Security News Frontier says 750,000 Social Security numbers accessed during April cyberattack

[vtqhtr413]

Content source

https://therecord.media/frontier-provides-new-details-april-ransomware-attack

Dallas-based telecommunications company Frontier Communications told regulators that more than 750,000 U.S. residents had information stolen during a cyberattack that took place in April.

Frontier — which offers internet and TV service across 25 states — previously reported the cyber incident to the U.S. Securities and Exchange Commission (SEC) in April but filed new documents with regulators in Maine on Thursday specifying how many people were impacted. According to the documents, 751,895 people had their names and Social Security numbers accessed by hackers during the attack, which Frontier said was discovered on April 14.

Victims are being given one year of identity theft protection. The ransomware gang allegedly behind the incident claimed this week to have stolen information on more than 2 million people. The ransomware operation — RansomHub — was spotlighted by researchers on Wednesday as a likely rebranded version of the older Knight ransomware.

Experts at Symantec said the operators behind the Knight ransomware tried to sell the source code of the malware on the dark web in February before it was used as part of the new ransomware-as-a-service operation.

Frontier says 750,000 Social Security numbers accessed during April cyberattack

Frontier told regulators that a ransomware attack it discovered in April resulted in exposed Social Security numbers on hundreds of thousands of people.

therecord.media

 

[Andy Ful]

A similar attack was analyzed by Forescout Vedere Lab's Research:

Ransomware Group Emerges from the Change Healthcare Attack

RansomHub emerges during the Change Healthcare cyber attack. Forescout Research analyzes the criminal ransomware as a service and its impact.

www.forescout.com

The attackers leveraged compromised credentials on Citrix remote-access software that did not have multi-factor authentication enabled. Following lateral movement and data exfiltration, they deployed the ransomware nine days later. It’s had a reported financial impact of $872 million, and included the exfiltration of 6TB of sensitive data. It has taken months to restore systems and the company has had at least two congressional testimonies
(...)
These files were used as shown in the figure below, for TA0005 – Defense Evasion, TA0008 – Lateral Movement and TA0040 – Impact.

Edit.
In the attacks investigated by Symantec, the attackers exploited the Zerologon vulnerability (CVE-2020-1472), which can allow an attacker to gain domain administrator privileges. In the attack analyzed by Forescout Vedere Lab, the compromised credentials were used.