Data Breach Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/data-breach/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Tue, 19 Mar 2024 17:29:47 +0000

Fujitsu Hacked, Warns of Data Leak Possibility
https://gridinsoft.com/blogs/fujitsu-hacked-data-leak/
Tue, 19 Mar 2024 17:29:47 +0000

The post Fujitsu Hacked, Warns of Data Leak Possibility appeared first on Gridinsoft Blog.

Fujitsu, one of the world’s leading IT companies, reports uncovering the hack in their internal network. The company discovered malware in its IT systems, which led to a massive data breach.

Fujitsu Hacked, Company Publishes Report

The first to discover the Fujitsu hack were the company’s own IT specialists, who were performing routine scanning. The first signs of compromised systems were noticed earlier in March 2023, which immediately raised concerns among the technical team. The company’s management was notified of the possible threat right away, leading to an extensive internal investigation.

Fujitsu hack
Fujitsu report on official web site (translated from Japanese)

That investigation is still ongoing and is now focused on determining the amount and types of leaked data. The company says it has not received any reports of personal information being misused as a result of the hack. However, the attack could have affected important databases containing customers’ personal data, including names, addresses, contact information and details of contractual relationships.

Initial steps taken by Fujitsu included isolating the infected systems to prevent the malware from spreading further. The company also engaged external cybersecurity experts to conduct a detailed analysis of the situation and determine the source of the attack.

Analysis of Malware

Preliminary analysis showed that the malware was specifically designed to steal sensitive information. Experts noted that it was not a “common” malware sample but one crafted for this specific attack. The program acted selectively, targeting particularly sensitive data such as employees’ personal data, financial information and details of internal company research.

Most interestingly, the attack targeted specific systems and used sophisticated methods to bypass standard security measures. It is a common tactic for attackers to use custom malware builds in targeted attacks on corporate networks, but it is unusual to see them deploy a previously unseen sample.

Fujitsu Was Hacked Before

In June 2023, Fujitsu Cloud Technologies, a subsidiary of Fujitsu Limited, received a public reprimand from Japan’s Ministry of Internal Affairs and Communications. The ministry demanded that both Fujitsu Cloud Technologies and Fujitsu Limited take immediate action to implement security measures to safeguard communications privacy and enhance cybersecurity. Fujitsu Limited is set to merge with its subsidiary in the near future.

In 2022, a breach affected Fujitsu Limited’s cloud-based internet service used by governments and large corporations. Attackers accessed the system and leaked sensitive information. Around late 2022, the company uncovered a hack in one of its divisions, FENICS Internet.

The company was also implicated in the May 2021 supply chain attack. Its Fujitsu ProjectWEB project management suite was accessed by an unauthorized third party, and the incident resulted in a data leak affecting several Japanese government agencies. The data was allegedly sold on the darknet. The company later discontinued the ProjectWEB portal/tool.

What then?

Well, despite best efforts, even technologically advanced companies like Fujitsu are not immune to cyberattacks and subsequent data breaches. Even with advanced defense systems, attackers are finding ways to bypass defenses, resulting in serious consequences for companies and their customers. Hopefully, the measures taken and lessons learned from this experience contribute to strengthening data protection.

Dollar Tree Data Breach Impacting 2 Million People
https://gridinsoft.com/blogs/dollar-tree-data-breach/
Fri, 01 Dec 2023 11:30:01 +0000

Discount retailer Dollar Tree was hit by a data breach when its third-party service provider Zeroed-In Technologies fell victim to an attack, affecting almost 2 million people. It may well be the largest indirect damage from a hack in recent years.

Data Breach in Zeroed-In Affects Dollar Tree

Popular discount retailer Dollar Tree has revealed that it was impacted by a data breach resulting from a cyberattack on one of its third-party vendors, Zeroed-In Technologies. The breach is believed to have exposed the personal details of almost 2 million people, primarily current and former Dollar Tree and Family Dollar employees.

Data breach lawsuit screenshot
Official data breach claim provided to the Maine attorney

The incident first came to light on November 21, 2023. Then, the company sent notification letters to those affected on behalf of Zeroed-In. According to the letter, Zeroed-In experienced a security breach in early August 2023. This resulted in unauthorized access to internal systems containing sensitive personal information.

Zeroed-In Hack Affects Multiple Companies

While Zeroed-In has not confirmed which files were accessed, its investigation determined the following: the accessed systems contained names, dates of birth, and SSNs belonging to individuals associated with Dollar Tree and Family Dollar. This suggests a high likelihood that this sensitive data on nearly 2 million people may have been compromised.

In response to the data breach, Zeroed-In stated that they will provide victims with 12 months of identity protection and credit monitoring services free of charge. Additionally, the company is currently undertaking efforts to enhance its security and ensure better protection of data. When reached for comment, Family Dollar representatives provided the following statement:

“Zeroed-In is a vendor that we and other companies use. They informed us that they identified a security incident, and they provided notice of the incident to current and former employees.”

This indicates that Dollar Tree became aware of the breach only after being contacted by the vendor, once the incident had already occurred. As of now, no evidence points to Dollar Tree’s or Family Dollar’s systems being directly compromised. Moreover, no major cybercrime group has claimed to have hacked Dollar Tree, which means the breach may not have as much impact as expected.

Legal Ramifications and Investigations

At this time, the full impact of the data breach remains unclear. While Dollar Tree has confirmed receiving notice of the incident, other clients of Zeroed-In have yet to disclose whether their data was involved as well. Nonetheless, the massive scale of the breach has already garnered high-profile attention from state Attorneys General and class-action lawsuit attorneys seeking accountability for the security lapse.

Without prompt and effective response, diminished consumer trust in Dollar Tree’s ability to safeguard data can be anticipated. Legal experts warn that companies are still responsible for vetting and auditing the data security of third-party partners handling sensitive customer or employee information. So, failure to ensure adequate protection exposes organizations to legal, financial, and reputational damages in an incident like this.

Data Breach Trends are Concerning

This marks the third major retail data breach disclosed in 2023 alone, following incidents at Walmart and Wawa earlier this year. Despite retailers increasingly transitioning to EMV chip-enabled payment systems, cybercriminals continue finding alternative methods of monetizing consumer data. Law enforcement officials continue investigating the technical details surrounding this latest breach.

In the meantime, consumers worried that their personal information was exposed in the Dollar Tree/Zeroed-In breach can enroll in the free identity protection services being offered and should remain vigilant for any suspicious activity on their accounts. Experts also advise setting up fraud alerts and credit freezes, a helpful precaution until investigations shed more light on the scope and severity of the stolen data.

Henry Schein was hacked twice by BlackCat ransomware
https://gridinsoft.com/blogs/henry-schein-blackcat-ransomware/
Wed, 29 Nov 2023 14:45:07 +0000

Henry Schein Global, a healthcare solutions provider, faced a persistent cybersecurity nightmare. The BlackCat/ALPHV ransomware gang is launching a second wave of attacks, claiming to have re-encrypted files after stalled negotiations. The company, headquartered in Melville, New York, is restoring systems. This happened after the cybercrime group took credit for an initial breach on October 15, disrupting manufacturing and distribution operations.

What is BlackCat Ransomware Gang?

The BlackCat ransomware gang, emerging in November 2021, is believed to be a rebrand of the notorious DarkSide/BlackMatter group. The gang gained global attention after targeting Colonial Pipeline, which led to fuel supply disruptions across the entire US East Coast. The FBI has linked them to over 60 breaches globally between November 2021 and March 2022, indicating a pattern of sophisticated cybercriminal activity.

Henry Schein Attacked by ALPHV, Again

On October 15, Henry Schein reported a cyberattack that impacted its manufacturing and distribution businesses, causing operational disruptions. Two weeks later, the BlackCat/ALPHV ransomware group claimed responsibility, boasting about encrypting files and stealing a massive 35 terabytes of sensitive data, potentially including personal information, bank account details, and payment card numbers.

notification from Henry Schein
The notification from Henry Schein about the ransomware attack.

The situation escalated in early November when the cybercriminals declared that negotiations had stalled. In response, they threatened to re-encrypt files, a move confirmed by Henry Schein’s subsequent system restoration updates. The company informed customers on November 22 that its applications, including the e-commerce platform, were rendered unavailable due to actions by the threat actor.

BlackCat ransomware
Statement on the ALPHV/BlackCat leak site.

Despite anticipating short-term disruptions, the latest update on November 26 assured customers that systems would soon be fully restored. As of the latest information, Henry Schein is no longer listed on the BlackCat leak website, hinting at a potential resumption of negotiations or even a ransom payment.

How to resist ransomware?

Organizations can enhance their resilience against extortionists through a multifaceted approach. First and foremost, robust cybersecurity measures are imperative. Regularly updating and patching systems can mitigate vulnerabilities, making it harder for extortionists to exploit weaknesses. Implementing strong access controls and regularly reviewing user privileges adds an extra layer of defense. Regular data backups are essential to ensure that organizations can quickly recover from ransomware attacks without succumbing to extortion demands. A well-defined incident response plan, including communication protocols and coordination with law enforcement, prepares organizations to swiftly and effectively handle extortion attempts.

Lastly, collaboration within the industry and sharing threat intelligence can strengthen collective defenses against evolving extortion tactics. By staying informed and implementing proactive measures, organizations can significantly reduce the likelihood of falling victim to extortionists.

Welltok Data Breach Exposes More Than 8 million Patients
https://gridinsoft.com/blogs/welltok-data-breach-8-million-patients/
Thu, 23 Nov 2023 19:44:51 +0000

Welltok, a healthcare Software as a Service (SaaS) provider, has reported unauthorized access to its MOVEit Transfer server, impacting the personal information of nearly 8.5 million patients in the United States. The breach, detected on July 26, 2023, has raised concerns about the security of patient data and has significant implications for healthcare providers across various states.

Welltok Data Leaked Because of MOVEit

Welltok specializes in online wellness programs, predictive analytics, and supporting healthcare needs for providers nationwide. The breach, resulting from a MOVEit software vulnerability exploited by the Cl0p ransomware gang, allowed unauthorized access to confidential patient data.

Sensitive patient information compromised during the breach covers a wide range of data. Among it are full names, email addresses, physical addresses, telephone numbers, Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and certain health insurance information. The breach has affected healthcare institutions in multiple states, including notable providers such as:

  • Blue Cross and Blue Shield
  • Corewell Health
  • Mass General Brigham Health Plan
  • Faith Regional Health Services

Welltok’s initial estimates didn’t disclose the full scale of impacted individuals. However, recent reports confirm that 8,493,379 people have been affected, making it the second-largest MOVEit data breach after Maximus. The breach’s ripple effect extends to various healthcare plans, emphasizing the widespread consequences for patients and healthcare providers.

Screen of phishing email
Typical phishing email used by Cl0p group to start the cyberattack

Implications of Welltok Data Breach

Welltok sent out data breach letters to those impacted by the data security incident on November 17, 2023. The letters contain a list of compromised information.

A review of the affected files revealed that they contained sensitive information about health plan members, including their names, dates of birth, addresses, and health records. In addition, some individuals’ Social Security numbers, Medicare/Medicaid IDs, and health insurance information were also stolen. A substitute breach notification was uploaded to the Welltok website in October. However, the page was set as no-index, meaning it wouldn’t be indexed by search engines and would only likely be found by individuals who visited the website.

How to prevent data breaches?

To prevent data breaches, organizations should prioritize a comprehensive cybersecurity strategy. Begin by conducting regular security audits and implementing strong access controls, ensuring employees have minimal access privileges. Encrypt sensitive data both in transit and at rest, utilizing robust encryption methods. Keep systems updated with the latest security patches and employ multi-factor authentication to enhance access security.

Invest in employee training to raise awareness about cybersecurity risks, particularly phishing attacks. Secure network perimeters using firewalls and intrusion detection systems, monitoring user activities for any anomalies. Regularly back up critical data and establish a solid recovery plan to minimize downtime in case of a breach.

Plume Hacked, Data Leaked in the Darknet
https://gridinsoft.com/blogs/plume-hacked/
Thu, 16 Nov 2023 10:06:43 +0000

An anonymous hacker posted about a Plume data breach on the Darknet. The hacker says they have stolen the personal information of millions of users and threaten to release the data unless the company pays them a ransom.

What is Plume?

Plume Design, Inc. develops and sells smart home Wi-Fi mesh networking systems. Its flagship product, the Plume SuperPod, is a mesh Wi-Fi system that uses AI to optimize network performance. Plume also provides software features such as parental controls, network security, and motion sensing. ISPs, cable companies, and telecoms use the company’s technology.

It works as a Software-as-a-Service (SaaS) specializing in smart Wi-Fi solutions, cloud management, and AI-driven security services. Operating in over 45 countries, the company boasts a significant user base, claiming to serve more than 55 million homes and small businesses.

Plume Data Breach Details

Plume, a leading provider of smart WiFi services, finds itself at the center of a potential data breach. The attackers have purportedly posted gigabytes of user data on a prominent data leak forum. The breach, if confirmed, could impact millions of Plume’s customers and staff members. Attackers claim to have successfully infiltrated Plume’s systems, making off with a substantial 20GB of data from the company’s WiFi database. This trove of information reportedly encompasses more than 15 million lines, featuring diverse user profiles, including mobile app users, customers, and even Plume’s internal staff.

Data leak post screenshot
Data leak post

The attackers said the dataset encompasses sensitive information like email addresses, device details, carriers, first and last names, iOS and Android versions, and more. As for the company’s reaction, Plume’s response to the claims has been prompt, acknowledging the alleged breach and initiating an internal investigation. A representative from Plume stated, “We are aware of the claim, and our teams are actively investigating the situation.”

Data Sample Validation

The research team has delved into the data sample provided by the attackers, affirming that the sample aligns with the details outlined in the attackers’ statements. However, the lack of a complete data set from the attackers raises questions about the authenticity of the leaked information. Without a comprehensive dataset, whether the compromised data genuinely belongs to Plume or was sourced from an alternative origin remains uncertain.

Notably, the attackers have taken an unconventional approach by creating an X account and announcing the alleged breach on social media platforms. This departure from traditional covert channels raises some eyebrows within the cybersecurity community, since attackers typically opt for more discreet methods when publicizing their exploits.

Potential Impacts

As Plume’s investigative teams delve deeper into the situation, users are advised to remain vigilant and consider implementing additional security measures. While the company is actively addressing the claims, the potential exposure of sensitive information necessitates a proactive approach from users to safeguard their data.

7 Million Freecycle Users Exposed In a Massive Data Breach
https://gridinsoft.com/blogs/freecycle-hacked-7-million-users-exposed/
Tue, 05 Sep 2023 20:06:14 +0000

Freecycle has alerted its users that the sensitive information of over 7 million of them may have been compromised in a recent data breach. The organization has urged its users to change their login credentials immediately to prevent any further unauthorized access to their accounts.

Detection of data breach

Freecycle, a nonprofit organization that promotes sustainability through community involvement, recently discovered a severe data breach. The organization’s security team detected the breach on August 30th, 2023, several weeks after a cybercriminal had already put the stolen data up for sale on a hacking forum on May 30th. Accordingly, Freecycle’s warning emphasized the urgency of the situation, urging affected individuals to change their passwords immediately.

Massive Freecycle Data Breach
Stolen personal data for sale on a hacking forum

After analyzing the screenshots posted by the attackers, experts concluded that the attackers had stolen the credentials of Freecycle founder and executive director Deron Beal. As a result, the attackers had gained access to sensitive information.

After detecting the data breach, the organization informed the police. The company also advised users to be cautious of phishing attacks and scams that may target them. The warning states that despite most email providers efficiently filtering spam, users may receive an increased amount of spam emails.

Consequences of data leakage

The compromise of Deron Beal’s credentials, the founder and executive director of Freecycle, is one of the most concerning aspects of this data breach. This security breach allowed the threat actor to gain full access to member information and forum posts, which could lead to further data manipulation or unauthorized actions.

The data that was stolen includes a variety of important user information, such as:

  • User IDs. The numerical identity assigned to each user for identification purposes.
  • Usernames. The unique identifiers members use to identify themselves on the platform.
  • Email Addresses. The contact information used for communication and notifications.
  • MD5-hashed Passwords. Passwords hashed with the MD5 algorithm, which is now considered weak and vulnerable to attacks.

Fortunately, no additional personal information was exposed beyond this dataset. However, the compromise of MD5-hashed passwords is concerning, since weak passwords can be recovered from their MD5 hashes.
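To make the MD5 concern above concrete from the defender’s side, here is an added example (not code from the Gridinsoft post or from Freecycle) showing why an unsalted MD5 password store is weak and how a site can move away from it: identical passwords produce identical MD5 digests, so a single lookup-table hit cracks every account sharing that digest, whereas a salted, slow key derivation function such as PBKDF2-HMAC-SHA256 gives every user a distinct, expensive-to-test record. The user table and the iteration count are constructed assumptions for the example; the functions use only the Python standard library.

```python
"""Unsalted MD5 password hashes vs. salted PBKDF2, with a login-time migration.

Added example, not Freecycle's or Gridinsoft's code. Sample data is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample member table: two members happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2023",
    "bob": "Summer2023",
    "carol": "correct horse battery staple",
}

# Assumed work factor; pick the highest your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def md5_hash(password: str) -> str:
    """Legacy scheme: plain MD5 hex digest, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_md5_groups(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper: group members whose unsalted MD5 digests collide.

    Equal digests mean equal passwords, and one precomputed-table hit on the
    digest recovers the password for every member in the group at once.
    """
    groups: Dict[str, List[str]] = {}
    for name, password in users.items():
        groups.setdefault(md5_hash(password), []).append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Current scheme: per-user random salt plus a slow PBKDF2-HMAC-SHA256 derivation.

    The stored record carries everything needed to verify later:
    algorithm$iterations$salt_hex$derived_key_hex.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), derived_hex)


def migrate_on_login(record: Dict[str, str], password: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Verify a login against whichever scheme the record holds.

    On a successful legacy (MD5) match the weak digest is replaced with a
    salted PBKDF2 record, so an existing member base is upgraded transparently
    as people log in, without ever asking users for their password out of band.
    Returns True when the password was accepted.
    """
    if "pbkdf2" in record:
        return verify_pbkdf2(password, record["pbkdf2"])
    if hmac.compare_digest(md5_hash(password), record["md5"]):
        record["pbkdf2"] = pbkdf2_hash(password, iterations=iterations)
        del record["md5"]
        return True
    return False


if __name__ == "__main__":
    print("Members sharing an MD5 digest:", duplicate_md5_groups(SAMPLE_USERS))
    legacy = {name: {"md5": md5_hash(pw)} for name, pw in SAMPLE_USERS.items()}
    for name, pw in SAMPLE_USERS.items():
        migrate_on_login(legacy[name], pw)
    print("After migration, salted records differ even for equal passwords:",
          legacy["alice"]["pbkdf2"] != legacy["bob"]["pbkdf2"])
```

Running the script shows alice and bob grouped under one MD5 digest, while their migrated PBKDF2 records differ because each carries its own salt. The `duplicate_md5_groups` audit is something an operator can run over their own user table before an incident to gauge how much a leaked hash dump would expose.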

Freecycle response

Freecycle assured users that no personal data beyond the specified dataset was compromised. In addition, the breach has been contained, and the organization cooperates with privacy authorities.

“We apologize for the inconvenience and would ask that you watch this space for further pending background.” (Freecycle)
“As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don’t download attachments unless you are expecting them.” (Freecycle)

Minimization of Data Breaches

The following tips can help reduce the risk of a data breach in your organization:

  • Keeping your systems updated is critical to ensure that vulnerabilities are patched and cybercriminals cannot exploit them.
  • It is highly recommended to encrypt your data, as it can prevent fraudsters from taking advantage of it.
  • Regularly back up your data, as this allows for quick and efficient recovery in case of any damage.
  • A zero-trust model prevents cybercriminals from infiltrating and moving laterally by not trusting any entity inside or outside the network perimeter.
  • To strengthen cybersecurity, all users should use multi-factor or biometric authentication.

Users who reuse passwords across multiple online services should change them immediately to prevent security breaches.

NortonLifeLock Hacked by Cl0P Gang, Using MOVEit Vulnerability
https://gridinsoft.com/blogs/nortonlifelock-hack-moveit-clop/
Mon, 19 Jun 2023 17:52:31 +0000

NortonLifeLock, the world-famous antivirus software developer, had reportedly been hacked by the Cl0p ransomware gang. Hackers listed it on their Darknet leak page, and it appears that the cybersecurity vendor is yet another victim of MOVEit vulnerability.

NortonLifeLock Hacked via MOVEit Vulnerability

The vulnerability in Progress’ MOVEit MFT solution set the whole cybersecurity community abuzz. It allowed hackers to send external login requests to the cloud SQL database. After a successful brute force in such a manner, the crooks received full access to the web repository, meaning they could upload their own files and manage existing ones. Despite the patch being released soon after the vulnerability was discovered, it was too late. Threat actors, particularly the ones behind Cl0p ransomware, successfully abused the vulnerability to breach companies’ networks.

NortonLifeLock Cl0p site ransom note
NortonLifeLock listing on the Cl0p ransomware Darknet leak site

NortonLifeLock, the developer of the famous Norton Antivirus, appears to have been hacked via this vulnerability as well. Along with 80+ other companies, it has been listed on Cl0p’s Darknet leak site since the beginning of summer 2023. It is not clear, though, whether the MOVEit vulnerability was indeed used and, if it was, which of the several uncovered ones.

What is Cl0p Ransomware?

The Cl0p ransomware gang is a Russian ransomware project backed by the threat actor known under the FIN7/Sangria Tempest name. A lot of facts point at FIN7 being related to Russia’s Foreign Intelligence Service (SVR). The gang is famous for its cheeky pick of targets, a particular passion for hacking into educational institutions, and heavy use of newly discovered software vulnerabilities. Earlier this year, Cl0p ransomware was spread through the use of a vulnerability in PaperCut, another MFT solution. The list of all security flaws it uses is obviously far bigger, though.

Cl0p
A ransom note from Cl0p ransomware

Getting back to the Norton hack: in the note on the Darknet site, Cl0p said nothing about negotiations. When a company refuses to pay, the hackers disclose this fact and publish the leaked data. This is not the case for Norton; its listing mentions only the fact of the hack. Negotiation commonly takes up to several weeks, especially if the company is ready to pay but wishes to discuss the ransom sum.

How to protect against MOVEit vulnerability?

For any cybersecurity company, being hacked is a big reputational loss. Even though Norton is not to blame for the MOVEit vulnerabilities, it was hacked and potentially let user information leak, and that is already damaging to its image. Until detailed information on how exactly it was hacked and how much data was lost becomes available, it is hard to say whether users will suffer. And although Norton is not entirely at fault in this situation, it could use several preventive measures that minimize the chances of zero-day vulnerability exploitation.


Probably the best method of 0-day counteraction is a zero-trust security solution. Such solutions have their disadvantages, particularly high resource consumption and higher access delays, but their effectiveness is exceptionally good. When set up properly, they will not allow any program to perform an action without a thorough check, and that is what could have stopped Cl0p at the moment the MOVEit flaw was exploited.

Third Party Data Breach: Definition and How to Prevent It
https://gridinsoft.com/blogs/third-party-data-breach/
Mon, 12 Jun 2023 09:57:28 +0000

In today’s digital landscape, data breaches have become an alarming reality for organizations and individuals. The increasing reliance on technology and the widespread collection, storage, and exchange of personal information have created opportunities for cybercriminals to exploit vulnerabilities. Among the various types of data breaches, third party data breach has emerged as a particularly concerning threat.

What is Third Party Data Breach?

A third party data breach occurs when cybercriminals compromise the computer systems of your vendors or business partners and access your sensitive information. Note that any vendor in your business network can be vulnerable to such attacks, and studies suggest that approximately 60% of all data breaches are caused by third-party vendors.

Experiencing a security breach can have serious financial consequences for your business, irrespective of the cause. An industry report says the average recovery and remediation cost is more than $7 million. This risk is especially significant for credit card companies, email service providers, and those offering cloud services.

Third Party Data Breach
Scheme of the network connections between the company and its third parties

Third-party suppliers, partners, and vendors are crucial to businesses but also vulnerable to cybercriminals. A breach can have severe consequences for everyone involved, not just the industry affected.

Examples of Data Breaches Caused by Third-Party Vendors

Cyber attacks like phishing and ransomware have increased during the COVID pandemic as many employees work from home using virtual private network (VPN) connections with varying levels of security. These attacks can result in data breaches, a common occurrence in cybercrime.

To better understand what types of data can leak, let’s look at some examples of third party data breaches:

  • One of the world’s largest electronics companies, General Electric (GE), recently announced that the sensitive information of current and former employees may have been exposed in a data breach at Canon, a third-party company.
  • T-Mobile lost control over the personal information of approximately 1 million customers after experiencing a hack on their email provider.
  • Health Share of Oregon, an organization that manages healthcare services for Medicaid clients in Oregon, experienced a security breach when an unencrypted laptop was stolen. This resulted in the exposure of personal information belonging to more than 650,000 clients.
  • Improperly secured websites and login information storage can lead to security breaches. Recently, a bug on a website called Social Captain allowed unauthorized access to thousands of Instagram usernames and passwords.

These few examples I found are already enough to understand which data categories are endangered. Pretty much everything you share with your contractors – trade secrets, payment information, amounts of supplies and dates of delivery, info about other contractors – all these things may become the subject of a leak. The exact type of information exposed generally depends on the way the third party data breach happened.

Various Ways Third-Party Data Breaches Happen

Organizations must assess and manage the risks associated with third-party relationships and implement appropriate security measures to effectively prevent and respond to these types of breaches:

Supply Chain Attacks

In this attack, hackers exploit a trusted third-party vendor or supplier to gain unauthorized access to an organization’s systems or data. They use weaknesses in the third-party’s infrastructure or software to infiltrate the organization’s network and steal sensitive information.

Cloud Service Provider Breaches

Many organizations trust cloud service providers to store and manage their data. However, if a data breach happens, it could put the data of multiple clients at risk. This kind of breach can happen because of provider infrastructure weaknesses, poorly set up access controls or insider threats.

Outsourcing Partner Breaches

Outsourcing involves hiring a third-party service provider to perform tasks that the company’s employees traditionally did. These tasks can range from back-office support to manufacturing. However, companies need to be careful when outsourcing certain functions or services to external partners, because there is a chance of a data breach if the partner’s security measures are inadequate. This can happen if the partner mishandles data, experiences a cyberattack, or has internal security weaknesses.

Payment Processor Breaches

When you make a purchase with a credit card, a payment processor helps facilitate the transaction between the seller and the bank. It ensures that the seller receives the payment and that everything is processed securely. However, if a payment processor’s security is compromised, it could result in the theft of crucial financial information like personal details or credit card numbers.

Insider Threats

An insider threat occurs when individuals who have permission to access an organization’s network, applications, or databases take harmful actions. These individuals can include former or current employees and third-party entities like partners, contractors, or temporary workers. They may also have gained access through compromised service accounts. In some cases, insiders within third-party organizations may intentionally access or disclose sensitive data without authorization, either for personal gain, malicious intent, or due to coercion.

Most common types of insider threats
Types of insider threats

Preventing Third Party Data Breach

It can be challenging for businesses to hold third-party vendors responsible, mainly if there is no established third-party security policy or program. Ideally, all third-party vendors should adhere to the same strict standards and data security measures that your company has internally.

1. Audit Third-Party Vendors for Compliance

Before bringing on any third-party vendors, discussing risk management requirements with them upfront is important. Some vendors may be close to being audited by partners, so it’s crucial to ensure they are willing to answer questionnaires as part of your due diligence process. If a vendor resists this, they may resist an audit.

Maintaining up-to-date data protection measures is key to building a solid relationship with third-party vendors. Conducting an audit is the best solution to ensure your vendor is following security compliance frameworks and has performed well in previous audits. During the audit, look for any indicators of compromise and assess how well the vendor manages cybersecurity risks.

2. Require Proof of the Third-Party Vendor’s Cybersecurity Program

It’s not enough for the vendor to have an information security program when preventing third-party breaches. They must also demonstrate a commitment to risk management and allocate resources to their vulnerability management program. To ensure this, ask for the vendor’s most recent internal risk assessments, penetration testing results, and compliance frameworks. The vendor must have a strong risk management program, a strategy for mitigating supply chain risks, and a plan for addressing potential data breaches.

3. Adopt a Least-Privileged Model for Data Access

It’s common for third-party data breaches to happen when the provider is given more access than they need to do their job. To improve your network security, enforcing strict access standards for third-party service providers is important. This means giving them the lowest level of access necessary. It’s also crucial to be cautious with sensitive data like Social Security numbers and personal information. By following these least-privileged access standards, you can effectively manage vendor risk and minimize any potential damage from a breach.

4. Adopt the Zero-Trust Network and Data Model

It’s crucial to map, authenticate, and encrypt your network flows to enhance your security ratings. Even if cybercriminals infiltrate a part of your computer system, implementing a zero-trust model prevents them from moving laterally. You can’t trust any entity inside or outside your established network perimeter. To strengthen this framework, it’s essential to enforce multi-factor authentication or biometric identification for all users as part of your cybersecurity protocol.
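The four prevention steps above can be turned into a repeatable check. The script below is an added example, not the article's code: it audits constructed vendor access records against a least-privilege baseline, flags sensitive data scopes granted without MFA, and reports overdue compliance audits. The vendor names, scope names and audit thresholds are assumptions chosen for illustration.

```python
"""Audit third-party vendor access against least-privilege and zero-trust rules.

Added example; the vendors, scopes and thresholds are constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Data categories the article singles out as especially sensitive.
SENSITIVE_SCOPES: Set[str] = {"ssn", "payment_cards", "personal_info"}


@dataclass
class VendorAccess:
    vendor: str
    granted: Set[str]      # scopes actually granted in IAM or the application
    required: Set[str]     # scopes the contract or job actually needs
    mfa_enforced: bool     # step 4: MFA for every user, vendors included
    last_audit_days: int   # step 1: days since the last compliance audit


def audit_vendor(v: VendorAccess, max_audit_age_days: int = 365) -> List[str]:
    """Return a list of findings; an empty list means the vendor is compliant."""
    findings: List[str] = []

    # Step 3: least privilege. Anything granted beyond what is required is excess.
    excess = v.granted - v.required
    if excess:
        findings.append(f"over-privileged: revoke {sorted(excess)}")

    # Step 4: zero trust. Sensitive scopes must never be reachable without MFA.
    sensitive = v.granted & SENSITIVE_SCOPES
    if sensitive and not v.mfa_enforced:
        findings.append(f"sensitive scopes {sorted(sensitive)} without MFA")

    # Step 1: audits must be current, or the vendor's posture is unknown.
    if v.last_audit_days > max_audit_age_days:
        overdue = v.last_audit_days - max_audit_age_days
        findings.append(f"audit overdue by {overdue} days")

    return findings


def audit_all(vendors: List[VendorAccess]) -> Dict[str, List[str]]:
    """Map each vendor name to its findings."""
    return {v.vendor: audit_vendor(v) for v in vendors}


# Constructed sample records (not real vendors).
SAMPLE_VENDORS: List[VendorAccess] = [
    VendorAccess("payroll-provider", {"personal_info", "ssn", "payroll"},
                 {"personal_info", "ssn", "payroll"}, True, 90),
    VendorAccess("marketing-agency", {"crm_read", "crm_write", "personal_info"},
                 {"crm_read"}, False, 400),
    VendorAccess("cloud-backup", {"storage_rw", "payment_cards"},
                 {"storage_rw"}, True, 30),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_VENDORS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```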

RaidForums Leaked, Data of Almost 500,000 Users Published https://gridinsoft.com/blogs/raidforums-data-breach/ Tue, 30 May 2023 16:48:56 +0000

RaidForums, the former leader among the underground forums, now suffers a user data leak. Despite being shut down in April 2022, it is still susceptible to a data breach. The data of a black market is now given away for free… on another black market.

What is RaidForums?

RaidForums is an ex-leader among Darknet marketplaces and forums that was used to sell different sorts of data. Stolen credentials, PII, network accesses and data stolen from various sources – hackers flooded it with their stuff. However, it all ended in April 2022, after the successful Operation Tourniquet, initiated by the FBI. Law enforcement managed to seize the servers and detain the forum’s admin – Diogo Santos Coelho.

RaidForums main page
RaidForums’ main page – back when it was active

Nature abhors a vacuum, thus the crowd migrated from the wiped platform to other forums. The new favourite – BreachForums – was swirling with criminal activity for almost a year, until another successful FBI operation. In March 2023, one of the forum admins was detained, and another considered shutting it down due to the danger of the FBI taking it over.

RaidForums Data Leaked

On May 29, a database of RaidForums users was published on Exposed, the new favourite among Darknet forums that popped up after the Breached collapse. The one who released it is a forum admin, nicknamed The Impotent. The leaked database contains records (usernames, passwords, emails and even avatars) of over 478,000 users. This leak size is incredible, especially considering that RaidForums had only 550,000 users at the time of its seizure.

RaidForums leak
Post that announces the data leaked from RaidForums

Though, as Exposed users who got their hands on the actual database say, it is not complete. Not all of the records have all the data sets mentioned in the leak announcement. Nonetheless, the fact that the data regarding all the users of the ceased forum is now publicly available is tremendous. The admin refused to share the source of such a leak, but probably this data was already processed by the law enforcement agencies that managed to take over the forum. I.e., there is nothing particularly new or deanonymizing, though such a leak being available to everyone may be dangerous for ex-users of RaidForums.

Now what?

As I’ve just mentioned, the RaidForums leak creates privacy and account theft dangers for everyone present in the leaked database. Even though those who were anywhere near law enforcement’s interests already got a visit from men in uniform, an email+password pair may give away a lot of information. For brute forcers, this data will be a great addition to their databases – and be sure, they will use it. Fortunately, the database was already indexed by services that track exposed data.

If you used RaidForums but don’t see your account in the leak or on the checkup sites, it is still a good idea to change your password. In the modern threat landscape, it is recommended to perform this procedure once a quarter. The more symbols and randomness you use, the less susceptible you are to brute force attempts.

Fullerton India Hacked, LockBit Leaks 600GB of Data https://gridinsoft.com/blogs/fullerton-india-lockbit-ransomware/ Tue, 09 May 2023 11:43:56 +0000

Fullerton India, a large lending institution from India, appears to have been hacked back in early April 2023. It is confirmed by the LockBit ransomware Darknet blog, where hackers listed the company, and now, over a month later, published all the leaked information.

Fullerton, LockBit – who are they?

Fullerton India Credit Company, or Fullerton India for short, is a major lending company that operates across almost the whole country. It offers a wide range of lending programs, targeted at both individuals and businesses. The company has almost 700 branches all over India, which allows it to reach even small towns and villages. The latest reports issued by the company mention ~2.3 million customers, net assets of over 2.5 billion, and around 13,000 employees. Such companies – pretty large and related to the financial sector – have always been in the scope of cybercriminals.

The LockBit gang is an infamous hacker group, active since 2019. They have passed through 3 major “epochs” since then, expanding their operations and offering new solutions for their “product”. The gang uses the ransomware-as-a-service operation model and offers a wide range of supplementary services to their “main” product – ransomware. Specific approaches used in malware design, together with the mentioned services, allow this malware to be the fastest among the massively used ones. All that made the LockBit gang the most successful ransomware on the market: its share in total attacks is over 40%. It seems that at some point, they decided to take a break from ransoming American companies and try out something new.

LockBit Publishes Data Leaked From Fullerton India

File encryption is not the only problem created by threat actors. Before launching the ciphering process, crooks often steal all the data they can reach. LockBit applies a specific tool that allows them to extract more data in a shorter period of time. Then, hackers ask for an additional ransom – otherwise, the data will be published or sold to a third party. Such a practice is known as double extortion. LockBit, however, is known for applying another way of pressuring their victims. Aside from threatening to publish data, they launch a DDoS attack upon the victim’s network, and keep it going until the ransom is paid. It is not clear if hackers used that trick here as well.

Fullerton India on LockBit site
Fullerton India page on the LockBit’s Darknet leak site

Based on the data available on the surface and dark Web, I can assume that the exact breach happened around late March – early April. The first deadline was set for April 29, which means Fullerton was listed ~2 weeks before. Now, however, the final date is set to May 3 – four days past the previous date. Hackers also specified that the company can delay the deadline for $1,000/day. Simple maths suggests that the company has already spent $4,000, and it is not clear whether they paid a ransom for data decryption. The cybercriminals’ demand for avoiding data publishing – $3 million – is definitely not paid. Fullerton themselves reported the cyberattack only on April 24.

Fullerton Press release
Press release regarding “malware incident” issued by Fullerton India

In the note present among other information about the attacked company, LockBit specifies the amount of leaked data – 600 gigabytes. They also shared some details regarding data categories available in the leak:

Loan agreements with individuals and legal companies. Status of customer and organizational accounts. Agreements with banks and other financial institutions. Data on international transfers. Financial documents, including sales information. Mail correspondence on important transactions with attachments. Personal data of the company’s customers. And much more.
LockBit's note in the company listing.

How Dangerous is Fullerton Leak?

Most of the data the LockBit gang got their hands on is related to company operations. Thus, the key danger and damage there goes towards the company’s image. Fullerton is not a publicly-traded company, thus info about the hack cannot harm anyone through a share price drop. Nonetheless, ransom amounts typically asked by the LockBit group are tangible – much more tangible, in fact, than the cost of the cybersecurity improvements that could prevent such attacks in the future.

The risk of any cyberattack is the fact that hackers can have a peek into a company’s internal architecture. Considering the tight relationships between ransomware gangs, especially ones from Russia, it is logical to suppose that another group of hackers may be interested in attacking companies like Fullerton. And instead of doing lengthy research in order to find the entry point, they can simply ask their “colleagues” – and get all the information immediately. Security measures should be taken as quickly as possible – and that is true for any cybersecurity incident.

How to protect against LockBit ransomware?

Despite having an advanced payload and auxiliary software, LockBit shares its spreading ways with other ransomware. Email spam is the king of the hill, used in over 60% of all cyber attacks around the world. Though more targeted approaches may be used as well – like RDP exploitation or the use of other network vulnerabilities. Protecting against them requires a multi-directional approach that is quite hard to implement in one step.

First of all, guide your personnel regarding spam emails. Detecting a fake email may be obvious to a knowledgeable person, though not everyone knows how to do it. The easiest way to uncover the fraud is to check the email address – it will differ from the genuine one. Still, there have been cases where hackers used compromised business emails to perform further attacks. For that reason, I’d recommend having a peek into a dedicated article about email phishing and ways to recognize it.

Malicious attachment email
Example of the email message that contains malware

Counteracting network breaches requires the use of specific software. A passive approach is possible – yet far less effective than the use of proactive software solutions. The latter are represented by Network Detection and Response systems. They combine the properties of network monitors, firewalls and (partially) anti-malware programs, providing a secure shield over the entire network.

Keep up with the latest news regarding vulnerabilities. Top-rated security is possible only in an environment which is hard to exploit. When cybersecurity researchers uncover vulnerabilities, or hackers use a new one in the wild, it is recommended to find and fix these gaps promptly. Consider having several cybersecurity blogs on speed dial – and the numbers of your software vendors as well. Nothing saves you more than a fast reaction.
