Bits ‘n Pieces (Trozos y Piezas)
CL: Attack on multinational SONDA claimed by Medusa
The Chilean IT multinational SONDA, which has a presence in 11 countries, has been placed on the leaks page of the threat actor Medusa Locker. Medusa’s leak site displays some file captures from different countries where this company operates. The proof includes an affidavit from SONDA Peru, invoices from the parent company, some documents from SONDA Argentina, and identity cards. As Medusa has done with other victims, they produced a video showing what they accessed and acquired.
A countdown clock on the listing shows that SONDA has until April 15 to respond. Medusa lists three prices: $10,000.00 to add another 24 hours to the clock, $2,000,000.00 to delete all the data, or $2,000,000.00 to download all the data.
In a press statement on March 31, SONDA stated that it detected the malware in its systems on March 29. SONDA also stated that client services are segmented from its internal networks and that it had brought in Mandiant to help. SONDA’s notice was shared on Twitter by @1ZRR4H.
DataBreaches.net sent email inquiries on April 4 and 5, asking SONDA if Medusa encrypted their files and if they received a ransom note. They were also asked if the attack affected their operations and if they were negotiating with Medusa at all. No reply was received.
DataBreaches also sent inquiries to Medusa seeking additional details, but they declined to answer the questions, saying only, “Will send the URL of the company in question, now we have too many cases open.” Medusa did provide what appeared to be a sample on their leak site, but neither the sample nor the list of files could be downloaded when DataBreaches attempted to access them.
CL: Mutual de Seguros de Chile hit by BlackCat
Mutual de Seguros de Chile is a private, non-profit corporation in the life insurance industry. It also provides other types of benefits to its 500,000 policyholders. On April 3, BlackCat added the insurer to their leaks site with some sample files as proof.
One folder contained files from 2021 with claims and queries in .csv format. The image below is from the “Nomina” folder and was redacted by DataBreaches. The unredacted file exposes the policyholders’ RUT, full name, address, mobile phone, and email address. DataBreaches.net was able to verify that the data is real: looking up the RUT identifiers returned names that matched those in the file and also matched what we found on social networks.
Image and redaction: DataBreaches.net
DataBreaches emailed Mutual on April 3 and April 4 to ask when the attack occurred, if they know what data was stolen, and if they have negotiated with BlackCat at all. No replies were received. When BlackCat was asked whether this attack occurred before or after the FONASA attack, their spokesperson answered, “Probably after,” but they provided no answers to our other questions.
ES: AlcaSec admits to being responsible for the Judicial Neutral Point (PNJ) breach
DataBreaches.net has previously reported that half a million Spanish taxpayers and 50,000 police had their information stolen by attackers. Now ABC reports that José Luis Huertas, aka AlcaSec, is going to provisional prison for stealing and selling the data.
AlcaSec, who pled guilty in court, illegally obtained the passwords of two Justice officials, which gave him access to the Judicial Neutral Point (PNJ), a system managed by the General Council of the Judiciary that connects the courts with other state institutions. ABC reported that from there, he gained access to the Tax Agency databases in October. Stolen bank details of 575,186 taxpayers were then transferred to two servers hosted in Lithuania.
BR: The Palmeiras Club of Brazil target of a cyberattack last week
The Palmeiras Club of Brazil was the target of a cyberattack last week. Danilo Lavieri of UOL reports that the investigation is ongoing, but that the attack was on the administrative directory. Data related to the Avanti Official supporter program of Sociedade Esportiva Palmeiras and data from the facial biometrics system are stored on external servers.
The club says it will not comment on the case until it gets the results of its investigation and determines what action might be needed. They claim that there are currently no signs that data was exfiltrated.
Editing by Dissent