Chilean telecom giant GTD hit by the Rorschach ransomware gang



Chile's Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.

Grupo GTD is a telecommunications company offering services throughout Latin America, with a presence in Chile, Spain, Colombia, and Peru. The company provides various IT services, including internet access, mobile and landline telephone, and data center and IT managed services.

On the morning of October 23rd, GTD suffered a cyberattack that impacted many services, including its data centers, internet access, and Voice-over-IP (VoIP).

"We understand the importance of proactive and fluid communication in the face of incidents, therefore, in accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident," reads a GTD security incident notification.

"This impact is limited to part of our IaaS platform and some shared services (IP telephony services, VPNs and OTT television system). Our communication COR, as well as our ISP, are operating normally."

To prevent the attack's spread, the company disconnected its IaaS platform from the internet, leading to these outages.

Today, Chile’s Computer Security Incident Response Team (CSIRT) confirmed that GTD suffered a ransomware attack.

"The Computer Security Incident Response Team (Government CSIRT) of the Ministry of the Interior and Public Security was notified by the company GTD about a ransomware that affected part of its IaaS platforms during the morning of Monday, October 23," reads a machine-translated statement on the CSIRT website.

"As a result, some public services in our country have presented unavailability on their websites."

The CSIRT is requiring all public institutions that use GTD's IaaS services to notify the government under decree No. 273, which requires all State agencies to report when a cybersecurity incident may impact them.

Ransomware IOCs released

While CSIRT has not disclosed the name of the ransomware operation behind the attack on GTD, BleepingComputer has learned that it involved the Rorschach ransomware variant previously seen used in an attack on a US company.

Rorschach ransomware (aka BabLock) is a relatively new encryptor seen by Check Point Research in April 2023. While the researchers could not link the encryptor to a particular ransomware gang, they warned that it was both sophisticated and very fast, able to encrypt a device in 4 minutes and 30 seconds.

In a report on the GTD attack seen by BleepingComputer, the threat actors are using DLL sideloading vulnerabilities in legitimate Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL.

This DLL is the Rorschach injector, which will inject a ransomware payload called "config[.]ini" into a Notepad process. Once loaded, the ransomware will begin encrypting files on the device.

CSIRT has shared the following IOCs related to the attack on GTD below, with u.exe and d.exe being the legitimate TrendMicro and BitDefender executables used in the attack and the DLLs containing the malware.

SHA256 File Name Description
58c20b0602b2e0e6822d415b5e8b53c348727d8e145b1c096a6e46812c0f0cbc log.dll DLL Ransomware
5822b7c0b07385299ce72788fd058ccadc5ba926e6e9d73e297c1320feebe33f TmDbgLog.dll DLL Ransomware
43a3fd549edbdf0acc6f00e5ceaa54c086ef048593bfbb9a5793f52a7cc57d1c u.exe Execution Vector (TrendMicro AirSupport)
3476f0e0a4bd9f438761d9111bccff7a7d71afdc310f225bfebfb223e58731e6 d.exe Execution Vector (BitDefender Update Downloader)
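The IOC table above can be turned into a simple triage scan. The Python below is an added example, not code from the article, CSIRT or BleepingComputer: it walks a directory tree, hashes every file with SHA-256 and reports exact matches against the four published hashes, and it also flags any directory where one of the listed host executables (u.exe, d.exe) sits beside a DLL with one of the listed sideloaded names (log.dll, TmDbgLog.dll), which is the file layout DLL sideloading needs. Note the caveat a practitioner would want: a hash hit on u.exe or d.exe alone means only that the legitimate vendor binary is present, which is expected on hosts running those products; the malicious DLL hashes and the EXE-plus-DLL pairing are the signals that matter. The demo tree built by `build_demo_tree()` is constructed for illustration and contains empty placeholder files, so it triggers the pairing check but not the hash check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IOCs published by Chile's CSIRT for the GTD attack, copied from the table above:
# SHA256 -> (file name, description).
KNOWN_IOCS = {
    "58c20b0602b2e0e6822d415b5e8b53c348727d8e145b1c096a6e46812c0f0cbc": ("log.dll", "DLL Ransomware"),
    "5822b7c0b07385299ce72788fd058ccadc5ba926e6e9d73e297c1320feebe33f": ("TmDbgLog.dll", "DLL Ransomware"),
    "43a3fd549edbdf0acc6f00e5ceaa54c086ef048593bfbb9a5793f52a7cc57d1c": ("u.exe", "Execution Vector (TrendMicro AirSupport)"),
    "3476f0e0a4bd9f438761d9111bccff7a7d71afdc310f225bfebfb223e58731e6": ("d.exe", "Execution Vector (BitDefender Update Downloader)"),
}

# File names from the IOC table: legitimate executables abused as sideloading hosts,
# and the malicious DLL names they load. Compared case-insensitively (Windows file systems).
HOST_EXES = {"u.exe", "d.exe"}
SIDELOADED_DLLS = {"log.dll", "tmdbglog.dll"}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_hash(digest):
    """Return (file name, description) for a published IOC hash, or None."""
    return KNOWN_IOCS.get(digest.lower())


def scan_tree(root):
    """Walk root and return a list of findings.

    kind == "hash_match": a file whose SHA-256 equals a published IOC.
    kind == "sideload_pair": a directory holding a listed host EXE next to a listed DLL name.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        lowered = {name.lower() for name in filenames}
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file (permissions, vanished); skip rather than abort the scan
            hit = lookup_hash(digest)
            if hit is not None:
                findings.append({"kind": "hash_match", "path": str(path), "sha256": digest,
                                 "ioc_name": hit[0], "description": hit[1]})
        exes = lowered & HOST_EXES
        dlls = lowered & SIDELOADED_DLLS
        if exes and dlls:
            findings.append({"kind": "sideload_pair", "path": dirpath, "files": sorted(exes | dlls)})
    return findings


def build_demo_tree():
    """Constructed sample tree (not from the article): one directory with the suspicious
    EXE-plus-DLL layout using empty placeholder files, and one harmless text file."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    staged = root / "ProgramData" / "vendor"
    staged.mkdir(parents=True)
    (staged / "u.exe").write_bytes(b"")
    (staged / "log.dll").write_bytes(b"")
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"quarterly report draft")
    return str(root)


if __name__ == "__main__":
    for finding in scan_tree(build_demo_tree()):
        print(finding)
```

Run it against a real mount point by replacing `build_demo_tree()` with the path to scan; on a production host the hash check should be extended with whatever additional IOCs your vendor or CSIRT publishes, since the table above covers only the samples CSIRT chose to release.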

Chile's CSIRT recommends that all organizations connected to GTD's IaaS go through the following steps to confirm they were not breached in the attack:

  • Perform a complete scan of your infrastructure with antivirus.
  • Verify that there is no suspicious software on your systems.
  • Review existing accounts on your server and confirm that no new accounts have been created.
  • Analyze processing and hard drive capacity to ensure it is not altered.
  • Check if there is any type of alteration in the information or data leak of the company and its databases.
  • Check your network traffic.
  • Maintain an up-to-date record of your systems to ensure effective monitoring.
  • Restrict access via SSH to servers, only if strictly necessary.
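Two of the steps above, reviewing server accounts for newly created ones and keeping an up-to-date record of your systems, go together: the review is only reliable if a baseline exists to compare against. The Python below is an added example, not from the article or CSIRT, showing that comparison for Linux hosts using `/etc/passwd`. The two snapshots are constructed sample data, not from any GTD system. Beyond the plain "new account" check the article lists, it also reports accounts whose UID changed, accounts that went from a no-login shell to an interactive one, and any account other than root with UID 0, all of which are common ways a persistence account hides inside an otherwise unchanged user list.

```python
# Constructed sample snapshots (not from the article): a baseline recorded before the
# incident and the current /etc/passwd of the same server.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:deploy:/home/deploy:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
deploy:x:1001:1001:deploy:/home/deploy:/bin/bash
support:x:0:1002:support:/home/support:/bin/bash
"""

# Shells that deny interactive login; a change away from these is worth a look.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into {name: {uid, gid, home, shell}}; skips blank and malformed lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def diff_accounts(baseline_text, current_text):
    """Return a list of (finding, account) tuples describing drift from the baseline."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings = []
    # Step 3 from the checklist: accounts that did not exist at baseline time.
    for name in sorted(set(cur) - set(base)):
        findings.append(("new_account", name))
    for name in sorted(set(base) - set(cur)):
        findings.append(("removed_account", name))
    # Changes to accounts present in both snapshots.
    for name in sorted(set(base) & set(cur)):
        before, after = base[name], cur[name]
        if before["uid"] != after["uid"]:
            findings.append(("uid_changed", name))
        if before["shell"] in NOLOGIN_SHELLS and after["shell"] not in NOLOGIN_SHELLS:
            findings.append(("shell_enabled", name))
    # Any UID 0 account other than root is a second superuser, regardless of its name.
    for name, acct in sorted(cur.items()):
        if acct["uid"] == 0 and name != "root":
            findings.append(("extra_uid0", name))
    return findings


if __name__ == "__main__":
    # On a real host: read the stored baseline and the live file instead of the samples, e.g.
    #   baseline = open("/var/lib/baseline/passwd").read(); current = open("/etc/passwd").read()
    for finding, account in diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(f"{finding:16} {account}")
```

The baseline file should be stored off the host (or at least outside the attacker's likely write set) and refreshed as part of normal change management, otherwise a compromised machine can simply present a matching "baseline". The same comparison applies to `/etc/shadow` ages, `sudoers`, and authorized SSH keys, which ties in with the checklist's last point on restricting SSH access.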

Earlier this year, the Chilean military suffered a Rhysida ransomware attack, where BleepingComputer was told that the threat actors released 360,000 documents stolen from the government.

BleepingComputer reached out to Grupo GTD with further questions about the attack this morning but did not receive a response.