
Malware

Major Data Breach: Suspected Involvement of Powerful State Actor

Dutch police suspect a state-sponsored actor is behind a recent data breach that exposed personal information of 65,000 individuals. The compromised data, from the Dutch Research Council (NWO), includes names, emails, and affiliations of academics and government officials. The NWO has halted grant applications and payments to minimize potential damage.

Close-up of a Dutch police uniform with the word "Politie" and emblem visible, hinting at suspected involvement in a data breach. A police car is slightly blurred in the background, adding to the tension of an unfolding investigation.

Imagine for a moment that your work contact information was compromised. It probably wouldn’t feel great, but it might not be too concerning. Now, imagine you’re a police officer, and your contact information, along with the names, email addresses, phone numbers, and even some private details of your colleagues, was stolen by a state actor. That’s what happened to the Dutch national police force (Politie) just last week.

The breach was discovered after an attacker hacked a police account and stole work-related contact information of multiple officers. With an ongoing investigation underway, the police have chosen not to publicly reveal who is responsible or how the attack was carried out until all the details have been collected and analyzed.

Who could be behind the attack?

While the police are keeping tight-lipped about the identity of the perpetrators, they have suggested that a state actor was likely involved. In other words, it’s possible that another country or individuals acting on behalf of another country carried out the attack. The police were informed by intelligence services about this possibility, and they have since implemented stronger security measures to counter the attack. However, they’re not revealing any more information at this time to avoid tipping off the attackers and jeopardizing the ongoing investigation.

What’s being done to prevent future breaches?

In response to the breach, Dutch police officers are now required to use two-factor authentication more frequently when logging into their accounts as a way to prevent unauthorized access. Additionally, the IT staff is continuously monitoring all systems for any signs of abnormal activity and is on high alert to take immediate action if needed.

How many people are affected?

While the exact number of impacted individuals hasn’t been specified, a letter to the Dutch House of Representatives from David van Weel, Minister of Justice and Security in the Netherlands, states that the work-related contact details of all police officers have been stolen. With the investigation still ongoing, more information is expected to be released when it’s deemed safe to do so without affecting the case.

Stay informed and stay safe

As cybersecurity experts, we understand the importance of staying informed and keeping your personal and professional information safe. It’s essential to be vigilant and proactive about your digital security, especially in today’s increasingly connected world. If you’d like to learn more about how to protect yourself and your organization from cyber threats, we invite you to contact us and keep coming back for more information and insights.


Malware

Casio Suffers Devastating Cyber Attack: Underground Ransomware Leaks Critical Stolen Data

Discover how Casio fell victim to an underground ransomware group, which claims to have stolen sensitive data from the tech giant. Learn about the group’s subsequent data leak and potential repercussions. Stay up-to-date on the latest cybersecurity threats.

A person in a hoodie sits at a laptop displaying a lock symbol, surrounded by digital code and documents in ominous red and black tones, hinting at a looming cyber attack.

We have recently learned that the Underground ransomware gang has taken credit for an attack on Casio, the Japanese tech giant, on October 5. The attack caused disruptions in the company’s systems and affected some of its services.

Earlier this week, Casio acknowledged the attack on its website but did not provide any specifics. Instead, they mentioned that external IT specialists were brought in to determine if any personal data or other confidential information was stolen during the breach.

Now, the Underground ransomware group has posted information on its dark web extortion portal, claiming they have stolen a significant amount of data from Casio.

The stolen data allegedly includes:

  • Confidential documents (社外秘)
  • Legal documents
  • Personal data of employees
  • Confidential NDAs
  • Employee payroll information
  • Patents information
  • Company financial documents
  • Project information
  • Incident reports

If these claims are true, Casio’s workforce and intellectual property have been significantly compromised, potentially harming the company’s business operations.

Casio data leaked on Underground ransomware’s extortion portal (source: IT Services)

We contacted Casio to request a comment on these claims and the data leak, but we have not received any response. As such, we cannot verify the authenticity of the threat actor’s statements at this time.

Underground ransomware: A brief overview

According to a Fortinet report from August 2024, Underground is a relatively small-scale ransomware operation that has been targeting Windows systems since July 2023. The operation is associated with the Russian cybercrime group ‘RomCom’ (Storm-0978), previously known for delivering Cuba ransomware on breached systems.

Fortinet’s report indicates that over the summer, Underground ransomware operators exploited CVE-2023-36884, a remote code execution flaw in Microsoft Office, likely used as an infection vector. Once a system is breached, the attackers modify the registry to keep Remote Desktop sessions alive for 14 days after user disconnection, providing ample time for them to maintain access to the system.

Interestingly, Underground does not add any file extensions to encrypted files and is designed to avoid file types essential for Windows operation, ensuring the affected system remains functional. The ransomware also stops the MS SQL Server service to free up data for theft and encryption, maximizing the impact of the attack.

Like most Windows ransomware strains, Underground deletes shadow copies to make data restoration extremely difficult.
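The three host-level behaviours described above (a 14-day RDP disconnect timeout, a stopped MS SQL Server service, and deleted shadow copies) are all visible to a defender with a read-only check. The script below is an added example, not code from the article or from Fortinet’s report; it assumes the RDP timeout is stored in the standard Windows policy value `MaxDisconnectionTime` (REG_DWORD, milliseconds) under the Terminal Services keys named in the script, since the article does not name the key itself.

```powershell
# Added example: read-only audit of a Windows host for the Underground-style
# settings described in the article. Run from an elevated PowerShell session.
# Assumption: the RDP disconnect timeout is the standard MaxDisconnectionTime
# value (milliseconds) under the two keys below; the article does not name it.

$findings       = @()
$fourteenDaysMs = 14 * 24 * 60 * 60 * 1000     # 1209600000 ms

$rdpKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
foreach ($key in $rdpKeys) {
    $item = Get-ItemProperty -Path $key -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                       # value not set here
    # REG_DWORD comes back as a signed Int32; mask to get the unsigned value
    $ms   = ([int64]$item.MaxDisconnectionTime) -band 0xFFFFFFFF
    $days = [math]::Round($ms / 86400000, 2)
    if ($ms -ge $fourteenDaysMs) {
        $findings += "RDP MaxDisconnectionTime at $key is $ms ms (~$days days): 14-day setting or longer"
    } else {
        Write-Output "RDP MaxDisconnectionTime at $key is $ms ms (~$days days)"
    }
}

# MS SQL Server instances that are installed but not running
Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { $findings += "SQL Server service $($_.Name) is $($_.Status)" }

# Shadow copies: a host that normally keeps them and now has none deserves a closer look
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
if ($shadowCount -eq 0) {
    $findings += 'No volume shadow copies present'
} else {
    Write-Output "Shadow copies present: $shadowCount"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Underground-style indicators found'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A single hit is not proof of compromise (an administrator may legitimately set a long timeout), so treat the warnings as a prompt to review RDP logon history and backup state on that host.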

Underground’s ransom note (source: Fortinet)

One unique aspect of Underground’s extortion tactics is that it also leaks stolen data on Mega, promoting links to archives hosted there via its Telegram channel. This strategy increases the exposure and availability of the stolen information.

Currently, Underground ransomware’s extortion portal lists 17 victims, with the majority based in the USA.

It remains to be seen whether the Casio attack will serve as the catalyst for the threat group to gain mainstream attention and increase the frequency and scale of its attacks.

As cybersecurity experts, we believe it’s essential for businesses and individuals to stay informed about the latest threats and best practices for protecting their valuable data. We encourage you to contact us and keep coming back to learn more about the ever-evolving world of cybersecurity.


Malware

Massive Cyberattack Hits Internet Archive: 31 Million Users’ Data Compromised

The Internet Archive has experienced a data breach, impacting 3.1 million users. Personal information, including email addresses and passwords, was exposed, possibly allowing hackers to access other accounts using the same credentials. Users are urged to change their passwords and stay vigilant against phishing attempts.

Internet Archive logo on a red geometric background, symbolizing resilience even in the face of cyberattacks.

Updates added at the end of the article.

Did you know that the Internet Archive’s “The Wayback Machine” was recently compromised in a data breach? A hacker managed to infiltrate the website and steal a user authentication database containing 31 million unique records. Yikes!

News of the breach began circulating when visitors to archive.org saw a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!,” the message read.

What is HIBP?

HIBP stands for Have I Been Pwned, a data breach notification service created by Troy Hunt. Threat actors commonly share stolen data with this service so users can check if their information has been compromised.

Hunt confirmed that the threat actor shared the Internet Archive’s authentication database with him, which is a 6.4GB SQL file named “ia_users.sql.” The database contains authentication information for registered members, including email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

The most recent timestamp on the stolen records is September 28th, 2024, likely when the database was stolen.

How many people are affected?

Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.

The data was confirmed to be real after Hunt contacted users listed in the database, including cybersecurity researcher Scott Helme, who allowed us to share his exposed record.

Helme confirmed that the bcrypt-hashed password in the data record matched the bcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date when he last changed the password in his password manager.

What’s being done about it?

Hunt contacted the Internet Archive to start a disclosure process and stated that the data would be loaded into the HIBP service in 72 hours. However, he has not heard back since.

It is not known how the threat actors breached the Internet Archive and if any other data was stolen.

What else is happening?

Earlier, the Internet Archive suffered a DDoS attack, which has now been claimed by the BlackMeta hacktivist group, who says they will be conducting additional attacks.

We reached out to the Internet Archive with questions about the attack, but no response was immediately available.

Update 10/10/24: Internet Archive founder Brewster Kahle shared an update on X last night, confirming the data breach and stating that the threat actor used a JavaScript library to show the alerts to visitors.

“What we know: DDOS attacked-fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords,” reads a first status update tweeted last night.

“What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

A second update shared this morning states that DDoS attacks have resumed, taking archive.org and openlibrary.org offline again.

While the Internet Archive is facing both a data breach and DDoS attacks at the same time, it is not believed that the two attacks are connected.

Stay safe out there!

Always be cautious of your online security and remember to change your passwords regularly. If you want to keep up-to-date with cybersecurity news and advice, don’t hesitate to contact us and keep coming back to learn more.


Malware

Latest Dr.Web Cyberattack: Pro-Ukrainian Hacktivists Declare Victory with Potent Assault

Pro-Ukrainian hacktivist group DumpForums has claimed responsibility for a recent data breach at Russian anti-virus company Dr.Web. The group, which is known for targeting Russian websites, reportedly leaked personal details of over 40,000 Dr.Web customers, including names, phone numbers and email addresses.

A person in a hoodie holds a red cube with a spider symbol, surrounded by shattered red and black fragments on a dark background, reminiscent of shadows left by hacktivists after a cyberattack.

Did you hear about the recent cyberattack on Russian security company Doctor Web (Dr.Web)? A group of pro-Ukrainian hacktivists claimed responsibility for the breach that took place in September.

Last month, Dr.Web confirmed that its network was breached on September 14. The company had to disconnect all internal servers and stop pushing virus database updates to customers while investigating the incident.

In a recent announcement, the hacktivist group DumpForums revealed that they were the ones responsible for the attack. They claimed to have gained access to Dr.Web’s development systems and had control for about a month. During that time, they allegedly stole around ten terabytes of data, including client databases, from the company’s GitLab, email, Confluence, and other compromised servers.

Imagine the cyber equivalent of a thief breaking into your home and snooping around for a month! That’s what happened to Dr.Web, and it’s a chilling reminder of the importance of cybersecurity.

Allegedly hacked Dr.Web PostgreSQL server (source: BleepingComputer)

According to ReliaQuest’s Threat Research Team, DumpForums has been an online “hub for hacktivists and patriotic cyber threat actors” since at least late May 2022. Their efforts mainly focus on supporting “the Ukrainian war effort against Russia” through DDoS attacks and leaking information stolen from the Russian government and private entities.

Dr.Web’s Response: Denying Data Theft Claims

In response to DumpForums’ claims, Dr.Web published a statement confirming the September breach but stating that the attack was “promptly stopped.” The company also mentioned that it would not pay a ransom demand, which the attackers had since requested, and denied that customer information was stolen in the attack.

“The main goal was to demand a ransom from our company, but we are not negotiating with the attackers. At the moment, law enforcement agencies are conducting an investigation, and therefore we cannot give detailed comments so as not to interfere with the investigation,” Dr.Web said in a recent post.

Dr.Web reassured its users by stating, “The information published in Telegram is mostly untrue, user data was not affected. Neither virus database updates nor software module updates pose any security threat to our users.”

We reached out to Dr.Web for more information regarding the breach and DumpForums’ claims, but they have yet to reply.

https://x.com/Doctor_Web/status/1843990580663107909

Dr.Web is just the latest Russian cybersecurity company to be targeted and breached in a cyberattack. In June, pro-Ukrainian hackers Cyber Anarchy Squad breached the Russian information security firm Avanpost, claiming to have leaked 390GB of stolen data before encrypting over 400 virtual machines.

Moreover, in June 2023, Kaspersky disclosed that attackers infected iPhones on its network with spyware via iMessage zero-click exploits, targeting iOS zero-day bugs as part of a campaign now known as “Operation Triangulation.”

These incidents serve as a stark reminder of how important it is to prioritize cybersecurity. Cyber threats are ever-evolving, and staying informed is essential in protecting ourselves and our businesses.

Don’t wait until it’s too late – take action now to protect your digital assets. Keep coming back for more information on cybersecurity and how to safeguard your data. Together, let’s make the digital space a safer place for everyone.


Copyright © 2023 IT Services Network.