Financial data from some of the world’s biggest companies – including Porsche, Oracle, Toshiba and more – has been stolen and published in a ransomware attack on the large, Germany-based IT provider Citycomp.
Citycomp, which says that it maintains over 70,000 servers and storage systems “of every type and size” in 75 countries, issued a statement saying that it had “successfully fended off a hacker attack” in early April and that it has no intention of complying with the blackmail attempt.
Given its refusal to capitulate, Citycomp said, the data couldn’t be saved from being doxxed. “Full transparency” was in place and it informed its customers “right from the start,” it said.
[Citycomp] does not yield to blackmail. The repercussion is the publication of the stolen customer data.
While Citycomp said that the attack had been stopped, a security firm it’s working with and which was authorized to speak to Motherboard told the publication that as of Tuesday, it was ongoing. Michael Bartsch, executive director of Deutor Cyber Security Solutions:
Citycomp has been hacked and blackmailed and the attack is ongoing. We have to be careful as the whole case is under police investigation and the attacker is trying all tricks.
The hackers created a .onion Dark Web site where the stolen data can be browsed and downloaded. The list of victims includes names such as Porsche, Oracle, Toshiba, the New Yorker, Ericsson, Leica, UniCredit, British Telecom, Hugo Boss, NH Hotel Group, and Airbus, among many others. On the site, the hackers claim that they have “312,570 files in 51,025 folders, over 516GBb data financial and private information on all clients.”

Bartsch told Motherboard that after informing and warning all clients, being fully transparent from the get-go, their support has been “unanimous.”
The hacker(s) told Motherboard in an email that the point of the attack was financial: using the handle Boris Bullet-Dodger, they told Motherboard’s Joseph Cox that they had demanded $5,000 from Citycomp.
“Boris” claimed to have prowled Citycomp’s systems for just over a month, and that they targeted Citycomp specifically because “they have an [sic] totally awful security system.”
The hacker(s) said they had no intention of extorting the client companies themselves:
No, these companies are not guilty of awful work of citycomp.
What to do?
As we’ve mentioned before when reporting about ransomware, defending against a determined, targeted attack demands defense in depth, and, as in many things, prevention is better than cure. That starts with ensuring that your systems are patched and your Remote Desktop Protocol (RDP) is secure, and finishes with regular, comprehensive, off-site backups, with much else in between.
To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.
I wonder if this was how CVE-2019-1804 was discovered (announced yesterday). Cisco has had way too many of these over the last couple years. In the words of Joe Walsh; Time to change the batter.
I wonder how I could find this leak to identify if my company was also affected by the leaked data.
That should read “[Citycomp] does not yield to extortion”. It’s not blackmail, unless one considers weak security to be a crime.
I think it is entirely unexceptionable to treat “extortion” and “blackmail” as synonyms. (Australian English also has the somewhat chilling word “standover” for the same thing.)
In legalistic terms, “demanding money with menaces”.
A great example of the struggle between good and evil… the “good” as in cybersecurity team begging the “bad” (aka the business) into establishing proper server patching, adding new services, etc. to combat the real bad guys.
How many times does it have to happen before your own company falls victim, and then the business users bitch and moan about how lame “our security” is??? Humans – especially those who are on the “business” end of the equation – will NEVER learn.
Just waiting for the gaping security holes we already know about to be exploited. Guess who gets to clean up that mess?????