Hackers go rogue: chain of attacks on tech giants

Breach Report (TheBreachReport)
Aug 14, 2020

Data leaks can be very dangerous. Compromised records may allow cybercriminals to steal valuable assets such as intellectual property or financial resources, or to extort multi-million-dollar ransoms. Unfortunately, the last couple of weeks were eventful in terms of high-profile cyberattacks: several IT giants suffered serious data breaches.

Intel leak

For example, 20 Gb of confidential documents belonging to Intel were leaked last week. Swiss software engineer Tillie Kottmann published the data after receiving it from an anonymous hacker. The compromised information includes technical specifications, product source code, and internal documents on various CPUs and chipsets. The hacker stated that he is going to publish more details soon.

The leak includes:

  • Intel ME Bringup guides + (flash) tooling + samples for various platforms
  • Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history)
  • Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES
  • Silicon / FSP source code packages for various platforms
  • Various Intel Development and Debugging Tools
  • Simics Simulation for Rocket Lake S and potentially other platforms
  • Various roadmaps and other documents
  • Binaries for Camera drivers Intel made for SpaceX
  • Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform
  • (very horrible) Kabylake FDK training videos
  • Intel Trace Hub + decoder files for various Intel ME versions
  • Elkhart Lake Silicon Reference and Platform Sample Code
  • Some Verilog stuff for various Xeon Platforms, unsure what it is exactly
  • Debug BIOS/TXE builds for various Platforms
  • Bootguard SDK (encrypted zip)
  • Intel Snowridge / Snowfish Process Simulator ADK
  • Various schematics
  • Intel Marketing Material Templates (InDesign)

At the moment, Kottmann's Twitter account is suspended, but the Intel data has already reached the Dark Web. The download links are regularly blocked, but the criminals constantly update them.

Later Kottmann published more stolen data that includes:

  • Apollo Lake TXE Release
  • Intel Automated Power Switch Software
  • Intel HDCP Root Certificate
  • Intel Lakefield PETS (Platform Enablement Test Suite)

This dump was also published on the Dark Web immediately.

Interestingly enough, Intel did not report any data breach. According to the company, “the information appears to come from the Intel Resource and Design Center, which hosts information for use by … external parties… We believe an individual with access downloaded and shared this data”. Many of the documents in the leak do contain links to the Resource and Design Center, so this version looks plausible. The attacker, however, claims that he accessed the data through a breach: “They have a service hosted online by Akami CDN that wasn’t properly secure. After an internet-wide nmap scan I found my target port open and went through a list of 370 possible servers based on details that nmap provided with an NSE script”. The hacker also revealed that many of the zip files were password-protected, but “most of them [have] the password Intel123 or a lowercase intel123.”

This case shows that even leading companies have vulnerabilities that cybercriminals are more than willing to exploit. By the way, Breach Report’s database of leaks includes 50,200 exposed corporate emails belonging to Intel. This number of compromised records gives criminals many opportunities to access sensitive data, especially with social engineering methods that advance every day. Weak passwords make it even easier. This is why companies must have a proactive data security policy and monitor breaches with the help of professional services, so that they can take immediate measures in case of an attack.
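As an added illustration of the weak-password point above (this code is not from the original article), the Python check below rejects passwords derived from an organisation's own name, as "Intel123" and "intel123" were, and looks a candidate up in a stand-in breach corpus; the banned terms and the corpus are constructed assumptions, not real data.

```python
import hashlib
import re

# Constructed assumption: organisation-specific terms a password policy bans.
# "intel" appears here only because the article quotes the archive passwords
# "Intel123" and "intel123"; substitute your own company, product and site names.
BANNED_TERMS = {"intel", "resource", "design"}

# Common substitutions users apply to slip past naive word filters.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords already
# seen in leaks. A real monitoring service holds hundreds of millions of these.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Intel123", "intel123", "Password1")}


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def seen_in_breach(password: str) -> bool:
    """True if the password's SHA-1 digest is in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def check_password(password: str, min_len: int = 14) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    core = normalize(password)
    for term in sorted(BANNED_TERMS):
        if term in core:
            problems.append(f"derived from banned term '{term}'")
    # A word followed only by a short digit suffix ("Intel123") is the shape
    # that cracking tools try first, whatever the word is.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):
        problems.append("word followed by short digit suffix")
    if seen_in_breach(password):
        problems.append("already present in a breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("Intel123", "1nt3l!2020", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "ok")
```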

IT news website ZDNet analyzed the Intel dump with the help of experts and confirmed its authenticity. Some researchers also noted that the current leak is not critical for the corporation because it does not contain information on any new CPU vulnerabilities. But the contents of the other stolen data remain unclear. In any case, the company will still suffer some reputational and economic losses due to the attack.

Other high-impact cases

Financial damage connected with breaches can be very significant. For example, US bank Capital One was fined $80 million in 2019 after an employee of its contractor, Amazon Web Services, stole personal and financial records of more than 100 million Americans and 6 million Canadians.

Fitness brand Garmin has reportedly paid a $10 million ransom after a recent cyberattack. The company received a decryption key to recover the data held hostage after its devices, apps, websites, and even a call center had been put offline. One of the biggest US travel firms, Carlson Wagonlit Travel, also recently paid $4.5 million after ransomware encrypted its IT systems and hackers stole terabytes of data. And there are many more incidents like this.

LG and Xerox data were also leaked last week. Both companies were attacked by the infamous Maze gang. After several extortion attempts, the hackers published source code for the firmware of some LG phones and laptops. They also stole data related to Xerox's customer support operations.

This criminal group also took credit for last week’s ransomware attack on Canon. The company faced issues with its apps, Microsoft Teams, and email. According to the hackers, they stole 10 terabytes of data, including some confidential databases. The criminals threaten to leak the data unless they receive a ransom.

More possible incidents

Attacks of this kind seem to gain momentum. Another serious incident that took place recently might increase the risks even more.

Last week, a hacker published plaintext usernames and passwords, as well as IP addresses, for more than 900 corporate Pulse Secure VPN servers. The leak was shared on a Russian-speaking forum popular among ransomware gangs. The list also includes, for each server, the Pulse Secure VPN firmware version, SSH keys, a list of all local users with their password hashes, admin account details, the last VPN logins (including usernames and cleartext passwords), and VPN session cookies.

Later the dump was published on another popular Dark Web forum.

We see that cyber threats are definitely becoming more frequent and impactful. This is why individuals and enterprises need to stay alert and use best-in-class tools to protect their data and financial stability. Use Breach Report’s free search to find out whether your account was compromised.
