Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2023-34285 – NETGEAR RAX30 Vulnerability
June 12, 2023Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
June 13, 2023
Severity
High
Analysis Summary
In early June, the IT services provider Xplain, based in Bern, Switzerland, experienced a Play ransomware attack that had a more significant impact than initially anticipated. The attack not only affected Xplain, but also targeted the national railway company of Switzerland (FSS) and the canton of Aargau. Swiss police launched an investigation into the incident.
The news of the attack was first reported by Swiss newspaper Le Temps, which highlighted that several cantonal police forces, the Swiss army, and the Federal Office of Police (Fedpol) were indirectly impacted by the cyberattack. These entities shared a common IT service provider, Xplain, which had been hacked.
Threat actors initially published alleged stolen data from Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a Darknet forum. Local media revealed that the attackers exploited a vulnerability in Xplain’s servers to carry out the attack.
Fedpol and the federal customs office confirmed the attack but downplayed its severity. Fedpol stated that the threat actors only accessed simulated, anonymous data used for testing purposes, ensuring that their projects remained unaffected. FOCBS acknowledged that some of their data exposed in the breach included correspondence with clients.
The FSS data leak was initially reported by NZZ am Sonntag magazine and later confirmed by the Swiss railway company. The authorities of the canton of Aargau also confirmed the data breach. Aargau authorities assumed that, in addition to company correspondence, a small amount of operational data from error logs, which were under analysis at Xplain, might have been affected.
The Aargau authorities said for their part that they assume that “in addition to company correspondence, a small volume of operational data from error logs which was at Xplain for analysis was also affected”, RSI reported.
The investigation into the security breach is still ongoing to determine the full extent of the attack and its implications for the affected organizations.
Additionally, during the same period, the website of the Swiss parliament faced a separate cyber attack. The president of the House of Representatives, reported that problems were encountered in accessing the website. However, the attack on the parliament’s website was not linked to the Xplain ransomware attack. Parliament’s services stated that the attack had been neutralized, assuring that no internal systems or data had been affected, although some access issues persisted temporarily.
Overall, the incident involving Xplain’s Play ransomware attack had far-reaching consequences, affecting not only Xplain but also the FSS, the canton of Aargau, and indirectly impacting various government entities in Switzerland.
Impact
- Sensitive Information Theft
- File Encryption
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Enforce strong password policies and consider implementing multi-factor authentication (MFA) to enhance access security.
- Deploy reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms.
- Identify and address any vulnerabilities or weaknesses in the systems that were exploited during the breach. Apply security patches and updates to ensure the systems are up-to-date.
- Implement a robust backup strategy that includes regular and automated backups of critical data. Ensure that backups are stored securely offline or in an isolated environment to prevent ransomware from encrypting backup files.
- Implement strong encryption measures for sensitive data to protect it from unauthorized access. Employ data segmentation techniques to isolate critical systems and data from less secure areas.
- Establish ongoing monitoring processes and conducting periodic security assessments to identify and address any evolving threats or vulnerabilities. Continuously improve security measures based on lessons learned from the incident.