South African government officials are investigating reports that a ransomware group stole 668GB of sensitive national pension data and leaked it online.
The alleged breach of Pensions Administration Authority (GPAA) data on March 11 has not yet been publicly confirmed, but the incident has already been covered by national news in South Africa. The South African Government Employees Pension Fund (GEPF) has stepped in to investigate the allegations made by the notorious cybercrime organisation LockBit.
GEPF is South Africa's top pension fund and its clients include 1.2 million current civil servants as well as 473,000 pensioners and other beneficiaries.
“GEPF is working with the GPAA and its regulator National Treasury to establish the veracity and impact of the reported data breach and will provide further updates in due course,” the pension fund said in an official statement.
Not properly protected?
GPAA reportedly reassured GEPF that it had acted to protect its systems while the breach investigation was ongoing. However, preliminary research suggests that LockBit's claims may be related to a security incident GPAA went through in February.
The agency claimed on February 16 that an attempt to hack into its systems had failed, but this claim came under fire after the LockBit leak allegations. In a public post on February 21, GPAA said it had responded to an alleged attempt to gain “unauthorised access to the GEPF system” by shutting down and isolating the potentially affected systems.
The agency said its management systems were not compromised.
“Following the incident, it appears appropriate steps were taken to ensure the safety of data by securing the compromised server,” said Matt Aldridge, principal solutions consultant at OpenText Cybersecurity. “However, this incident raises concerns about the overall security posture and resilience of an organisation's systems.”
Aftermath of Operation Cronos
The apparent attack on GPAA comes in the wake of the Operation Cronos takedown, a law enforcement-led effort to disrupt the operations of LockBit and its ransomware-as-a-service affiliates.
LockBit and its affiliates were disrupted by the operation but have since resumed their attacks with new encryptors, rebuilt infrastructure and a new leak site.
Amir Sadon, research director at incident response consulting firm Sygnia, said LockBit has also launched a new data leak site and is recruiting “experienced penetration testers.”
“LockBit's rapid adaptation highlights the challenge of permanently neutralising cyber threats, especially those with advanced operational and organisational capabilities,” he said.
Other experts warn against hastily concluding that LockBit has already returned to full operational capability, speculating that the GPAA data may actually stem from an attack that preceded Operation Cronos on February 19.
“The GPAA reported the attempted breach on February 16th, prior to the takedown announcement,” said James Wilson, Cyber Threat Intelligence Analyst at ReliaQuest. “We therefore believe that LockBit is using older attacks as the basis for this claim in order to project an image that it maintains threat capabilities.”
According to Malwarebytes, LockBit is the most prolific ransomware group in the world and by far the most active ransomware group in South Africa, accounting for 42% of attacks in the country in the past 12 months.
Ransomware groups like LockBit are trying to build a brand to attract affiliates and ensure victims pay. “Since Operation Cronos, LockBit has [sought to] regain the trust of affiliates, and this breach will be used as a way to prove that affiliates are continuing with 'business as usual,'” said Tim West, director of threat intelligence and outreach at WithSecure.
Ransomware attackers such as those behind LockBit primarily rely on two techniques to gain initial access to organisations: using legitimate (valid) accounts and exploiting vulnerabilities in public-facing applications.
They typically steal a copy of the victim's data before encrypting it and use it as double leverage during ransom negotiations: they demand payment to restore the data and threaten to release the information through leak sites if the ransom is not paid.
Stop ransomware attacks
To protect yourself from the growing threat posed by ransomware attacks, it's important to adopt a proactive defense strategy. For example, adding multi-factor authentication (MFA) adds an additional verification step that complicates an attacker's efforts to exploit a compromised account or vulnerability.
Up-to-date backups, endpoint protection, and threat detection features that are regularly tested all harden your systems against ransomware attacks. You can also harden your systems against ransomware by managing vulnerabilities and mitigating their potential impact before they are patched.
“Firewalls and VPNs are attractive entry points for unauthorized access, so it's important to keep tabs on them,” said Christiaan Beek, senior director of threat analysis at Rapid7.
In addition, the administrative interfaces of public-facing applications must also be secured, Beek says.
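The advice above to add MFA and to keep tabs on firewalls and VPNs, together with the earlier point that LockBit affiliates lean heavily on legitimate accounts for initial access, translates naturally into a small detection check. The following is an added example written for this page, not code from the article or from any vendor quoted in it. It reviews constructed VPN authentication log lines (the `key=value` format and the sample entries are hypothetical) and flags two things a defender would want to see: successful logins that did not complete MFA, and a burst of failed attempts from one source followed by a success, which is a common credential-abuse indicator.

```python
"""Review constructed VPN authentication log lines for two conditions the
article calls out: valid-account logins that did not complete MFA, and a
burst of failed attempts followed by a success (a credential-abuse indicator).
The log format is hypothetical; adapt parse_line() to your gateway's real
syslog output."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real device or incident).
SAMPLE_LOG = """\
2024-02-16T02:10:01Z vpn auth user=asmith src=198.51.100.20 result=success mfa=yes
2024-02-16T02:11:15Z vpn auth user=jdoe src=203.0.113.7 result=failure mfa=n/a
2024-02-16T02:11:18Z vpn auth user=jdoe src=203.0.113.7 result=failure mfa=n/a
2024-02-16T02:11:22Z vpn auth user=jdoe src=203.0.113.7 result=failure mfa=n/a
2024-02-16T02:11:25Z vpn auth user=jdoe src=203.0.113.7 result=failure mfa=n/a
2024-02-16T02:11:40Z vpn auth user=jdoe src=203.0.113.7 result=success mfa=no
2024-02-16T02:30:00Z vpn auth user=svc_backup src=192.0.2.55 result=success mfa=no
2024-02-16T03:00:00Z vpn auth user=asmith src=198.51.100.20 result=failure mfa=n/a
"""

FAILURE_THRESHOLD = 3           # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10)  # look-back window in which those failures must occur


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    result: str
    mfa: str


def parse_line(line):
    """Parse one 'key=value' style line; return None for lines that don't match."""
    parts = line.split()
    if len(parts) < 7 or parts[1:3] != ["vpn", "auth"]:
        return None
    kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return AuthEvent(ts, kv["user"], kv["src"], kv["result"], kv["mfa"])
    except (KeyError, ValueError):
        return None


def find_findings(log_text):
    """Return a list of (rule, user, src) tuples for risky events, in log order."""
    findings = []
    recent_failures = defaultdict(list)  # src -> timestamps of failed attempts
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.result == "failure":
            recent_failures[ev.src].append(ev.ts)
            continue
        if ev.result != "success":
            continue
        # Rule 1: any successful login that did not complete MFA.
        if ev.mfa != "yes":
            findings.append(("success_without_mfa", ev.user, ev.src))
        # Rule 2: success preceded by a burst of failures from the same source
        # inside the look-back window.
        window_start = ev.ts - WINDOW
        burst = [t for t in recent_failures[ev.src] if t >= window_start]
        if len(burst) >= FAILURE_THRESHOLD:
            findings.append(("success_after_failure_burst", ev.user, ev.src))
        recent_failures[ev.src].clear()  # a success closes the current burst
    return findings


if __name__ == "__main__":
    for rule, user, src in find_findings(SAMPLE_LOG):
        print(f"{rule}: user={user} src={src}")
```

On the sample data the script flags the `jdoe` login twice (no MFA, and four failures in the preceding half minute) and the `svc_backup` login once (no MFA); the `asmith` login with MFA produces nothing. The threshold and window are deliberately exposed as constants, since the right values depend on how noisy a given gateway's failed-login stream normally is.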