Entertainment giant Sony has alerted 6,800 current and former employees and their families that their personal information was compromised in a security breach.
The attackers apparently exploited a zero-day vulnerability in the MOVEit file transfer software (CVE-2023-34362), a critical-severity SQL injection vulnerability that can allow remote code execution.
The Cl0p ransomware gang had listed Sony as being a victim in late June, but Sony had made no announcements about a potential breach until now.
Then in September, reports circulated that Sony had been breached a second time by a ransomware operator dubbed Ransomed.vc, who claimed to have exfiltrated 3.14 GB of data from the company.
A Sony spokesperson issued the following statement, which appears to confirm that Sony has in fact suffered two security breaches in the past four months:
“Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business,” the statement reads.
“Sony has taken this server offline while the investigation is ongoing. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony's operations.”
Takeaway: With regard to the first attack, Cl0p ransomware operators continue to exploit a known vulnerability (CVE-2023-34362) in the MOVEit managed file transfer software to compromise numerous high-value targets in rapid succession.
More than 100 organizations have fallen prey to the attacks, including Oregon’s Department of Transportation, the government of Nova Scotia, British Airways, the BBC, Aer Lingus, the Illinois Department of Innovation & Technology, the Minnesota Department of Education - and Sony.
Companies like Sony – as well as agencies that govern critical infrastructure like the DoE – typically have very mature security programs. Yet, as evidenced by this spate of attacks, having a robust security program does not make you immune from a successful attack.
No one is immune from the fact that one vulnerability in one piece of software can expose the organization to a disruptive and potentially devastating ransomware attack.
Even if an organization is prepared and is able to recover its systems after a ransomware attack, it still has to contend with being extorted over the sensitive data that was exfiltrated.
Cl0p has been extremely active this year in campaigns exploiting vulnerabilities in the GoAnywhere and MOVEit file transfer programs, which is strong evidence that these ransomware operators are using automation to identify exposed organizations.
As for the second attack, while Sony has not released many details, we can assume that Ransomed.vc likely presented a ransom demand that was not met, which is why the data is being offered for sale on the dark web.
The attackers are also threatening to expose Sony to possible regulatory sanctions under GDPR as yet another twist on the double extortion scheme.
The threat to expose victim organizations to regulators if they fail to pay could put victims in a tricky situation when considering the best course of action following a successful ransomware attack.
For example, if a victim organization did decide to pay a ransom because it believes the attack would subject it to regulatory fines, it could be putting itself in legal jeopardy for withholding material information from regulators, from its insurer, and from stakeholders.
No organization should ever entertain any offer of collusion with attackers. By doing so they would expose their organizations to a degree of legal jeopardy that simply is not worth contemplating.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).