Hello and welcome to GlobalSign's weekly recap of the top incidents in cybersecurity.
This week we begin at Coca-Cola, which is investigating a ransomware group's claim that it has breached the famous drink-maker's computer systems. The Russian-speaking ransomware group Stormous claims to have stolen 161GB of data from the company and is now asking for 1.65 Bitcoin (about $64,000) in ransom. The files allegedly stolen include compressed documents, text files with admin, emails, and passwords, as well as account and payment ZIP archives. File under: Not so refreshing.
In France, the GHT Coeur Grand Est. Hospitals and Health Care group was forced to disconnect all incoming and outgoing Internet connections after discovering it had suffered a cyberattack that resulted in the theft of sensitive administrative and patient data. The cyber intrusion occurred on April 19th at the hospital network, located in north-east France, and affected two facilities. The Internet connections to the hospitals were cut to prevent the attack from spreading.
The Conti ransomware gang has hit another target, this time the government of Costa Rica. The Associated Press was the first to report Costa Rican government computer systems had been disrupted in a Conti-backed ransomware attack. Issues related to the attack were first reported by the country's Finance Ministry on Monday, which noted that the intrusion has compromised its tax collection, importation, and exportation systems, prompting shutdowns as well as the granting of tax payment extensions. By Wednesday, a local publication reported the attack had spread to eight targets.
U.S. telecommunications giant T-Mobile has admitted that its systems were breached in March, but the company says no customer or government information was stolen in the intrusion. The breach appears to be the work of the cybercrime gang Lapsus$. The activity was uncovered by well-known cybersecurity researcher Brian Krebs, who reviewed private chats revealing that Lapsus$ obtained T-Mobile VPN credentials and stole source code for a range of company projects. Previously known victims of Lapsus$ include Globant, Microsoft, Okta, Samsung, Vodafone, Ubisoft and NVIDIA.
Internet infrastructure company Cloudflare this week said it recently mitigated the largest HTTPS distributed denial-of-service (DDoS) attack it has seen to date. The company said it detected and mitigated a 15.3 million requests-per-second (rps) DDoS attack earlier this month, making it one of the largest HTTPS DDoS attacks on record. The company has mitigated similar attacks before: last August, Cloudflare stopped what it then described as the largest DDoS attack on record, a 17.2 million HTTP requests-per-second (rps) attack, a figure the company said was almost three times larger than any previous volumetric DDoS attack ever reported in the public domain.
The U.S. government is stepping up its search for six Russian intelligence officers affiliated with the state-backed hacking group dubbed "Sandworm," offering a $10 million bounty for information that identifies or locates its members. Sandworm, also known as Telebots, Voodoo Bear, and Iron Viking, has been linked to numerous attacks, the most notable being the NotPetya ransomware attack in the winter of 2017. More recently, in 2020, the group was charged with attacks on Ukraine, Georgia, France and South Korea. In a statement on Tuesday, the U.S. State Department said the 2017 attack spilled outside of Ukraine to the U.S., ultimately resulting in close to $1 billion in losses at a large U.S. pharmaceutical manufacturer, medical facilities, hospitals and other private sector entities.
That's all the highlights for the week. Thanks again for stopping by our blog and have a great weekend!
Top Global Security News
Security Week (April 28, 2022) Cloudflare Customer Targeted in Record HTTPS DDoS Attack
Security and web performance services provider Cloudflare recently mitigated the largest HTTPS distributed denial-of-service (DDoS) attack it has seen to date.
Peaking at 15.3 million requests per second (RPS), this was not the largest application-layer DDoS attack ever recorded, but Cloudflare says it was the largest to be carried out over HTTPS.
In August 2021, Cloudflare announced it had mitigated a 17.2 million RPS DDoS attack. Shortly after, the company said it observed the Mēris botnet launching a 21.8 million RPS attack. The new assault, observed by Cloudflare earlier this month, stands out because HTTPS DDoS attacks require significantly higher computational resources due to the costs associated with establishing a secure TLS encrypted connection.
Bleeping Computer (April 27, 2022) Coca-Cola investigates hackers' claims of breach and data theft
Coca-Cola, the world's largest soft drinks maker, has confirmed in a statement to BleepingComputer that it is aware of the reports about a cyberattack on its network and is currently investigating the claims.
The American beverage giant has started to investigate after the Stormous gang said that it successfully breached some of the company's servers and stole 161GB of data.
Among the files listed are compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other types of sensitive information.
Although Stormous claims to be a ransomware group, there is no indication at this time that it is deploying file-encrypting malware on its victims' networks.
TechCrunch (April 27, 2022) US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks
The U.S. government has stepped up its hunt for six Russian intelligence officers, best known as the state-backed hacking group dubbed “Sandworm,” by offering a $10 million bounty for information that identifies or locates its members.
Sandworm may be best known for the NotPetya ransomware attack in 2017, which primarily hit computer systems in Ukraine and disrupted the country’s power grid, leaving hundreds of thousands of residents without electricity during the depths of winter.
In a statement this week, the U.S. State Department said the NotPetya attack spilled outside of Ukraine across the wider internet, resulting in close to $1 billion in losses to the U.S. private sector, including medical facilities and hospitals.
Bleeping Computer (April 26, 2022) French hospital group disconnects Internet after hackers steal data
The GHT Coeur Grand Est. Hospitals and Health Care group has disconnected all incoming and outgoing Internet connections after discovering it suffered a cyberattack that resulted in the theft of sensitive administrative and patient data.
GHT is a hospital network located in Northeast France consisting of nine locations, 6,000 employees, and approximately 3,370 beds.
The cyberattack occurred on April 19th and affected the CHs of Vitry-le-François and Saint-Dizier, causing GHT to disconnect Internet connections to the hospitals to prevent the attack's spread and further data theft.
SC Magazine (April 25, 2022) Conti ransomware claims attack on Costa Rica
Costa Rican government computer systems have been disrupted in a ransomware attack, which was claimed by the Conti ransomware gang, according to The Associated Press.
Issues related to the attack were first reported by the country's Finance Ministry on Monday, which noted that the intrusion has compromised its tax collection, importation, and exportation systems, prompting shutdowns as well as the granting of tax payment extensions.
Conti has already leaked 50% of the data it has stolen, including over 850GB from the Finance Ministry.
Security Week (April 25, 2022) Lapsus$ Hackers Gained Access to T-Mobile Systems, Source Code
T-Mobile has admitted that its systems were breached recently, but the telecoms giant claimed the hackers did not steal anything of value.
T-Mobile is another high-profile victim of the hacker group named Lapsus$. The gang has targeted several major companies, in many cases leaking large amounts of source code and other data stolen from their systems.
Previously known victims include Globant, Microsoft, Okta, Samsung, Vodafone, Ubisoft and NVIDIA. However, most of these companies said the impact of the breach was limited.
Other Top Industry News