
BianLian Ransomware Gang Siphons 6.8TB of Data from Save The Children

 

One of the biggest and oldest charities in the world, Save the Children, has admitted it was a victim of a ransomware attack by the BianLian operation. The attack first came to light on Monday, September 11, when details concerning the assault were posted to the gang's leak site. 

The attack was originally tracked by VX Underground and Brett Callow of Emsisoft. VX Underground declared that the gang needed "to be punched in the face," which is a statement that is difficult to dispute. 

Save the Children was not specifically mentioned at first by BianLian, who instead claimed to have struck "the world's leading non-profit organisation, employing around 25,000 staff and operating in 116 countries" with $2.8 billion in revenue. 

The charity's own boilerplate matches some of this description, but BianLian's assessment of Save the Children's financial situation seems to be wildly off; the organisation's entire revenue in 2022 was £294m. 

The gang claimed to have stolen 6.8TB of data, including 800GB of the charity's financial data, along with data on its human resources department, as well as individual users' personal information, including their health and medical records and email texts.

The BianLian ransomware gang is largely unknown, and although its name refers to a type of Chinese opera from Sichuan Province, it is far more likely that the group is a Russian-speaking one. It was one of many crews that appeared during 2022, ascending around the same time as groups like Black Basta, Hive, and Alphv/BlackCat and establishing itself as a successful criminal organisation.

It is among the ransomware groups that, as of 2023, have shifted away from encrypting their victims' data and instead prefer to simply steal it and demand payment in exchange for a promise not to disclose it.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), BianLian generally uses legitimate Remote Desktop Protocol (RDP) credentials to access its victims' systems and makes use of a number of open source tools and command-line scripting for credential harvesting.

It uses a variety of techniques to steal its victims' data, most commonly File Transfer Protocol (FTP) and legitimate cloud storage and file transfer services and tools such as Rclone and Mega. To put pressure on its victims, it makes a show of printing its ransom note on printers on their networks, and staff of victimised companies have reported receiving threatening phone calls from individuals posing as group members.
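A defender-side sketch of the behaviour described above, added here as an example (it is not from the original post or from CISA): it flags command lines that look like Rclone, FTP or Mega transfers and raises the severity when the same account logged on to that host over RDP shortly before. The event records, field names, regular expressions and 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. "logon" rows mimic Windows
# Security event 4624, where logon type 10 is RemoteInteractive (RDP).
EVENTS = [
    {"ts": "2023-09-01T02:10:00", "host": "FS01", "user": "svc_backup",
     "kind": "logon", "logon_type": 10},
    {"ts": "2023-09-01T02:14:30", "host": "FS01", "user": "svc_backup", "kind": "proc",
     "cmd": r"C:\ProgramData\tool.exe copy D:\Finance remote1:dump --transfers 16"},
    {"ts": "2023-09-01T02:20:00", "host": "FS01", "user": "svc_backup", "kind": "proc",
     "cmd": r"ftp.exe -s:C:\Temp\u.txt"},
    {"ts": "2023-09-01T09:00:00", "host": "WS07", "user": "alice", "kind": "proc",
     "cmd": r"robocopy C:\Docs D:\Backup /E"},
    {"ts": "2023-09-01T09:05:00", "host": "WS07", "user": "bob", "kind": "proc",
     "cmd": r"rclone.exe sync C:\Share mega:archive"},
]

# Heuristic patterns (assumptions, tune per environment).
RULES = {
    # Rclone by file name, or by its "verb ... remote:path" syntax if renamed.
    # A remote name has 2+ characters, so drive letters (D:\) do not match.
    "rclone": re.compile(
        r"\brclone(\.exe)?\b|\b(copy|sync|move)\b.*\s[A-Za-z0-9][\w-]+:(?![\\/])", re.I),
    "ftp": re.compile(r"\bftp(\.exe)?\s|ftp://", re.I),
    "mega": re.compile(r"\bmega(\b|cmd|sync)", re.I),
}

def find_exfil(events, window=timedelta(minutes=30)):
    """Return (host, user, tools, severity) for transfer-tool command lines."""
    rdp = {}  # (host, user) -> time of the most recent RDP logon
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, key = datetime.fromisoformat(e["ts"]), (e["host"], e["user"])
        if e["kind"] == "logon":
            if e.get("logon_type") == 10:
                rdp[key] = ts
            continue
        tools = sorted(name for name, rx in RULES.items() if rx.search(e["cmd"]))
        if tools:
            # Same account, same host, shortly after an RDP logon: escalate.
            recent_rdp = key in rdp and ts - rdp[key] <= window
            findings.append((e["host"], e["user"], tools,
                             "high" if recent_rdp else "review"))
    return findings

if __name__ == "__main__":
    for finding in find_exfil(EVENTS):
        print(finding)
```

A "review" result marks a transfer tool seen without a preceding RDP logon in the window, which may be legitimate administrative use.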

Amnesty International Takes a While to Disclose the Data Breach From December

 

Amnesty International Australia notified supporters via email last Friday that their data might be at risk owing to "anomalous activity" discovered in its IT infrastructure. 

The email was sent not only extremely late in the day and week, but also long after the activity was discovered. The email, which Gizmodo Australia saw, says that the activity was discovered towards the end of last year.

“As soon as we became aware of this activity on 3 December 2022, we engaged leading external cyber security and forensic IT advisors to determine if any unauthorised access to our IT environment had occurred,” Amnesty International Australia stated.

“We acted quickly to ensure the AIA IT environment was secure and contained, put additional security measures in place and commenced an extensive investigation.” 

Amnesty International said that while it took the organisation some time to notify its supporters of a security breach, the investigation is now complete and has revealed that an unauthorised third party temporarily gained access to its IT system.

“In the course of this investigation, we identified that some low-risk information relating to individuals who made donations in 2019 was accessed, but of low risk of misuse,” the organisation added. 

Although "low risk" information was not defined, the security advice the organisation offered suggests that the data is most likely names, email addresses, and phone numbers. Despite being satisfied that the information obtained through the breach won't be used inappropriately, Amnesty International Australia advised its supporters to "carefully scrutinise all emails," "don't answer calls from unknown or private numbers," and "never click on links in SMS messages or social media messages you are not expecting to receive."

The breach only affected the local arm of the charity, according to Amnesty International Australia, and did not affect any other branches. The statement added that although the scope of the "information accessed in the cyber event" did not meet the requirements or threshold for notification under the Notifiable Data Breaches Scheme, Amnesty International Australia had decided to notify its supporters "in the interest of transparency".