[Security Weekly] Australian TV Network Taken Down by Ransomware


1st Week of April 2021


1. Australian TV network taken down by suspected state-backed ransomware attack

Nine Network, one of Australia's most-watched TV networks, was knocked off air for more than 24 hours by a ransomware attack, the largest cyberattack an Australian media company has experienced to date.

Nine Network, operated by Sydney-based Nine Entertainment, went down in the early hours of March 28 when ransomware hit the company's IT network. Broadcast-related systems were affected, while the radio and publishing businesses kept operating. Employees were told to work from home until further notice, and live production was moved from the Sydney studio to the Melbourne studio.

While the company worked to restore the encrypted systems, it said that no ransom demand had been received. The absence of an extortion demand points to a motive other than financial gain and fuelled speculation that a state actor was responsible: during the outage the network was scheduled to air an investigative program on allegations that Vladimir Putin's government poisons his political opponents. There is, however, no public evidence attributing the attack to Russian intelligence.

Around the same time, Australia's federal parliament suffered a suspected cyberattack that left MPs and senators without email access for two days. Again, there is no evidence that the two incidents are linked.

Sources: US News and World Report, Infosecurity, The Guardian


2. Insurance giant CNA Financial attacked by new ransomware strain

Chicago-based CNA Financial, the seventh-largest commercial insurer in the United States, posted a statement on its otherwise offline website disclosing a ransomware attack that began on March 21. The company shut down a number of systems, including its website, as a precaution.

Sources speaking to Bleeping Computer identified the malware as a new ransomware family known as Phoenix CryptoLocker, and suggested that the Evil Corp group is likely behind it.

A number of systems, including email servers, were encrypted. Bleeping Computer further reported that over 15,000 devices may have been affected, among them the personal devices of remote employees who were connected to the corporate network over the company's VPN at the time, a reminder that VPN-connected endpoints sit inside the network perimeter and are reachable for lateral movement just like on-site machines.

It is not yet known whether the attackers exfiltrated unencrypted customer data before encrypting the systems.

Sources: Bleeping Computer, Threatpost


3. US Secretary of Homeland Security’s email hacked in SolarWinds attack

According to The Associated Press, suspected Russian state-backed hackers gained access to the US Department of Homeland Security (DHS) through the backdoored SolarWinds Orion update, making the department the latest identified victim of the massive supply chain attack.

The intruders gained access to the email accounts of a number of DHS officials from the Trump administration, including then-acting Secretary of Homeland Security Chad Wolf and senior members of the department's cybersecurity staff, whose job was to investigate and counter foreign cyber threats.

Sources: The Associated Press, ZDNet


4. MobiKwik faces external audit after denying alleged data breach affecting 110 million users

On April 1, Indian mobile payment provider MobiKwik was ordered by the Reserve Bank of India (RBI) to commission an external forensic audit of its IT systems, following claims that a large trove of customer data offered for sale had originated from the company.

The incident began with a post on a dark web forum offering what was claimed to be the personal data of 110 million MobiKwik users. The 8.2 TB dump was offered for 1.2 bitcoin, roughly US$72,000 at the time, and was said to contain phone numbers, email addresses, transaction histories, payment card details and government-issued ID numbers.

The seller also set up a searchable portal where anyone could enter a phone number or email address to check whether it appeared in the dump. Security researchers were able to confirm that several of the records were genuine.

MobiKwik has denied the breach, saying its internal investigation found no evidence that its systems were attacked. Growing public mistrust nonetheless led the RBI to order the external audit.

Sources: TechCrunch, Reuters


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+

Car, Energy, Factory, City Solutions: Penta IoT Security