There were many cyber incidents this past month from data breaches and ransomware to exposed zero-day vulnerabilities. We are sharing some of the top cyber incidents from August to raise awareness and look back on the open vulnerabilities these cybercriminals exploited.
Conti Ransomware Group Capitalizing on Microsoft Exchange Vulnerabilities
Our research team uncovered that the Conti ransomware group has been obtaining access to environments stemming from the Hafnium exploits that occurred back in February and March 2021 within Microsoft Exchange. These zero-day vulnerabilities could affect hundreds of thousands of systems. The team identified that on-premises Microsoft Exchange servers still have web shells installed that stemmed from the Hafnium vulnerability.
Pondurance also identified that the Hafnium exploitation chain resulted in the installation of an unauthorized and abused remote monitoring and management (RMM) agent. The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with it. In July, the RMM tool was utilized by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware.
Attack Discovered: August 2021
Impact: The zero-day vulnerabilities discovered could affect hundreds of thousands of systems.
Learn more about the discovery in this blog.
Cyberattack Against Telecommunications Giant T-Mobile
T-Mobile, one of the biggest telecommunications companies, discovered it was the victim of a massive data breach after the cybercriminals responsible for the breach made claims on an online forum. The cybercriminals claimed they originally reached T-Mobile’s network through an unprotected router in July. They infiltrated a data center in East Wenatchee, Washington, where they gained access to hundreds of T-Mobile production, staging, and development servers. T-Mobile was able to eventually close the access port, but the data was already stolen.
Attack Discovered: August 16, 2021
Impact: Over 50 million customers’ data was compromised including names, driver’s licenses, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs (which T-Mobile has reset), addresses, and phone numbers.1
Learn more about the breach on T-Mobile’s website.
Consulting Group Accenture Victim of Lockbit Ransomware
A CNBC reporter notified Accenture on Twitter that it was the victim of LockBit ransomware. The CNBC source found the below cybercriminals’ note on the dark web as well as a statement that they would release the data they obtained in several hours.
“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you’re interested in buying some databases, reach us.”
Accenture worked quickly to contain the matter and isolate the affected servers. They also stated that there was no impact to operations or client systems.
Attack Discovered: August 11, 2021
Impact: The cybercriminals shared 2,400 files including PowerPoint presentations, case studies, quotes, and more on the dark web.
Learn more about the attack from The Hill.
Sources:
- T-Mobile says cyberattack impacted more customer data than initially thought, ABC News, Aug. 20, 2021.
