Cloud provider Data Resolution claimed North Korea was behind the ransomware attack on its systems on Christmas Eve.
According to cybersecurity journalist Brian Krebs, Data Resolution was infected with the Ryuk ransomware, which is the same ransomware thought to be behind the attacks on Tribune Publishing Company’s network, which disrupted the publication of newspapers such as the Los Angeles Times and the Chicago Tribune late last week. Krebs reported the attack on Data Resolution temporarily gave the threat actors control of the cloud provider’s data center domain.
Data Resolution has over 30,000 customers worldwide and provides businesses with software hosting, cloud computing, data center services and business continuity systems. The cloud provider, which is based in San Juan Capistrano, Calif., hasn’t made a public statement about the attack yet, but Krebs reported the company notified affected customers on Dec. 29 via a status update on Dropbox. The update said the Ryuk ransomware attack happened on Christmas Eve, with a point of origin of North Korea. “We all were attacked by North Korea,” the customer notification said.
Data Resolution’s customer notification said there is no evidence that any data was stolen or compromised and that the attack was meant to garner a monetary response from the company, and not to steal customer information. The notification also said the company shut down the network and hired security consultants the next day.
According to anonymous sources cited in a Los Angeles Times report, the Ryuk ransomware was also behind the Tribune Publishing attack over the weekend. Ryuk was initially detailed in August 2018 by security vendor Check Point Software Technologies, which said the strain of ransomware had low technical capabilities, but was used in targeted attacks that were successful in getting its victims to pay large ransoms.
According to Krebs, a source at a Data Resolution customer said that Data Resolution did not attempt to pay the ransom and instead relied on restoring systems from backups.
In other news
- Starting this month, the European Commission will fund 14 bug bounty programs in order to find vulnerabilities in the free open source projects that the EU often uses. All 14 programs have varying start and end dates, rewards and platforms, yet the total reward of all bounties combined is nearly $1 million. Bug bounty programs for VLC Media Player, PuTTY, Apache Kafka, Notepad++ and FileZilla start on Jan. 7. The Free and Open Source Software Audit (FOSSA) project, which was first created by Julia Reda, is one of the driving forces behind these bug bounty programs. After the Heartbleed vulnerability was found in 2014, Reda wanted to secure open source software. While some believe that the bug bounty programs will help, others believe that open source software should use more than a bug bounty program to enhance its security.
- A hacking campaign that targets Chromecast adapters, smart TVs and Google Home has been identified after the campaign forced a YouTube video promoting the video of popular game streamer Felix Kjellberg, better known as “PewDiePie.” An anonymous hacker known as TheHackerGiraffe has been performing these attacks in order to promote PewDiePie’s channel due to a battle between PewDiePie and rival YouTube channel T-Series to obtain the most subscribers. TheHackerGiraffe started the campaign with an attack that sent print jobs promoting PewDiePie’s channel to printers connected to the internet and the attacks have grown to the forced playing of a promotional video. At first the attack reached roughly 2,000 devices but has grown to nearly 100,000 after Shodan was used to retrieve devices. In order to prevent falling victim to this attack, Chromecast users should turn Universal Plug and Play off on their devices as the attacks are using this to make internet routers forward public internet ports to private devices.
- A browser-based video game by BlankMediaGames (BMG) called Town of Salem suffered a data breach of 7.6 million users after an anonymous email was received by the security firm DeHashed. The breach included usernames, email addresses, passwords in Phpass and MD5 formats, IP addresses, game/forum activity and premium features that were purchased. According to a DeHashed blog post, the company tried contacting BMG over the holidays but received no response until after DeHashed publicly disclosed the breach. The blog post said BMG “found and removed multiple backdoors on their server.” In an official statement on its forums, BMG said its server has been secured and advised users to change their passwords immediately.