter accounts on July 15, 2020. Compromised account holders included Joe Biden, who was then the Democratic presidential nominee, plus Tesla CEO Musk, the corporate accounts of Apple and Uber, and Floyd Mayweather, Jeff Bezos, Kim Kardashian, Mike Bloomberg and Warren Buffet.
"O’Connor’s criminal activities were flagrant and malicious, and his conduct impacted multiple people’s lives. He harassed, threatened, and extorted his victims, causing substantial emotional harm," said Assistant Attorney General Kenneth A. Polite, Jr.
Seoul National University Hospital
North Korea was behind the spring 2021 hack of Seoul National University Hospital, Korean National Police said Thursday. Pyongyang hackers gained unauthorized access to medical records and personal details of hundreds of thousands of patients.
The Korean National Police Agency Thursday said that the hackers breached South Korea's premier hospital's network between May and June 2021, using seven domestic and overseas servers.
The attackers exfiltrated the personal information of 810,000 patients and 17,000 former and current employees.
News reports previously tied the attack to North Korean threat actor Kimsuky.
Sysco Cybersecurity Event
Food distribution giant Sysco divulged in a May 2 filing with U.S. federal regulators that hackers were able to access its systems without detection for nearly two months.
Sysco said it became aware of the incident on March 5 and determined that hackers first gained access on Jan. 14. The "threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data." Operations and related business systems were not affected.
"Sysco has begun the process of preparing to comply with its obligations with respect to the extracted data," it said.
Ukrainian Truck Crossing Service
A Ukrainian government ministry took to Facebook Tuesday to blame Russia for an attack on its electronic queuing system for trucks crossing its western border. The Ministry for Communities, Territories and Infrastructure Development of Ukraine said its eCherga system was attacked by an aggressor country and that calls for cyberattacks against the system spread through "Russian propaganda channels." The effect of the attack was short lived, the post said. Driver or vehicle data was not affected, the ministry wrote.
Western Digital Update
Hard disk drive maker Western Digital confirmed that the hacking incident that caused it in early April to yank offline its cloud services for 10 days resulted in data theft (see: Western Digital Discloses Breach a Day After My Cloud Outage).
The compromised database contained personal information such as customer names, billing and shipping addresses, email addresses, telephone numbers, as well as encrypted hashed and salted passwords and partial credit card numbers. The company said that its factories remained operational throughout the incident.
White Phoenix Decryptor
CyberArk researchers developed a tool designed recover files encrypted using intermittent encryption techniques employed by groups including BlackCat and Play.
Ransomware hackers may resort to partial rather than full encryption in a bid to speed up the process and to avoid detection by security software, which may use the amount of content written to disk by a process as a ransomware indicator.
CyberArk says its tool, dubbed White Phoenix, can, in the right circumstances, extract the content of PDFs, Microsoft Office documents and zip files. "Other formats, such as video and audio files, may also be recoverable," wrote CyberArk analyst Ari Novick.
Good News on Data Breach Statistics?
Cybersecurity firm Surfshark says its tally of global data breaches show a nearly 50 percent decrease in breached accounts during the first three months of this year compared to the last three months of 2022. It counts total breached accounts during the first quarter as adding up to 41.6 million, "almost twice less than nearly 80.8M in the previous quarter."
"Unfortunately, not all countries saw a positive turn in their data breach statistics. Russia, Taiwan, France, and Spain were among the most breached countries, marking an increased number of leaked accounts last quarter." Russia came in first for most number of account breached, followed by the United States.
Other Coverage From Last Week
- Ubiquiti Insider Hacker Sentenced to 6 Years in Prison
- Microsoft Fixes BlackLotus Vulnerability, Again
- Feds Dismember Russia's 'Snake' Cyberespionage Operation
- Hackers Leak Private Keys; Many MSI Products at Risk
With reporting from ISMG's Mihir Bagwe in Mumbai