Also: Swiss Multinational ABB, Lacroix, US DOT and Qilin Ransomware
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between May 11 and May 18, the spotlight was on a cybersecurity incident at the Philadelphia Inquirer, Swiss engineering multinational ABB, French electronics manufacturer Lacroix, the U.S. Department of Transportation, Dallas’ ongoing efforts to recover from a Royal ransomware attack, Brightly Software, Discord, Virginia debt collector Credit Control Corp., and IT and telecom distributor ScanSource. Also, researchers at Group-IB infiltrated the Qilin ransomware-as-a-service group to disclose details about its inner workings.
The Philadelphia Inquirer is working to restore systems affected in a cyberattack over the weekend that caused it to suspend delivery of the Sunday edition. The online edition was briefly affected on Saturday morning.
Publication resumed Monday but without classified and death notices, which resumed Wednesday. The paper reported Monday that Lisa Hughes, the Inquirer’s publisher and chief executive, is declining to say whether the newspaper received a ransom demand or if it received communication from the attackers.
Staffers spent Monday and Tuesday locked out of the newsroom, working instead in a temporary space. Hughes said cybersecurity vendor Cynet first detected anomalous activity on Thursday. The newspaper is calling the attack its greatest disruption since a paralyzing winter blizzard in January 1996.
Swiss multinational technology giant ABB detected an IT security incident that affected some of its systems, a spokesperson told Information Security Media Group. While the attack halted some operations, a vast majority of its systems and factories are up and running, the spokesperson said.
Bleeping Computer reported the incident was a ransomware attack by the Black Basta ransomware gang. The online outlet said hackers attacked ABB’s Windows Active Directory, affecting hundreds of devices. As of publication, Black Basta has not listed ABB on its leak site.
ABB employs nearly 105,000 people across the globe and had $29.4 billion in revenue in 2022. The company manufactures a range of industrial products including industrial software, motors and electric vehicle charging infrastructure.
French electronic assemblies and subassemblies manufacturer Lacroix said it detected a targeted cyberattack on its sites in France, Germany and Tunisia. “Some local infrastructures have been encrypted, and an analysis is also being carried out to identify any exfiltrated data,” the company said. The attack disrupted production at the sites, and the company aims to restart manufacturing on May 22. The three sites represent 19% of the group’s total sales in 2022.
US Department of Transportation
The U.S. Department of Transportation is investigating the breach of personal information of 237,000 current and former federal government employees first reported by Reuters. In a letter to Congress, the DOT said the incident affected the TRANServe transit benefits system that reimburses government employees for commuting costs. The agency took the TRANServe system offline for “unscheduled maintenance.”
Coincidentally on Monday, a report from the Government Accountability Office said DOT could improve its implementation of cybersecurity policies and provide better oversight of cyber leaders at subagencies. “For example, DOT reviewed component agency cybersecurity programs for agencies within the department, but didn’t use the reviews to address long-standing cyber issues.”
Update on Dallas
The city of Dallas is still recovering from a Royal ransomware attack in a process a city official told The Dallas Morning News could take months to complete.
A Monday update from the city says investigators have still not found any indication that data from residents, vendors or employees was leaked during the attack. Dallas TV station WFAA reported May 11 that the emergency service computer-aided dispatch system had been partially restored. Dallas Police Chief Eddie Garcia said Tuesday the attack is hampering annual summer youth programs created in a bid to lower crime.
The city public library system advised readers not to return overdue books since its catalog database is still down.
Siemens subsidiary Brightly Software notified customers about a compromise to personal information and credentials linked to its SchoolDude maintenance work order tracking system. Hackers gained access to information including names, email addresses, passwords, phone numbers and school district names. The software company reset all user passwords and encouraged users to set new, stronger passwords.
Instant messaging and social platform Discord notified users last week of a data breach. According to a notice posted by a Reddit user, “Discord was made aware of a brief incident that resulted in unauthorized access to a third-party customer service agent’s support ticket queue.” Compromised data may include email addresses, the content of customer service messages and attachments. Discord is being tight-lipped about the breach with the media. It did not respond to ISMG’s request for additional information.
Credit Control Corp.
Virginia debt collection company Credit Control Corp. revealed Saturday that a March 7 security incident had led to the compromise of personal data of 286,699 individuals. Threat actors gained unauthorized access and copied files containing confidential client data such as name, address, Social Security number and account balance. The breach primarily affects 12 healthcare institutions that use CCC to collect money from patients.
North Carolina IT and telecom distributor ScanSource said Tuesday that a ransomware attack that began on Sunday has affected systems. The attack may result in delays for customers and suppliers in North America and Brazil.
Qilin RaaS Platform Unveiled
Researchers at cyber threat intelligence firm Group-IB infiltrated the Russian-speaking Qilin ransomware-as-a-service group.
Findings include: Qilin’s targets are primarily critical sector companies, and affiliate hackers keep between 80% and 85% of extortion payments.
Affiliates gain access to a panel divided into sections such as “Targets” and “Payments.” The Targets section allows affiliates to customize Qilin ransomware with settings such as the ransom amount and victim revenue culled from ZoomInfo. The panel also allows affiliates to create and edit blog posts containing information about attacked companies that declined to pay extortion money.