Amedia: production partially restored, investigation in progress
A ransomware attack disrupted the operations of Norwegian media company Amedia, which publishes more than 70 newspapers for 2 million readers.
Tuesday’s attack on the company’s computer systems forced it to shut down its presses, Pål Nedregotten, Amedia’s executive vice president of technology, said.
In a Wednesday update, the company said it would take “time before things get back to normal.”
Although the attackers left a ransom note on the media company’s infected computers, Amedia has no intention of paying a ransom, the statement said. The company says it has shared the ransom note with the police.
With the company’s central information systems still encrypted and down, further steps are being taken to restore production of the print newspapers, and only 20 of the titles published by the media company will be printed on Thursday, the update adds.
“The alternative production of the paper newspaper on Thursday will apply to about twenty newspapers, while it is not yet possible for the other newspapers to release the newspaper. Efforts are made to make the solution accessible to everyone from Friday,” says Amedia.
The company did not respond to Information Security Media Group’s request for additional details, such as the ransom amount sought, the vector of infection, and the identity of the attacker.
Amedia’s initial investigation confirms that “the problems are limited to systems managed by Amedia’s central IT company, Amedia Teknologi,” and that “Amedia’s other systems are operating normally.”
If no newspaper can be published, it affects readers as well as advertisers who cannot place new ad orders or see ordered ones published, Nedregotten says.
Amedia’s latest update confirms that its central information systems, targeted by the attack, contain personal data. Subscriber data includes name, address, cell phone number, email address, and subscription history, while employee data includes employment terms and agreements, social security numbers and wages.
“We don’t yet know whether this information has actually been misused or not and we are now working to map these issues in more detail,” Amedia said. “It seems obvious that such data has been uploaded and we will notify the Norwegian Data Protection Authority.”
On Tuesday, Nedregotten said there was “no reliable information” as to whether the personal information of subscribers and employees had been compromised, but that “if any personal information has gone astray, those affected will be informed as soon as possible.”
Is the PrintNightmare vulnerability being exploited?
“People [attackers] have been in our systems for several days,” Nedregotten told the local news site Digi.no at a digital press conference on Wednesday. “There is a known security vulnerability in Windows that has been exploited, so it was Amedia’s Windows servers that were affected.”
Nedregotten did not name the exploited vulnerability. A Twitter user who goes by the name “cyb5r3Gene” and claims to be a Norwegian security researcher says the threat actor exploited CVE-2021-1675, the PrintNightmare vulnerability, to gain initial access and for subsequent lateral movement.
– Cyb5r3 Gene (@cyb5r3Gene), December 30, 2021
The Twitter user also said that the Vice Society ransomware group could be responsible for the attack, as the group has exploited the PrintNightmare vulnerability in the past (see: Ransomware gangs attempt to exploit “PrintNightmare” flaws).
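For defenders wanting to confirm whether their own Windows servers are exposed to the PrintNightmare family of flaws named above, the following PowerShell audit is an added example (not from the article, Amedia or the researcher quoted). It checks the Print Spooler service state and the Point and Print policy values from Microsoft’s hardening guidance; the registry path and value names are Microsoft’s, while the “Expected” values and the Finding wording are this example’s own assumptions.

```powershell
# Added example: read-only audit of a Windows host for PrintNightmare exposure
# (CVE-2021-1675 family). It changes nothing; it only reports.
# 1) Is the Print Spooler running on a host that may not need it?
# 2) Do the Point and Print policy values match the hardened settings?
$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Value name => hardened value per Microsoft's guidance (assumed here as the target).
$expected = [ordered]@{
    'RestrictDriverInstallationToAdministrators' = 1   # only admins may install print drivers
    'NoWarningNoElevationOnInstall'              = 0   # keep the elevation prompt on install
    'UpdatePromptSettings'                       = 0   # keep the prompt on driver update
}

$findings = @()

# 1. Spooler service: servers with no printing role should have it stopped and disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings += [pscustomobject]@{ Check = 'Spooler'; Value = 'not installed'; Finding = 'OK' }
} elseif ($spooler.Status -eq 'Running') {
    $findings += [pscustomobject]@{
        Check   = 'Spooler'
        Value   = "Running ($($spooler.StartType))"
        Finding = 'Review: stop and disable unless this host must print or serve print queues'
    }
} else {
    $findings += [pscustomobject]@{
        Check = 'Spooler'; Value = "$($spooler.Status) ($($spooler.StartType))"; Finding = 'OK'
    }
}

# 2. Point and Print policy values. A missing value means the OS default applies,
#    which depends on the installed update level, so it is flagged for confirmation.
$current = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $actual = if ($current -and $null -ne $current.$name) { [int]$current.$name } else { $null }
    $state = if ($null -eq $actual) { 'Not set: OS default applies, confirm for this build' }
             elseif ($actual -eq $expected[$name]) { 'OK' }
             else { "Weak: expected $($expected[$name])" }
    $findings += [pscustomobject]@{ Check = $name; Value = $actual; Finding = $state }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt on each server; any “Weak” or “Review” line is a candidate for the hardening described in Microsoft’s PrintNightmare guidance.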
“Yes, there are backups”
While Amedia admits that it has “serious” problems, the media group says it is ready with a disaster recovery plan. “Yes, there are backups. We are looking at how we can use them,” says Amedia.
The process can take a while, as its team examines safe backup configurations while making sure that restoring from them does not trigger a malicious script that re-initiates the attack. “We have engaged experts to help us in this area to ensure the security of such solutions. We will provide further information on this as soon as we are ready,” said Amedia.
Ransomware, a persistent problem
Businesses need to stop thinking that ransomware is somehow different from any other attack, Simon Edwards, CEO of security firm SE Labs, told Information Security Media Group.
“The hacker’s playbook hasn’t changed much over the years. Perform reconnaissance, access, increase privilege, and steal or destroy information. Attackers don’t use magic because they don’t. Proven and reliable hacking methods reign supreme, as appears to be the case in this particular incident,” said Edwards.
“People tend to think of hacking as involving super-secret programs and the kind of obscure knowledge known only to a handful of dark computer scientists. But you can portray yourself as a fairly proficient attacker with a handful of widely available books, some free software and access to YouTube,” says Edwards.
Rather than focusing on a problem like ransomware, Edwards recommends that companies ensure that their environments are sufficiently locked down to prevent any type of attack, regardless of its payload. “Confirming that security measures and policies still meet business needs on a regular basis will help strengthen defenses,” he told ISMG.