Chilean telecom giant GTD hit by the Rorschach ransomware gang


Chile’s Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.

Grupo GTD is a telecommunications company offering services throughout Latin America, with a presence in Chile, Spain, Columbia, and Peru. The company provides various IT services, including internet access, mobile and landline telephone, and data center and IT managed services.

On the morning of October 23rd, GTD suffered a cyberattack that impacted numerous services, including its data centers, internet access, and Voice-over-IP (VoIP).

“We understand the importance of proactive and fluid communication in the face of incidents, therefore, in accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident,” reads a GTD security incident notification.

“This impact is limited to part of our laas platform and some shared services (IP telephony services, VPNs and OTT television system). Our communication COR, as well as our ISP, are operating normally.”

To prevent the attack’s spread, the company disconnected its IaSS platform from the internet, leading to these outages.

Today, Chile’s Computer Security Incident Response Team (CSIRT) confirmed that GTD suffered a ransomware attack.

“The Computer Security Incident Response Team (Government CSIRT) of the Ministry of the Interior and Public Security was notified by the company GTD about a ransomware that affected part of its IaaS platforms during the morning of Monday, October 23,” reads a machine-translated statement on the CSIRT website.

“As a consequence, some public services in our country have presented unavailability on their websites.”

The CSIRT is requiring all public institutions who are utilizing GTD’s IaaS services to notify the government under decree No. 273, which requires all State agencies to report when a cybersecurity incident may impact them.

Ransomware IOCs released

While CSIRT has not disclosed the name of the ransomware operation behind the attack on GTD, BleepingComputer has learned that it involved the Rorschach ransomware variant previously seen used in an attack on a US company.

Rorschach ransomware (aka BabLock) is a relatively new encryptor seen by Check Point Research in April 2023. While the researchers could not link the encryptor to a particular ransomware gang, they warned that it was both sophisticated and very fast, able to encrypt a device in 4 minutes and 30 seconds.

In a report on the GTD attack seen by BleepingComputer, the threat actors are utilizing DLL sideloading vulnerabilities in legitimate Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL.

This DLL is the Rorschach injector, which will inject a ransomware payload called “config[.]ini” into a Notepad process. Once loaded, ransomware will begin encrypting files on the device.

CSIRT has shared the following IOCs related to the attack on GTD below, with u.exe and d.exe being legitimate TrendMicro and BitDefender executables used in the attack and the DLLs containing the malware.

SHA256 File Name Description
58c20b0602b2e0e6822d415b5e8b53c348727d8e145b1c096a6e46812c0f0cbc log.dll DLL Ransomware
5822b7c0b07385299ce72788fd058ccadc5ba926e6e9d73e297c1320feebe33f TmDbgLog.dll DLL Ransomware
43a3fd549edbdf0acc6f00e5ceaa54c086ef048593bfbb9a5793f52a7cc57d1c u.exe Execution Vector (TrendMicro AirSupport)
3476f0e0a4bd9f438761d9111bccff7a7d71afdc310f225bfebfb223e58731e6 d.exe Execution Vector (BitDefender Update Downloader)

Chile’s CSIRT recommends that all organizations connected to GTD’s IaaS go through the following steps to confirm they were not breached in the attack:

  • Perform a complete scan of your infrastructure with antivirus.
  • Verify that there is no suspicious software on your systems.
  • Review existing accounts on your server and confirm that no new accounts have been created.
  • Analyze processing and hard drive performance to ensure it is not altered.
  • Check if there is any type of variation in the information or data leak of the company and its databases.
  • Check your network traffic.
  • Maintain an up-to-date record of your systems to ensure effective monitoring.
  • Restrict access via SSH to servers, only if strictly necessary.

Earlier this year, the Chilean military suffered a Rhysida ransomware attack, where BleepingComputer was told that the threat actors released 360,000 documents stolen from the government.

BleepingComputer reached out to Grupo GTD with further questions about the attack this morning but did not receive a response.



Source link