Breach Roundup: News Corp, Dish Network and Danish Hospitals
Plus, Free Decryptor Tool for MortalKombat Ransomware
Every week, Information Security Media Group rounds up cybersecurity incidents happening around the world. This week, we look at an incident affecting News Corporation, a ransomware attack causing outages at Dish Network, an outage at Washington's Pierce Transit, ransomware on a U.S. Marshals Service system and a distributed denial-of-service attack on Danish hospitals from a threat actor that isn't what it claims. We also share a bit of good news about a cybersecurity company making a ransomware decryptor available.
Media and publishing firm News Corporation revealed that a cyberattack first disclosed in 2022 stems from an incident that happened in February 2020.
"Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel's accounts in the affected system, some of which contained personal information," the company said in a breach disclosure letter.
The personal information accessed included names, birthdates, Social Security numbers, driver's license numbers, passport numbers, financial account information, medical information and health insurance information.
The breach affected employees at The Wall Street Journal and its parent company, Dow Jones; the New York Post; News Corp's U.K. news operation; and News Corp headquarters, according to an email the company sent to staff Friday, The Wall Street Journal reported in February 2022. News Corp hired Mandiant to conduct a forensic investigation, and the cybersecurity company concluded that the threat actor had a connection to China and was likely engaged in a spying operation.
Satellite television provider Dish Network blamed a ransomware attack for a network outage that made it difficult for users to reach customer service, access their accounts and make payments. The firm told federal regulators it had learned of the breach on Feb. 23 and determined on Feb. 27 that data had been leaked. It also said ransomware attacks had exfiltrated data and that it was "possible the investigation will reveal that the extracted data includes personal information."
In a statement on its website, Dish Network said it had enabled cybersecurity experts and outside advisers to assist with the attack and notified appropriate law enforcement authorities. Bleeping Computer reported the attacker belongs to the Black Basta ransomware-as-a-service gang.
The Pierce County, Washington, public transit company confirmed a ransomware attack affecting its systems two weeks ago. The attack came to light on Feb. 14 and temporary workarounds were required to keep buses moving. Russia-based ransomware group LockBit claimed responsibility for the attack and demanded a ransom to be paid by Tuesday.
The public transportation system serves over 18,000 people every day and provides bus, van and carpool services primarily to the city of Tacoma.
US Marshals Service
Hackers in February maliciously encrypted a system belonging to the U.S. Marshals Service, compromising and exfiltrating sensitive law enforcement data.
Exposed data includes returns from legal process, administrative information and personally identifiable information pertaining to subjects of USMS investigations, third parties and USMS employees (see: Ransomware Hits US Marshals Service).
The Marshals Service is primarily responsible for protecting judicial personnel, administering fugitive operations, managing criminal assets and protecting individuals in witness protection.
Danish Hospital Websites
The websites of nine hospitals in metro Copenhagen fell victim to distributed denial-of-service attacks from a group calling itself Anonymous Sudan. The group is on a Scandinavian tear. Previously in February it temporarily knocked out the websites of Scandinavian Airlines and a clutch of media and education outfits. Copenhagen's health authority confirmed the attacks in a tweet and assured Danes that their public healthcare was otherwise unaffected. A couple of hours later, the authority reported that the websites had been restored.
Anonymous Sudan claimed on Telegram that the attacks are part of ongoing retaliation for a January incident in which a Danish far-right politician had burned a copy of the Quran outside the Turkish embassy in Stockholm. Swedish cybersecurity firm Truesec says Anonymous Sudan is actually a Russian information operation. Radio Sweden in late February reported that Swedish cybersecurity firms took down 61 servers belonging to Anonymous Sudan hosted in Germany on IBM's cloud service.
MortalKombat Decryption Tool
A bit of good news: Romanian cybersecurity firm Bitdefender released a decryption tool for the MortalKombat ransomware, malware that spreads primarily through phishing emails and vulnerable remote desktop protocol instances.
Cisco Talos in December spotted an unidentified actor deploying the recently discovered ransomware using a phishing email impersonating CoinPayments, "a legitimate global cryptocurrency payment gateway."