InfoSec Round-Up: April 30th

Stolen Police Data, Train Cyber-Attack & Music Market Breach

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

DC Police Data Stolen

Washington DC’s Metropolitan Police Department has had a reported 250GB of unencrypted files stolen as part of a ransomware attack. Data which attackers are threatening to release.

Thought to have originally occurred on the 19th of April, attackers claim to have stolen a plethora of information relating to ongoing operations, disciplinary records and files related to gangs operating within the DC area.

Via their data leak website, the criminal syndicate has stated that should the law enforcement organisation not begin negotiations with them within three days, they intend to start contacting criminal gangs with information relating to police informants.

Babuk, the Russian-speaking gang behind the attack, is a relatively new threat actor, and although their operations were only first discovered in January of 2021, they are thought to have already launched at least five attacks against large enterprises.

Speaking to the attack, the Washington DC's police department has stated, “[we are] aware of unauthorised access on our server”. Adding, “While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”

Music Marketplace Data Breach

The world’s largest online music marketplace, Reverb.com, has exposed the personal details of millions of customers, including those belonging to Jimmy Chamberlin of The Smashing Pumpkins and Alessandro Cortini of Nine Inch Nails.

The website, which is dedicated to selling new, used, and vintage musical equipment, has notified customers that names, phone number and email addresses are amongst the data exposed because of an unsecured Elasticsearch server.

Containing more than 5.6 million records, the exposed database was discovered by a security researcher at the beginning of this month; though by the time the researcher had linked the data back to Reverb, the database had already been secured.

While it is not known whether the information had been accessed by any malicious actors, the exposed data would have allowed cyber criminals to launch amongst other attacks, targeted phishing campaigns against the website’s customers.

Regarding his discovery, researcher Volodymyr "Bob" Diachenko noted, “At first, it wasn't immediately clear who owns this and what type of data it [was], so I put it on a shelf.”

Adding, “The fact that customer shop IDs were exposed is troublesome as these can be used to make fraudulent correspondence look legitimate.”

Merseyrail Attack

Railway company Merseyrail has confirmed that it has fallen victim to a cyber attack in which the director’s Office 365 account was compromised.

Providing train services across sixty-eight stations around the Liverpool City region, Merseyrail has reportedly been hit with a ransomware attack, as part of which the email account of company director Andy Heather was taken over by the attackers.

From the account, multiple emails were sent to various journalists and stakeholders announcing the attack, presumably as part of the ransomware syndicate’s method of extortion.

Having confirmed the cyber-attack the day after the emails were sent, Merseyrail has formally released little in the way of details, though the ‘Lockbit’ gang, who claims to be behind the attack, suggested that a recent company outage was in fact a ransomware attack in which employee and customer data was stolen.

With the UK’s data watchdog having been informed, a Merseyrail spokesperson has simply stated, “Merseyrail was recently subject to a cyber-attack.” Adding, “This does not affect the operation of our services, which will continue to run as advertised.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.