Chile's Grupo GTD has issued a warning that a cyberattack has disrupted its Infrastructure as a Service (IaaS) platform.
Grupo GTD is a telecommunications firm based in Chile, Spain, Colombia, and Peru that offers services throughout Latin America.
The company delivers a variety of IT services, such as internet access, mobile and landline phone service, and data centre and IT managed services.
On October 23rd, GTD was the victim of a cyberattack that disrupted multiple services, including its data centres, internet access, and Voice-over-IP (VoIP).
"We understand the importance of proactive and fluid communication in the face of incidents, therefore, in accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident," states a GTD security incident notification.
"This impact is limited to part of our IaaS platform and some shared services (IP telephony services, VPNs and OTT television system). Our communication COR, as well as our ISP, are operating normally."
To prevent the spread of the attack, the company isolated its IaaS platform from the internet, resulting in the outages.
Chile's Computer Security Incident Response Team (CSIRT) revealed today that GTD was the victim of a ransomware attack.
"The Computer Security Incident Response Team (Government CSIRT) of the Ministry of the Interior and Public Security was notified by the company GTD about a ransomware that affected part of its IaaS platforms during the morning of Monday, October 23," reads a machine-translated statement published on the CSIRT website.
Although CSIRT has not named the ransomware operation behind the GTD attack, researchers have found that it was the Rorschach variant, which was previously seen in an attack on a US corporation.
In April 2023, Check Point Research discovered the relatively new Rorschach ransomware, also known as BabLock. The researchers cautioned that the encryptor was extremely fast and sophisticated, able to encrypt a device in 4 minutes and 30 seconds, although they were unable to link it to a specific ransomware group.
The threat actors are using DLL sideloading vulnerabilities in genuine Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL, according to a report on the GTD attack seen by researchers.
This is the Rorschach injector DLL, which injects a "config[.]ini" ransomware payload into a Notepad process. The ransomware starts encrypting files on the device as soon as the payload is loaded.
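For defenders, the chain described above (a legitimate signed executable loading an unsigned DLL from its own directory, followed by that process opening a remote thread in Notepad) is a detectable sequence. The following is an added example, not code from the article or from CSIRT: it runs a simple two-stage correlation over constructed, simplified Sysmon-style events (Event ID 7 image load, Event ID 8 CreateRemoteThread); the field names and paths are assumptions for illustration, not real GTD telemetry.

```python
import ntpath

# Constructed, simplified Sysmon-style events (not real GTD telemetry).
# EventID 7 = image loaded, EventID 8 = CreateRemoteThread. Field names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Temp\av_tool.exe", "HostSigned": True,
     "ImageLoaded": r"C:\Temp\support.dll", "LoadedSigned": False},
    {"EventID": 8, "ProcessId": 4120, "Image": r"C:\Temp\av_tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 7, "ProcessId": 5200, "Image": r"C:\Program Files\Vendor\agent.exe", "HostSigned": True,
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "LoadedSigned": True},
    {"EventID": 8, "ProcessId": 6100, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_sideload(ev):
    """Signed host EXE loading an unsigned DLL from its own directory, outside system dirs."""
    if ev.get("EventID") != 7 or not ev.get("HostSigned") or ev.get("LoadedSigned"):
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    return exe_dir == dll_dir and not exe_dir.startswith(SYSTEM_DIRS)


def is_notepad_injection(ev):
    """CreateRemoteThread whose target process image is notepad.exe."""
    return (ev.get("EventID") == 8
            and ntpath.basename(ev.get("TargetImage", "")).lower() == "notepad.exe")


def find_chains(events):
    """Return [(pid, host_exe, dll)] for processes that first sideloaded an unsigned DLL
    and later created a remote thread in notepad.exe. Events must be in time order."""
    sideloaded = {}  # pid -> (host exe, sideloaded dll)
    hits = []
    for ev in events:
        if is_sideload(ev):
            sideloaded[ev["ProcessId"]] = (ev["Image"], ev["ImageLoaded"])
        elif is_notepad_injection(ev) and ev["ProcessId"] in sideloaded:
            exe, dll = sideloaded[ev["ProcessId"]]
            hits.append((ev["ProcessId"], exe, dll))
    return hits


if __name__ == "__main__":
    for pid, exe, dll in find_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {exe} sideloaded {dll} and then injected into notepad.exe")
```

Only the process that both sideloads an unsigned DLL and then targets Notepad is flagged; a signed plugin load or an unrelated remote thread on its own is not.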
The CSIRT has published a set of recommendations to help companies connected to GTD's IaaS verify that they were not compromised. These include antivirus scans, software safety checks, server account reviews, hard drive and processor performance analysis, network traffic monitoring, and keeping system records current.
The attack on GTD comes after a similar incident that took place earlier this year, when the Rhysida ransomware targeted the Chilean military and thousands of stolen government documents were made public. Regarding the recent attack, GTD has not yet responded to inquiries, and the incident is still being investigated.