[Security Weekly] Kia Motors Faces Service Outage as DoppelPaymer Ransomware Demands $20 M
3rd Week of February 2021
1. Kia Motors America faces service outage due to DoppelPaymer ransomware
Kia Motors America has been experiencing a massive service outage starting on February 14, which was later confirmed to be the result of a double-extortion attack led by the DoppelPaymer ransomware group. Headquartered in Irvine, California, Kia Motors America runs over 800 domestic dealers along with a factory in West Point, Georgia that manufactures over 340,000 vehicles annually.
The outage affected Kia’s mobile app, customer portal, telephone services, payment systems, and the internal portals used by dealerships. Some customers complained on Twitter about delays in vehicle deliveries after dealers told them that Kia’s systems had been infected by ransomware.
The DoppelPaymer ransomware operators claimed in the ransom note that they had exfiltrated and encrypted huge amounts of data from a wide range of servers, including backups. They went on to demand 404 bitcoins — equivalent to $20 million — in exchange for the decryption key, and warned that portions of the stolen data would be released online if the company did not cooperate.
Due to the nature of the industry, automotive firms are highly exposed to such attacks because they compete on fast, immediate sales — a single day of service outage can mean millions in lost revenue that flows directly to competitors. It is important for such companies to stay prepared for ransomware attacks by keeping backups on isolated networks, as well as by adopting a database encryption system such as D’Amo.
2. Singtel suffers data breach after hackers exploit Accellion FTA vulnerability
Singtel, Singapore’s largest telecommunications service provider, became the latest victim of a series of attacks that had been exploiting a vulnerability in Accellion FTA, a legacy file transfer application. Singtel is a telecom giant with 4.1 million local customers and a worldwide customer base of 640 million through its subsidiaries.
After investigating the incident, Singtel found out that the attack resulted in a massive data breach involving customers, employees, and enterprises. Compromised data included the personally identifiable information (PII) of 129,000 customers containing their names, dates of birth, addresses, and phone numbers. Also among the data were the bank account details of 28 former Singtel employees and the credit card numbers of 45 employees at a client firm. Lastly, the data included internal information relating to 23 companies, mostly partners and suppliers.
Accellion made an announcement on February 1 declaring end-of-life for the FTA product, with support scheduled to end on May 1. Unfortunately, the attack happened while Singtel was still in the process of migrating to a different product. Other recent victims of the vulnerability included the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, the Washington State Auditor’s Office, and the law firm Jones Day.
3. French firms hit by suspected Russian hacking campaign through Centreon
The French National Cybersecurity Agency (ANSSI) published a detailed report on February 15 suggesting that a number of French companies, primarily IT firms and web hosting providers, were breached in a three-year-long hacking campaign in which the attackers gained initial access through the Centreon Platform, an IT monitoring platform offering services very similar to SolarWinds Orion.
ANSSI could not determine whether the intrusion into the Centreon Platform was the result of software vulnerabilities or simply of leaked credentials. Nonetheless, it was clear that the attackers used the platform to install two strains of malware that gave them complete control over the victims’ systems and networks. During this process, a backdoor called Exaramel was also installed by the attackers. This backdoor had so far been used exclusively by Sandworm, a Russian state-sponsored APT.
Centreon responded a day later, confidently claiming that none of its paid customers were affected. It said that the hacking campaign only targeted the open-source version of the Centreon Platform, which was freely downloadable from its website, and that only about 15 entities were impacted.
As of today, Centreon’s claim seems valid as none of the paid clients of the Centreon Platform — including Airbus, Air France-KLM, Orange, Sephora, Lacoste, and the French Department of Justice — reported any related incident.