More stories

  • CISA says BlackMatter ransomware group behind recent attacks on agriculture companies

    CISA, the FBI and the NSA have officially implicated the BlackMatter ransomware group in the recent attacks on two agriculture companies, confirming the assessments of security researchers who said the gang was behind the September incidents at New Cooperative and Crystal Valley.

    New Cooperative, an Iowa-based farm service provider, was hit with a ransomware attack on September 20 and BlackMatter demanded a $5.9 million ransom. Crystal Valley, based in Minnesota, was attacked two days later. Both attacks came as harvests began to ramp up for farmers.

    In the joint advisory, the three agencies said BlackMatter has targeted multiple US critical infrastructure entities since July. The advisory examines BlackMatter’s tactics in detail and outlines how the group typically attacks organizations.

    “Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network,” CISA said in the advisory. “BlackMatter then remotely encrypts the hosts and shared drives as they are found. Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory.”

    The agencies noted that BlackMatter operates as ransomware-as-a-service and may be a rebrand of DarkSide, the ransomware group that allegedly closed shop in May after attacking Colonial Pipeline. They added that BlackMatter has demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

    “Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON. BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances,” the advisory explained.

    “BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks. BlackMatter attempts to exfiltrate data for extortion. BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory. BlackMatter may wipe backup systems.”

    The notice lists dozens of measures organizations should take to protect themselves from BlackMatter, including the implementation of detection signatures, strong passwords, MFA, routine patching, network segmentation and access limitations. Because ransomware attacks increasingly land on weekends and holidays, CISA also suggests time-based access for accounts at the admin level and higher, so that privileged credentials are only usable during scheduled windows.

    In September, the FBI released its own notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains. The FBI said ransomware groups are seeking to “disrupt operations, cause financial loss, and negatively impact the food supply chain.”

    “Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems,” the FBI said. “Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack.”

    The notice listed multiple attacks on the food and agriculture sector since November 2020, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million. In November 2020, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.
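    The encryption step the advisory describes, one compromised host using SMB to reach ADMIN$, C$, SYSVOL and NETLOGON on every computer it discovered, leaves a trail on the targeted machines as Windows Security event 5145 (a network share object was checked to see whether the client can be granted access). The following is an added example, not from the advisory or from CISA, that runs that check over a constructed sample of such events: it groups share accesses by source IP and account, keeps only the administrative shares the advisory names, and alerts when one source touches them on five or more distinct computers within five minutes. The pipe-delimited field layout, the thresholds and the sample events are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Administrative shares the joint advisory names as BlackMatter's remote-encryption targets.
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}


class ShareAccess(NamedTuple):
    time: datetime
    target_host: str   # Computer that logged the 5145 event (owner of the share)
    account: str       # SubjectUserName
    source_ip: str     # IpAddress of the SMB client
    share: str         # ShareName as Windows logs it, e.g. \\*\ADMIN$


class Alert(NamedTuple):
    source_ip: str
    account: str
    hosts: List[str]
    first_seen: datetime
    last_seen: datetime


# Constructed sample, not real telemetry: event 5145 records reduced to
# "time|Computer|SubjectUserName|IpAddress|ShareName". The layout is an assumption
# of this example; a SIEM would expose the same fields under its own names.
SAMPLE_EVENTS = r"""
2021-09-20T02:10:01|FS01|jdoe|10.0.5.23|\\*\ADMIN$
2021-09-20T02:10:03|FS02|jdoe|10.0.5.23|\\*\C$
2021-09-20T02:10:04|WS-ACCT-07|jdoe|10.0.5.23|\\*\C$
2021-09-20T02:10:06|DC01|jdoe|10.0.5.23|\\*\SYSVOL
2021-09-20T02:10:06|DC01|jdoe|10.0.5.23|\\*\NETLOGON
2021-09-20T02:10:09|FS03|jdoe|10.0.5.23|\\*\ADMIN$
2021-09-20T02:11:30|ERP01|jdoe|10.0.5.23|\\*\C$
2021-09-20T02:11:30|DC01|WS-ACCT-07$|10.0.5.17|\\*\SYSVOL
2021-09-20T02:12:00|DC01|WS-ACCT-12$|10.0.5.19|\\*\NETLOGON
2021-09-20T02:12:10|FS01|mlee|10.0.5.40|\\*\Finance
2021-09-20T02:12:12|FS02|mlee|10.0.5.40|\\*\Finance
2021-09-20T09:30:00|FS01|jdoe|10.0.5.23|\\*\C$
"""


def parse_events(text: str) -> List[ShareAccess]:
    events = []
    for line in text.strip().splitlines():
        ts, host, account, ip, share = line.split("|")
        events.append(ShareAccess(datetime.fromisoformat(ts), host, account, ip, share))
    return events


def share_basename(share: str) -> str:
    # "\\*\ADMIN$" -> "ADMIN$"
    return share.rsplit("\\", 1)[-1].upper()


def detect_admin_share_sweeps(events: List[ShareAccess],
                              window: timedelta = timedelta(minutes=5),
                              min_hosts: int = 5) -> List[Alert]:
    """Flag (source IP, account) pairs that touch administrative shares on at
    least `min_hosts` distinct computers inside any interval of length `window`."""
    by_source: Dict[Tuple[str, str], List[ShareAccess]] = defaultdict(list)
    for ev in events:
        if share_basename(ev.share) in ADMIN_SHARES:
            by_source[(ev.source_ip, ev.account)].append(ev)

    alerts: List[Alert] = []
    for (ip, account), evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        best = None
        end = 0
        for start in range(len(evs)):
            # Advance `end` so that evs[start:end] is every event within `window` of evs[start].
            while end < len(evs) and evs[end].time - evs[start].time <= window:
                end += 1
            hosts = sorted({e.target_host for e in evs[start:end]})
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best.hosts)):
                best = Alert(ip, account, hosts, evs[start].time, evs[end - 1].time)
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_admin_share_sweeps(parse_events(SAMPLE_EVENTS)):
        print(f"{a.account}@{a.source_ip} hit admin shares on {len(a.hosts)} hosts "
              f"between {a.first_seen} and {a.last_seen}: {', '.join(a.hosts)}")
```

    Event 5145 is only generated when the Audit Detailed File Share subcategory is enabled, and it is noisy: machine accounts reading SYSVOL and NETLOGON on a domain controller is ordinary Group Policy traffic, which is why the sample keys on account as well as source address and why the threshold should be baselined per environment rather than taken from this example.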

  • 83% of ransomware victims paid ransom: Survey

    A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.


    Cybersecurity company ThycoticCentrify released its “2021 State of Ransomware Survey & Report” on Tuesday, featuring the insights of IT leaders who have dealt with ransomware attacks over the last year. Of those surveyed, 72% have seen cybersecurity budgets increase due to ransomware threats, and 93% are allocating special budgets to fight ransomware threats. Half of the respondents said they experienced a loss of revenue and reputational damage from a ransomware attack, while 42% indicated they had lost customers as a result of an attack. More than 30% said they were forced to lay off employees as well.

    Respondents said the most vulnerable vectors for ransomware attacks were email (53%), followed by applications (41%) and the cloud (38%). 26% of respondents said privileged access was the top attack vector, followed closely by vulnerable endpoints (25%).

    “Organizations are spending their increased cyber security budgets investing in ransomware prevention with network security (49%) and cloud security (41%) solutions. It is interesting to note that in this survey, identity access management (24%), endpoint security (23%) and privileged access management (19%) are lower priorities for budget spend,” the survey said. “The most common steps taken to prevent ransomware attacks include backing up critical data (57%), regularly updating systems and software (56%), and enforcing password best practices (50%). Last on the list was adopting a least privilege posture (34%).”

    Experts were not surprised by the survey’s findings, considering how many companies have been public about paying ransoms. Major corporations like Colonial Pipeline and JBS admitted to paying ransoms after devastating ransomware incidents, and studies show many organizations end up paying ransoms. “Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything. Over the years, we have gotten better at recovery from breaches, and attackers are trying new ways to get paid. It has been increasingly frequent in recent months where supply chain breaches are leading to ransom demands to not leak data belonging to the victim organization,” said John Bambenek, threat intelligence advisor at Netenrich. “Frankly, as long as the economics are in favor of paying, most organizations will pay. However, the paying of ransoms doesn’t guarantee results.”

  • Halloween comes early for Syniverse, Facebook, and Twitch: What we can learn from their spooky outages plus breaches

    It looks like more than ghosts are wreaking havoc on haunted networks. We’re less than a full week into October, and Cybersecurity Awareness Month isn’t quite taking shape the way we expected. Ostensibly, orgs decided to pivot and use this time to confess their wrongdoings before Halloween. Let’s take a trip through what’s happened so far and the lessons we’ve learned.

    Luckiest breach announcement timing… ever?

    Before October 4, you likely had not heard of Syniverse, though it works with 95% of the top 100 telecoms in the world. If you learned about them on October 4, it was first thing in the morning, and then … other stuff happened. Unfortunately, your texts, call records, and more were likely hoovered up by hackers in yet another third-party telecom breach. What makes this breach unique — for now anyway — is that the unauthorized access went unnoticed or undisclosed for five years, topping SolarWinds by an order of magnitude. It also highlights the risks of SMS and geolocation data, which could play a critical role in misinformation/disinformation and espionage.

    Facebook disappeared from the internet — literally — and that effectively buried the Syniverse news under a mountain of speculation about the Facebook outage. In an ironic twist of fate, Facebook simultaneously contended with the outage and experienced a deluge of rumors on the cause. Speculation ranged from an insider show of solidarity with the whistleblower to the opposite, using the outage to draw attention away from the whistleblower testifying to the US Congress. The truth is less salacious but far more realistic: a faulty configuration change interrupted communication between data centers.

    While Facebook data centers could not communicate, few tried to communicate at all about Syniverse. And that’s troubling, since Syniverse “processes 740 billion texts yearly and has over 300-plus direct connections to mobile operators” per its website. This breach is not limited to an individual consumer’s text messages and records. Twilio is a minority owner of Syniverse and is mentioned as one of its major contributors to revenue, behind only AT&T. That makes this breach relevant from a B2C and B2B perspective, given Twilio’s reach into the developer world. The long tail of this breach will have far-reaching consequences, as Sen. Ron Wyden told Motherboard: “The information flowing through Syniverse’s systems is espionage gold.” Expect security and privacy events that trace back to this one for years.

    Attackers reveal how Twitch fails livestreamers

    In what’s certainly damaging to users — but perhaps more so to the platform itself — Twitch, the dominant livestreaming choice for content creators, experienced a massive data leak. This one features partner, platform, and product security issues. And the ugliest part of all? It provides a serious glimpse into gender and racial pay gap disparities between content creators. The payout rates negotiated between Twitch, sponsors, and streamers are now publicly available and exposed. There’s zero doubt Twitch, already facing competition from YouTube for streamers, could see a talent exodus as feelings of unequal treatment get confirmed as fact. As a platform, Twitch sits between content creators, sponsors, advertisers, and viewers, facilitating and monetizing parasocial relationships. That ecosystem requires trust, which data breaches and disclosure of sensitive intellectual property threaten.

    Breaches often come at the worst possible time, and Twitch already had serious issues with content creators facing harassment from viewers and other streamers on occasion. Hot tub streams, hate raids, swatting, racism, and sexism plague Twitch. A data breach is not the most serious problem the company faces given those other items, but it’s certainly not making things easier.

    The power of incident response compels you

    If this month keeps going the way it is, the “X” in XDR (extended detection and response) might stand for eXorcism, given the ratio of breach announcements to days of October we’ve experienced so far. Add this to the volume and severity of breaches reported in 2021, and we’re swimming in pea soup. Yet, according to the Forrester Analytics Business Technographics® Security Survey, 2021, just 12% of respondents list breach and attack simulation as a top information/IT security priority over the next 12 months. Firms should revisit, revise, and rehearse incident response and crisis management plans at least biannually, if not quarterly, to keep up with attackers and their tactics. At least one of those breach simulations should be a ransomware attack, and all exercises should assume data exfiltration. Those concerned about data that could come from Twitch should consider a crisis management exercise. For customers, platforms, and partners, trust is on the line. Don’t wait until the incident is underway to assemble your crisis management ecosystem of critical third parties like legal, digital forensics, and incident response, along with PR, to ensure notifications, handoffs, and all communication flow smoothly. Consider media training for key executives who will be seen as the face of any crisis affecting your firm.

    Zero Trust to the rescue

    The old way of approaching security architecture is already widely known to be a failure from a technical perspective (see the above examples if you aren’t convinced). Add in the business realities of the interconnectedness of relationships between platforms, partners, and customers without shifting your strategy, and security, risk, and privacy leaders will get totally left behind. This makes a shift to Zero Trust architectures a requirement. Customers and business partners demand dependability, believing that you’re protecting the entire ecosystem by forgoing inherent trust in any user, device, or system. Zero Trust enables you and your ecosystem to be both resilient and protected. At the end of the day, organizations don’t want another mystery on their hands.

    This post was written by Forrester Vice President, Principal Analyst Jeff Pollard and originally appeared on Forrester’s blog.

  • FCC mulls over new rules demanding carriers block spam robot texts at network level

    The US Federal Communications Commission (FCC) is due to consider a new proposal to clamp down on robot texts.

    On October 18, FCC Acting Chairwoman Jessica Rosenworcel unveiled a new set of proposed rules that would force wireless carriers to block illegal robot texts, potentially at the network level.

    According to the chairwoman, the US regulator received roughly 14,000 complaints from consumers concerning unwanted robot texts in 2020. So far in 2021 the commission has received over 9,800, which suggests a rising trend that needs to be tackled alongside robocalls. Research conducted by RoboKiller found that spam text message rates in the US are far higher than the rate of complaints received by the FCC, with an estimated 7.4 billion spam SMS messages sent in March alone.

    Robocalls and robotexts are often pushed out to consumers for the same purpose: to lure them into scams, such as insurance claims or, more recently, coronavirus-themed services, to trick them into sharing personally identifiable information (PII) or banking details, or to drive them to malicious and fraudulent websites in phishing campaigns.

    Rosenworcel said that if the proposal is accepted, mobile carriers in the United States would be required to protect customers from illegal text messages, and this could include initiatives such as blocking texts at the network level or “applying caller authentication standards to text messaging.”

    The proposals build upon rules discussed in September to protect 911 call centers from robocalls. As a critical service, call handlers certainly do not need to also deal with influxes of scam calls, and the FCC’s proposal would force service providers to stop robocalls from reaching numbers on do-not-call registries.

    In addition, the watchdog is attempting to stop telecoms firms from accepting calls on their networks from voice service providers that are not registered in the FCC’s Robocall Mitigation Database.

    “We’ve seen a rise in scammers trying to take advantage of our trust of text messages by sending bogus robotexts that try to trick consumers to share sensitive information or click on malicious links,” Rosenworcel commented. “It’s time we take steps to confront this latest wave of fraud and identify how mobile carriers can block these automated messages before they have the opportunity to cause any harm.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Twitter accounts linked to cyberattacks against security researchers suspended

    Twitter has suspended accounts belonging to a North Korean hacking group targeting security researchers. 

    The social media accounts, @lagal1990 and @shiftrows13, were suspended this month after “posing as security researchers,” according to Google Threat Analysis Group (TAG) analyst Adam Weidemann, who added that the profiles “leaned on the hype of 0-days to gain followers and build credibility.” As noted by Threatpost, another account, @mavillon1, was closed for the same reason in August.

    The campaign, believed to be the work of state-sponsored North Korean cyberattackers, has been tracked by the Google TAG team over the past year. First documented in January 2021, the campaign includes the creation of a network of fake profiles across platforms including Twitter, LinkedIn, Keybase, and GitHub. The fake profiles ride on interest in exploits and zero-day bugs to establish an aura of credibility and post content such as proof-of-concept (PoC) code and exploit techniques. According to Weidemann, the latest fake accounts were found by researchers Francisco Alonso and Javier Marcos.

    “We (TAG) confirmed these are directly related to the cluster of accounts we blogged about earlier this year,” Weidemann commented. “In the case of @lagal1990, they renamed a GitHub account previously owned by another of their Twitter profiles that was shut down in Aug, @mavillon1.”

    The cluster of accounts is used to reach out to intended targets, including well-known and credible security researchers. A research blog was also published online, and videos have been uploaded claiming to show proof of exploits and bugs. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control,” Google TAG says.

    Once communication has been established, the North Korean group asks its targets whether they are interested in collaborating on security research. Targets are then sent links to a blog containing browser exploits, including an Internet Explorer zero-day unmasked in January. Alternatively, they may be sent a malicious Visual Studio project file containing a backdoor, granting the attackers entry to the victim’s machine and the information on it.

    In March, the group created a fake Turkish offensive security company called SecuriElite, with a batch of profiles linked to this firm pretending to be cybersecurity researchers and recruiters.

    Last week, Google TAG documented efforts to counter attacks from APT35, an Iranian group specializing in phishing campaigns against high-risk users of Google, including campaign staffers during the 2020 US election.
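    The malicious Visual Studio project is worth dwelling on, because in the campaign Google TAG wrote up in January 2021 the payload ran through a Visual Studio build event, so merely building a shared “proof of concept” was enough to execute it. A practical check before opening a project a stranger sent is therefore to list every command the project will run at build time. The following is an added example, not code from the article, from Google TAG or from the campaign, that walks a .vcxproj and reports each build-time command with the MSBuild Condition it runs under; the sample project, the set of command-bearing elements and the list of “suspicious” host binaries are all assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

# MSBuild elements whose text or Command attribute Visual Studio executes during a build.
# This set is an assumption of the example (the common hooks), not an exhaustive list.
EXEC_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep", "Exec"}

# Host binaries that rarely belong in the build step of a proof-of-concept project.
# Also an assumption of this example; extend it for your environment.
SUSPICIOUS_BINARIES = re.compile(
    r"\b(rundll32|regsvr32|mshta|powershell|pwsh|cmd|wscript|cscript|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)


class BuildCommand(NamedTuple):
    element: str      # e.g. PreBuildEvent
    condition: str    # Condition attribute inherited from the nearest ancestor, if any
    command: str
    suspicious: bool


# Constructed sample project, not the file used in the campaign: one compile unit
# plus two build-time commands of the kind the scanner is meant to surface.
SAMPLE_VCXPROJ = r"""
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)data\cache.db",Entry</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -NoProfile -WindowStyle Hidden -File $(ProjectDir)tools\setup.ps1" />
  </Target>
</Project>
"""


def _local(tag: str) -> str:
    # Strip the MSBuild namespace: "{http://...}PreBuildEvent" -> "PreBuildEvent"
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> List[BuildCommand]:
    """Return every command the project will execute at build time, in document order."""
    root = ET.fromstring(project_xml.strip())
    found: List[BuildCommand] = []

    def walk(elem, condition: str) -> None:
        condition = elem.get("Condition", condition)
        name = _local(elem.tag)
        if name in EXEC_ELEMENTS:
            command = elem.get("Command")
            if command is None:  # PreBuildEvent-style: the command is a child <Command> element
                child = next((c for c in elem if _local(c.tag) == "Command"), None)
                command = (child.text or "") if child is not None else ""
            command = command.strip()
            if command:
                found.append(BuildCommand(name, condition, command,
                                          bool(SUSPICIOUS_BINARIES.search(command))))
        for child in elem:
            walk(child, condition)

    walk(root, "")
    return found


if __name__ == "__main__":
    for item in find_build_commands(SAMPLE_VCXPROJ):
        flag = "SUSPICIOUS" if item.suspicious else "review"
        print(f"[{flag}] {item.element} {item.condition!r}: {item.command}")
```

    A project that compiles a browser exploit has no business running rundll32 or a hidden PowerShell before the compiler starts; anything the scanner lists should be read, and the project built only in a disposable VM, before the "research collaboration" goes any further.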

  • REvil ransomware operators claim group is ending activity again, victim leak blog now offline

    Cybercriminals claiming to be part of the REvil ransomware group have alleged that the gang is closing shop after it lost control of vital infrastructure and had internal disputes.

    Recorded Future security expert Dmitry Smilyanets shared on Twitter multiple messages from ‘0_neday’, a known REvil operator, discussing on the cybercriminal forum XSS what happened. He claimed someone took control of the group’s Tor payment portal and data leak website.

    In the messages, 0_neday explains that he and “Unknown”, a leading representative of the group, were the only two members of the gang who had REvil’s domain keys. “Unknown” disappeared in July, leaving the other members of the group to assume he had died. The group resumed operations in September, but this weekend 0_neday wrote that the REvil domain had been accessed using the keys of “Unknown.”

    In another message, 0_neday said, “The server was compromised and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others — this was not. Good luck everyone, I’m off.”
    REvil originally closed shop in July after the devastating attack on Kaseya infected hundreds of organizations across the world and caused untold damage. The group is one of the most prolific ransomware gangs currently operating, attacking hundreds of vital companies and organizations over the last few years. But the group attracted immense law enforcement scrutiny following the July 4 attack on Kaseya and ended its operation on July 13. By September, the group returned, continuing to attack dozens of companies in the last few weeks. According to The Record, the July 13 shut down happened because “Unknown” allegedly stole the group’s money and shut down their servers, making it difficult for those remaining to pay affiliates. 

    Smilyanets told the news outlet that he hoped the group had shut down because of law enforcement actions by US officials. The FBI and other US agencies faced significant backlash over the past few weeks because of their actions during the REvil attack on Kaseya. The FBI admitted it had decryption keys that could have helped the nearly 1,500 ransomware victims affected by the Kaseya attack, but decided against releasing them because it was preparing an operation to disrupt REvil’s infrastructure. The group closed shop before the operation could be seen through, and the FBI has been harshly criticized by the organizations affected and by lawmakers for waiting to hand out the decryption keys. Bitdefender later released a free decryptor for all of the organizations affected by the Kaseya attack.

    Opinions on the situation were mixed among experts, with some cautioning people not to believe the word of criminals. Others said the situation made sense because REvil was facing criticism from its own affiliates for its actions. Allan Liska, a ransomware expert with Recorded Future, told ZDNet that there were two theories in his mind.

    “Unknown (the former leader of REvil) ‘returned from the dead’ and was not happy that his software developers were trying to push his ransomware. The second is that a government agency managed to penetrate the server before they closed shop the first time, got Unknown’s private key and decided to take these new actors down,” Liska said. “Normally, I am pretty dismissive of ‘law enforcement’ conspiracy theories, but given that law enforcement was able to pull the keys from Kaseya attack, it is a real possibility. The relaunch of REvil was ill conceived from the start. Rebranding happens a lot in ransomware after a shutdown. But no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb.”

    Liska said that while some may question whether the drama within the group is real, he believes it is legitimate, noting the internal controversy that has engulfed other ransomware groups this year. “There is a lot of money in ransomware right now, and with lots of money is going to come drama,” he said. But while the REvil operators may have shut down this specific group, Liska said there is no doubt that everyone who was part of the REvil organization will continue to conduct ransomware attacks. “Whether it is through creating a new ransomware or becoming an affiliate for another ransomware group, it is hard to give up the money that can be made from ransomware,” Liska said.

    Sean Nikkel, Digital Shadows senior cyber threat intel analyst, said REvil was already facing additional scrutiny from the broader cybercriminal community due to drama involving accusations of failing to pay those involved in its partnership program and claims that it effectively cut out affiliates and shared decryption keys with victims. On XSS, Nikkel said, 0_neday was asked who would work with REvil after this latest series of problems, and the representative replied, “Judging by everything, I’ll be working on my own.”

    “Reaction to the news from other forum members ranged from largely unsympathetic to bordering on conspiracy theory. The main area of debate was whether the group would rebrand for a third time, with many questioning whether the cybercriminal community would still trust REvil-related schemes,” Nikkel explained. Nikkel added that opinions appeared split on whether REvil’s reputation would ensure the group’s continued success, with many pointing out that all publicity is good publicity, and predicting that the promise of profits would still entice affiliates to work with the group in the future.

    “One theory doing the rounds posited that a disgruntled former team member, combined with poor password hygiene, could have resulted in the attack,” Nikkel added, noting that many users questioned the fact that this topic was even being discussed on the site at all considering XSS’s May 2021 ban on ransomware-related content.

    “The XSS representative for the LockBit ransomware group claimed to have predicted this turn of events, providing links to their ‘prophetic’ forum posts. They questioned the REvil representative’s intention to leave the forum, opining ‘if the domains have been hijacked, this is 100% proof that someone had a root on the server, which means that your database has been leaked too.’ The LockBit representative even put forward the idea the new REvil forum account may in fact be operated by law enforcement,” Nikkel said.

    Nikkel noted that in his opinion, the tone of REvil’s forum posts indicates the group will be back in some form. But it may face difficulty returning after advertising for affiliates on a 90/10 profit-splitting basis, which is more than the group has shared in previous years. “Despite this, and the many controversies that REvil has been involved in that could have eroded all trust in and willingness to cooperate with the group, it seems that the group’s infamy and the promise of high profits are simply too much of a lure for many cybercriminals, who have returned to work with the group time and time again,” Nikkel said.

    Chad Anderson, senior security researcher at DomainTools, added that his team had discovered that REvil had a backdoor in its RaaS offering, after which multiple affiliates of the REvil program confirmed they had been ripped off by the creators. “It’s hard to say what’s real at this point. We’ve seen groups disappear only to be reborn as a more full featured affiliate program. We’ve seen groups of affiliates shift to better payment models and we’ve seen group sites be taken over by others and their source code leaked or re-used,” Anderson told ZDNet. “At this point evidence suggests that the private keys for the Onion hidden services backing the REvil payment infrastructure have been compromised. This certainly could be a government agency operation but it’s just as likely without hard confirmation that it’s some other ransomware group. REvil made a lot of affiliates mad when it turned out their code had a backdoor that could let REvil operators steal from their affiliates.”

    Emsisoft ransomware expert Brett Callow was skeptical of what was written in the cybercrime forum, noting that such forums double as press release services for ransomware gangs. “Threat actors know that law enforcement, researchers and reporters monitor forums, and so use them to issue statements. They say only what they want people to know and believe,” Callow said. “Whether REvil has really closed shop, or are scamming their affiliates, or have some other reason for going dark, is impossible to say.”
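    0_neday’s account (the hidden-service path removed from torrc, the domain “accessed using the keys of Unknown”) and Anderson’s remark that the hidden-service private keys were compromised rest on the same property of Tor v3 onion services: the .onion hostname is derived from the service’s ed25519 public key, so whoever holds the matching secret key from the HiddenServiceDir can bring the identical address up on any server, and there is no registrar to appeal to. The following added example, which is not from the article or from anyone quoted in it, derives and validates a v3 address with the construction from Tor’s rend-spec-v3 (base32 of public key, two-byte SHA3-256 checksum and version byte 3); the key bytes in it are constructed for illustration, not a real service key.

```python
import base64
import hashlib

# Tor rend-spec-v3: a v3 onion hostname is
#   base32( PUBKEY || CHECKSUM || VERSION ) + ".onion"
# where PUBKEY is the 32-byte ed25519 public key, VERSION is 0x03 and
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the hostname Tor writes to <HiddenServiceDir>/hostname for the key pair
    stored in hs_ed25519_secret_key / hs_ed25519_public_key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes = 280 bits
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"  # 56 base32 chars


def parse_onion_v3(address: str) -> bytes:
    """Validate a v3 hostname and return the embedded public key.
    Raises ValueError on wrong length, wrong version byte or checksum mismatch."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("v3 onion hostnames are 56 base32 characters")
    raw = base64.b32decode(host.upper())  # binascii.Error (a ValueError) on bad characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("not a version-3 onion address")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupt or forged")
    return pubkey


def same_service(address: str, pubkey: bytes) -> bool:
    """True if `pubkey` is the key behind `address`: whoever holds the matching
    secret key can serve that exact hostname from anywhere."""
    try:
        return parse_onion_v3(address) == pubkey
    except ValueError:
        return False


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed bytes, not a real service key
    addr = onion_v3_address(demo_key)
    print(addr, same_service(addr, demo_key))
```

    Two consequences follow directly from the derivation: the address cannot be changed without changing the key (so a hijacker who copied hs_ed25519_secret_key and pointed their own torrc at it is indistinguishable to visitors from the original operator), and every v3 address ends in the letter d, because the last five bits encoded are the version byte 0x03.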

  • Sinclair confirms ransomware attack after TV station disruptions

    Sinclair Broadcast Group, which controls hundreds of TV stations across the US, has confirmed a ransomware attack on certain servers and workstations.

    In a statement and a notice sent to the SEC, Sinclair said it was notified of a cybersecurity incident on Saturday, October 16. By Sunday, the company had confirmed that it was a ransomware attack and backed up what many online had been reporting: outages at numerous local TV stations.

    “Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review. Promptly upon detection of the security event, senior management was notified, and the company implemented its incident response plan, took measures to contain the incident, and launched an investigation,” Sinclair said. “Legal counsel, a cybersecurity forensic firm, and other incident response professionals were engaged. The company also notified law enforcement and other governmental agencies. The forensic investigation remains ongoing. While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers.”

    The company went on to say that it is unclear what kind of impact the attack will have on its “business, operations or financial results.” It did not say which ransomware group was behind the attack and did not respond to requests for comment.

    Sinclair controls 21 regional sports network brands while owning and operating 185 television stations in 86 markets. The company also controls the Tennis Channel as well as Stadium and had annual revenue of $5.9 billion in 2020. The attack was first reported by The Record after viewers took to Twitter and Reddit to report confusion over outages in their local markets.

    Internal sources told The Record that the attack involved the company’s internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. Dozens of channels were unable to show local morning shows and NFL games on Sunday. Some channels were able to resume broadcasts because the attack did not reach Sinclair’s “master control” broadcast system, but the attack is still crippling dozens of stations even as others return to normal. The company suffered another cyberattack in July that forced it to reset all shared administration systems at all of its stations. This is the second ransomware incident targeting news stations this year, with Cox Media Group recently admitting that it was hit with a ransomware attack in June.

    Ransomware experts like Darktrace’s Justin Fier said that for broadcasters and media, these attacks don’t only disrupt operations but potentially give bad actors a platform to distribute disinformation on a global stage. “In the case of the Sinclair breach, simply having access to the broadcast network may itself be more valuable for attackers than a ransomware payment,” Fier said. “The reality is that the organization’s back is against the wall — it is clear that the security team at Sinclair have been caught off guard and outpaced and now must decide between system downtime or paying a hefty ransom.”

    Others noted that it was not surprising to see the attack occur on a weekend, when ransomware actors know IT departments are working with skeleton crews. Bill Lawrence, CISO at SecurityGate, noted that the attack didn’t spread to Sinclair’s ‘master control’ broadcast system, indicating the company may be using network segmentation or a higher level of protection and care for the ‘crown jewels.’

    “Also, they lost their internal network, email, phones, along with local broadcasting systems. For your next incident response plan drill, put the participants in separate rooms and forbid the use of company email or phone calls,” Lawrence said. “It would be hard for them to order a pizza together, much less work on business continuity.”

  • Acer hit with second cyberattack in less than a week, Taiwanese authorities notified

    Acer has confirmed yet another cyberattack on its servers in Taiwan after its offices in India were hit less than a week ago by the same group.

    The Desorden Group, which claimed responsibility for both attacks, contacted ZDNet and said part of why it conducted the second attack was to prove its point “that Acer is way behind in its cybersecurity effects on protecting its data and is a global network of vulnerable servers.”

    Acer spokesman Steven Chung told ZDNet that the company recently detected “an isolated attack on our local after-sales service system in India and a further attack in Taiwan.”

    “Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data,” Chung said. “The incident has been reported to local law enforcement and relevant authorities, and has no material impact to our operations and business continuity,” he added.

    The group said it hacked Acer’s Taiwan servers that stored data on its employees and product information. “We did not steal all data, and only took data pertaining to their employee details. Right after the breach, we informed Acer management on the Taiwan server breach and Acer has since taken the affected server offline,” the group said in an email to ZDNet.

    “Also, a few other of its global networks including Malaysia and Indonesia servers are vulnerable too.”

    The group did not say how much data it stole in this attack and did not respond to questions about its end goal with these breaches.

    Acer has had a rough year from a cybersecurity perspective, suffering a ransomware attack in March that led to a previously unheard-of ransom demand of $50 million. It is unclear if Acer ever paid the ransom. The attack last week on the company’s servers in India led to 60GB of files being stolen by the Desorden Group, which also claimed an attack on the Malaysian servers of ABX Express Enterprise in September. Acer India was hit with a similar cyberattack in 2012 by a Turkish cybercriminal group, according to DataBreaches.net. The attackers defaced the company website and leaked 20,000 user credentials at the time.