[Security Weekly] Scottish Environment Protection Agency Attacked by Conti Ransomware

cover image

3rd Week of January 2021


1. Scottish Environment Protection Agency attacked by Conti ransomware

The Scottish Environment Protection Agency (SEPA), the environmental regulator of Scotland, has been suffering from the ongoing impact of a ransomware attack that took place on December 24, 2020.

After gaining access to SEPA’s internal IT system, the ransomware operators paralyzed all internal communications and a number of operations. Despite isolating the infected systems, email, scheduling services, reporting tools, and a number of databases have remained offline throughout January. The agency’s online pollution data reporting platform also remains unavailable. 

Furthermore, the attackers exfiltrated 1.2 GB of sensitive data from the agency’s servers before encrypting them with the ransomware. This included the employees’ personal information. The Conti ransomware group later claimed responsibility for the attack and published a portion of the stolen data on its leak site.

SEPA is currently working with the government, police, and the National Cyber Security Centre to resolve the issues. Experts suggested that the impact of the attack is so heavy that some systems might need to be replaced completely.

Sources: ZDNet, Bleeping Computer


2. Data breach at OpenWrt forum exposes user records

The online forum for the OpenWrt developer community suffered a cyberattack that led to the compromise of user information. OpenWrt is a Linux-based embedded operating system used on devices such as routers.

According to the administrators who maintain the website, the forum was attacked in the early morning of January 16, where hackers obtained unauthorized access to all forum members’ usernames, email addresses, and information on their activities. Even though passwords were not exfiltrated, the forum still recommends its users to reset their passwords since it does not have two-factor authentication (2FA).

It is not clear how the hackers managed to make the intrusion. The forum administrators warn all its users to be cautious of phishing attacks. Since most users are OpenWrt developers who build routers and other networking devices, targeting them with phishing emails could help the hackers get into enterprise networks.

Sources: Threatpost, Bleeping Computer


3. Photo editing site Pixlr suffers data breach, 1.9 million account details leaked online

Pixlr, one of the most popular online photo editing tools, suffered a cyberattack initiated by the ShinyHunters hacking group. The website provides a free photo editing platform as well as a premium membership that offers advanced tools and stock photos.

ShinyHunters claimed that it exploited a misconfigured AWS S3 bucket belonging to Pixlr back in 2020, and had obtained access to the usernames, email addresses, and hashed passwords for over 1.9 million users. These credentials were later published on an online hacking forum for free on January 17. 

Experts warn all Pixlr users to stay aware of potential phishing scams and credential stuffing attacks, and also urge them to change their passwords immediately.

ShinyHunters is particularly successful at targeting companies offering online services. Recent victims include payment app Dave, shopping comparison site Wishbone, ecommerce giant Tokopedia, and interior design platform Havenly.

Sources: Infosecurity, SiliconANGLE


4. Stolen credentials from massive phishing campaign accessible via Google Search

Security researchers recently discovered that over 1,000 stolen login credentials collected from a massive phishing campaign were easily accessible by anyone via a search on Google.

The ongoing phishing campaign began back in August 2020, hitting thousands of companies from a variety of industries. The attackers sent out emails in the name of Xerox, luring victims into checking an online document, which would then trigger a fraudulent Microsoft Office 365 login page. Over 1,000 corporate Microsoft Office 365 accounts had been collected over the past months.

Yet, the hackers made a critical mistake by storing these stolen credentials on a compromised server that was set to public. Despite not having any direct links to the page, Google was able to scan it and have it on its search results, leaving these credentials accessible by anyone on the internet.

Sources: Threatpost


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security