AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 09/12/2023

Sri Lankan government loses months of data following ransomware attack 

Sri Lanka’s government email network was hit by a ransomware attack that wiped months of data from thousands of email accounts, including ones belonging to top government officials, authorities confirmed on Monday. The attack, which started at the end of August, affected nearly 5,000 email addresses using the gov.lk email domain. The victims include Sri Lanka’s council of ministers which forms the central government of the country. The targeted system, Lanka Government Cloud (LGC), was encrypted along with backups of the system. Although officials were able to restore LGC within 12 hours of the attack, they didn’t have backups from May 17 to August 26, so all affected accounts lost data from that period, according to Mahesh Perera, the head of Sri Lanka’s Information and Communication Technology Agency (ICTA). 

 

MGM Resorts blames ‘cybersecurity issue’ for ongoing outage 

Hotel and casino giant MGM Resorts has confirmed a “cybersecurity issue” is to blame for an ongoing outage affecting systems at the company’s Las Vegas properties. “MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems,” the company said in a statement posted to X, formerly Twitter, on Monday. “Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter,” the statement reads. 

 

New WiKI-Eve attack can steal numerical passwords over WiFi 

A new attack dubbed ‘WiKI-Eve’ can intercept the cleartext transmissions of smartphones connected to modern WiFi routers and deduce individual numeric keystrokes at an accuracy rate of up to 90%, allowing numerical passwords to be stolen. WiKI-Eve exploits BFI (beamforming feedback information), a feature introduced in 2013 with WiFi 5 (802.11ac), which allows devices to send feedback about their position to routers so the latter can direct their signal more accurately. The problem with BFI is that the information exchange contains data in cleartext form, meaning that this data can be intercepted and readily used without requiring hardware hacking or cracking an encryption key. 

 

Microsoft will block 3rd-party printer drivers in Windows Update 

Microsoft will block third-party printer driver delivery in Windows Update as part of a substantial and gradual shift in its printer driver strategy over the next 4 years. “With the release of Windows 10 21H2, Windows offers inbox support for Mopria compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver,” Microsoft says“This removes the need for print device manufacturers to provide their own installers, drivers, utilities, and so on.” According to Johnathan Norman, Microsoft Offensive Research & Security Engineering (MORSE) principal engineer manager, the company will implement a new default print mode to disable third-party drivers for printing purposes. 

 

Save the Children feared hit by ransomware, 7TB stolen 

Cybercrime crew BianLian claims to have broken into the IT systems of a top non-profit and stolen a ton of files, including what the miscreants claim is financial, health, and medical data. As highlighted by VX-Underground and Emsisoft threat analyst Brett Callow earlier today, BianLian bragged on its website it had hit an organization that, based on the gang’s description of its unnamed victim, looks to be Save The Children International. The NGO, which employs about 25,000 people, says it has helped more than a billion kids since it was founded in 1919. BianLian added that its victim, “the world’s leading nonprofit,” operates in 116 countries with $2.8 billion in revenues. The extortionists claim to have stolen 6.8TB of data, which they say includes international HR files, personal data, and more than 800GB of financial records. They claim to also have email messages as well as medical and health data. 

 

Hackers Claim Coca-Cola Bottler Paid $1.5 Million to Keep Lid on ‘Certain’ Files Stolen in Ransomware Attack 

Coca-Cola FEMSA, the world’s largest franchise Coca-Cola bottler, allegedly suffered a cyberattack, prompting management to pay the hackers ransom to prevent the leak of “certain” files. A threat actor known as “TheSnake” allegedly acquired a “full database Coca-Cola FEMSA containing company information, confidential photos and files, and much more,” reports DataBreaches.net, which covers daily data breach events and leaks. In a typical ransomware attack, the threat actor and his crew allegedly penetrated the company’s IT infrastructure twice in just over a year, resulting in a data dump exceeding 8 GB (5.8 GB compressed). 

 

Related Posts