Chile's Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.

Grupo GTD is a telecommunications company offering services throughout Latin America, with a presence in Chile, Spain, Colombia, and Peru. The company provides various IT services, including internet access, mobile and landline telephony, and data center and IT managed services.

On the morning of October 23rd, GTD suffered a cyberattack that impacted numerous services, including its data centers, internet access, and Voice-over-IP.

"We understand the importance of proactive and fluid communication in the face of incidents. In accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident," reads a GTD security incident notification.

To prevent the attack's spread, the company disconnected its IaaS platform from the internet, leading to these outages.

Today, Chile's Computer Security Incident Response Team (CSIRT) confirmed that GTD suffered a ransomware attack.

"The Computer Security Incident Response Team of the Ministry of the Interior and Public Security was notified by the company GTD about a ransomware that affected part of its IaaS platforms during the morning of Monday, October 23," reads a machine-translated statement on the CSIRT website. "As a consequence, some public services in our country have presented unavailability on their websites."

The CSIRT is requiring all public institutions that use GTD's IaaS services to notify the government under Decree No. 273, which requires all State agencies to report when a cybersecurity incident may impact them.

While CSIRT has not disclosed the name of the ransomware operation behind the attack on GTD, BleepingComputer has learned that it involved the Rorschach ransomware variant previously seen used in an attack on a US company.
Rorschach ransomware is a relatively new encryptor first documented by Check Point Research in April 2023. While the researchers could not link the encryptor to a particular ransomware gang, they warned that it was both sophisticated and very fast, able to encrypt a device in 4 minutes and 30 seconds.

In a report on the GTD attack seen by BleepingComputer, the threat actors are described as abusing DLL sideloading weaknesses in legitimate Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL. This DLL is the Rorschach injector, which injects a ransomware payload named "Config[.]ini" into a Notepad process. Once loaded, the ransomware begins encrypting files on the device.

CSIRT has shared IOCs related to the attack on GTD, with u.exe and d.exe being the legitimate Trend Micro and BitDefender executables used in the attack and the accompanying DLLs containing the malware.

Earlier this year, the Chilean military suffered a Rhysida ransomware attack, in which BleepingComputer was told the threat actors released 360,000 documents stolen from the government.

BleepingComputer reached out to Grupo GTD with further questions about the attack this morning but did not receive a response.
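As an added example (not code from the article, CSIRT, Check Point, or any of the vendors named), the following Python script shows one way a SOC could screen Sysmon-style image-load (Event ID 7) and remote-thread (Event ID 8) records for the two behaviours the report describes: an unsigned DLL loaded from the same directory as a trusted executable, and a remote thread created in a Notepad process by another process. The event records, the DLL and directory names, and the use of u.exe as a stand-in for the vendor executable are all constructed for the demonstration and are not real telemetry from the GTD incident.

```python
"""Heuristic detection of DLL sideloading and Notepad injection.

Input records mimic the field names of Sysmon Event ID 7 (ImageLoad) and
Event ID 8 (CreateRemoteThread). All sample data below is constructed for
this example; it is not telemetry from the GTD attack.
"""
import ntpath

# System directories from which unsigned loads are not treated as sideloads
# (normalised lower-case, backslash form, as produced by ntpath.normcase).
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Processes reported as hosts for the injected ransomware payload.
INJECTION_HOSTS = {"notepad.exe"}


def _norm(path):
    # Windows paths compare case-insensitively; ntpath works on any host OS.
    return ntpath.normcase(path)


def is_sideload_candidate(event):
    """Event ID 7: an unsigned DLL loaded from the executable's own directory,
    outside the Windows system directories. This is the classic shape of a
    sideload, where a malicious DLL is dropped beside a trusted binary."""
    if event["EventID"] != 7:
        return False
    exe_dir = ntpath.dirname(_norm(event["Image"]))
    dll_dir = ntpath.dirname(_norm(event["ImageLoaded"]))
    if dll_dir in TRUSTED_DLL_DIRS:
        return False
    return event["Signed"] == "false" and exe_dir == dll_dir


def is_notepad_injection(event):
    """Event ID 8: a remote thread created in a Notepad process by some other
    process, matching the injector behaviour described in the report."""
    if event["EventID"] != 8:
        return False
    source = _norm(event["SourceImage"])
    target = _norm(event["TargetImage"])
    return ntpath.basename(target) in INJECTION_HOSTS and source != target


def analyze(events):
    """Return one finding per suspicious event, preserving event order."""
    findings = []
    for ev in events:
        if is_sideload_candidate(ev):
            findings.append({"rule": "dll_sideload_candidate",
                             "process": ev["Image"],
                             "dll": ev["ImageLoaded"]})
        elif is_notepad_injection(ev):
            findings.append({"rule": "remote_thread_into_notepad",
                             "source": ev["SourceImage"],
                             "target": ev["TargetImage"]})
    return findings


# Constructed sample events. u.exe stands in for the legitimate vendor
# executable named in the report; sideload.dll and the paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\u.exe",
     "ImageLoaded": r"C:\Users\Public\sideload.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\Public\u.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\agent.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\agentlib.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\u.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Both rules are heuristics rather than signatures: some legitimate software ships unsigned DLLs beside signed binaries, so a sideload finding should be corroborated by checking the DLL's hash against the CSIRT IOC list and the DLL's export table before it is escalated.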
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000