Posted 9 months ago by Kevin W.

Black Basta Ransomware Group Targeting Southern Water (UK)

Summary:

The Black Basta ransomware group claims they hacked Southern Water, a major UK water utility, on January 22nd, 2024. They allegedly stole 750GB of sensitive data, including personal and corporate documents, and posted screenshots of some leaked data on their dark web portal. Southern Water confirmed a "cyber incident" but hasn't confirmed the extent of the attack or data breach.

Attack Methodology:

Details of the attack method are unknown, but Black Basta typically uses phishing emails, stolen credentials, or software vulnerabilities to gain initial access to networks. Once inside, they deploy malware that encrypts files and demands a ransom payment for decryption.

Who is Affected:

Southern Water serves 2.5 million customers with water and 4.7 million with wastewater services in southeastern England. Employees, customers, and other stakeholders could be affected by the potential data breach.

Impacted Data:

The leaked screenshots suggest possible compromise of:

  • Personal documents: passports, IDs, driving licenses (potentially impacting employees and customers)
  • HR documents: employee names, addresses, dates of birth, nationalities, email addresses
  • Corporate documents: car-leasing documents (potentially exposing employee data)

Potential Implications:

  • Identity theft: Leaked personal information could be used for fraudulent activities like opening bank accounts or credit cards in victims' names.
  • Financial loss: Companies may incur costs for investigations, remediation, credit monitoring for affected individuals, and potential fines from data protection regulators.
  • Operational disruption: Southern Water's operations could be impacted if critical systems are compromised, potentially leading to water supply disruptions or service outages.
  • Reputational damage: The attack could damage Southern Water's public image and erode customer trust.

Current Status:

Southern Water is investigating the incident with the support of cyber security experts and has reported it to the UK government and regulators. They are urging customers and employees to be vigilant against phishing emails and suspicious activity.

Unanswered Questions:

  • The full extent of the data breach and what data was accessed is still unclear.
  • Southern Water hasn't confirmed whether they received a ransom demand from Black Basta.
  • Whether and how Southern Water's systems and operations were impacted remains unknown.

Further Developments:

The situation is fluid, and more information is expected in the coming days and weeks. We will be monitoring the situation and provide updates as they become available.

DDoS Attack Hitting Monobank, Ukraine's Largest Mobile Bank

Summary:

On January 22nd, 2024, Monobank, Ukraine's largest mobile bank, faced a series of distributed denial-of-service (DDoS) attacks. These attacks flooded Monobank's servers with millions of fake requests, aiming to overwhelm them and prevent legitimate users from accessing their accounts. The attacks were unprecedented in scale, reaching 580 million service requests at one point, temporarily disrupting service for some users.

Attack Methodology:

DDoS attacks can utilize various techniques. In this case, details of the specific methods used are unclear, but possibilities include:

  • Botnets: A network of compromised computers simultaneously bombarding Monobank with requests.
  • Amplification techniques: Exploiting vulnerabilities in internet protocols to amplify the impact of fake requests.
  • Reflection attacks: Bouncing requests off other servers to disguise their origin and overwhelm Monobank with reflected traffic.

Who is Affected:

Monobank's 6.5 million customers in Ukraine were potentially affected by the disruption of online banking services and mobile app access. The attack also impacted broader financial stability in Ukraine during a critical time, raising concerns about potential escalation tactics.

Impacted Services:

  • Online banking access: Customers experienced temporary difficulties logging in, managing accounts, and making transactions.
  • Mobile app access: The Monobank app was intermittently unavailable to some users.
  • Customer support: The attack may have hampered Monobank's ability to handle customer inquiries and support requests.

Potential Implications:

  • Financial disruption: Temporary service disruptions could have hampered users' ability to access their funds and make payments.
  • Reputational damage: The attack could damage Monobank's reputation for security and reliability.
  • Geopolitical tension: The timing of the attack amidst the ongoing conflict in Ukraine raises concerns about potential state-sponsored disruption or attempts to destabilize the financial system.

Current Status:

Monobank successfully mitigated the DDoS attacks and service has been restored for most users. They are working to improve their defenses against future attacks and cooperating with law enforcement to investigate the source.

Unanswered Questions:

  • The identity and motives of the attackers remain unknown.
  • Whether the attack was related to the ongoing conflict in Ukraine is unclear.
  • The long-term impact on Monobank's infrastructure and user trust is yet to be seen.

Further Developments:

Monobank is expected to provide further updates on the situation and their ongoing efforts to strengthen their security posture. Continued monitoring is necessary to understand the full impact and potential future implications of this attack.

Cyber Attack on IT Service Provider Affecting Multiple Swedish Entities

Summary:

On January 21st, 2024, an undisclosed IT service provider in Sweden fell victim to a cyber attack impacting numerous organizations across various sectors. While the identity of the targeted service provider remains concealed, it's known that municipalities, financial institutions, healthcare facilities, and even a university were among the affected entities. The full extent of the attack and the type of data potentially compromised are still under investigation.

Attack Methodology:

Details of the attack techniques employed are currently unavailable. However, common tactics utilized in such scenarios include:

  • Social engineering and phishing: Manipulating employees through emails or phone calls to reveal sensitive information or click malicious links, providing initial access to the network.
  • Exploiting software vulnerabilities: Taking advantage of outdated software or unpatched security holes to gain unauthorized access to systems.
  • Malware deployment: Deploying malicious software like ransomware or spyware to encrypt data, steal information, or disrupt operations.

Who is Affected:

The specific number of affected organizations and individuals remains unclear. However, the wide range of sectors involved signifies a potentially significant impact on various aspects of Swedish society. Municipalities may face disruptions in critical services, financial institutions could experience data breaches or financial losses, healthcare facilities might suffer data leaks or operational issues, and educational institutions could see their networks compromised.

Impacted Services and Data:

The exact services and data compromised are yet to be determined. However, potential consequences could include:

  • Disruption of public services: Municipalities may experience disruptions in services like waste collection, public transportation, or online administration.
  • Financial data breaches: Personal and financial information of customers of affected banking and financial institutions might be compromised.
  • Healthcare data leaks: Patient data, medical records, or operational systems of healthcare facilities could be exposed.
  • Educational data compromise: Student records, research data, or online learning platforms of the affected university could be targeted.

Potential Implications:

The implications of this attack could be far-reaching:

  • Loss of trust: The affected organizations and their customers may experience a loss of trust in their digital security measures.
  • Financial losses: Organizations may incur significant costs for recovery efforts, legal fees, and potential regulatory fines.
  • Operational disruptions: Disruptions in critical services and public access to essential information could have cascading effects on daily life.
  • Reputational damage: The attacked service provider and affected organizations could suffer reputational damage due to the breach.

Current Status:

Swedish authorities are investigating the attack in collaboration with the affected organizations and the compromised IT service provider. The National Cyber Security Centre (NCSC) is providing support and guidance to mitigate the damage and prevent further attacks.

Unanswered Questions:

  • The identity of the attacker(s) and their motives remain unknown.
  • The specific type of data compromised and the number of affected individuals are yet to be revealed.
  • The long-term impact on the affected organizations and Swedish society is unclear.

Further Developments:

As the investigation unfolds, more information regarding the attack methods, compromised data, and the identities of affected entities is expected to emerge. Updates from the NCSC and affected organizations will be crucial in understanding the full scope of the attack and its long-term consequences.