New details about Transnet cyberattack

Transnet has been the victim of a ransomware attack, eNCA journalist Sli Masikane has reported.

The report stated that Transnet employees received notices to disconnect all their devices from the state-owned logistics company's network and not to access their emails on their phones.
 
Security patches won't save them now, only a recent clean backup. Negotiating with these people or paying them doesn't guarantee anything, they probably don't know how to unencrypt the stuff or if those files were even encrypted in the first place.
 
A recent backup? Sure...but this doesn't consider whether or not the attackers have been inside the network for weeks or months already planning this. In which case backups mean nothing unless they're immutable. They could all be corrupt. An expert would know that.
Patches are one thing. Not securing passwords, network ports, and upgrading firmware on network devices are another and also need to be considered.
 
lol at the virgin active breach mentioned towards the end
 
A recent backup? Sure...but this doesn't consider whether or not the attackers have been inside the network for weeks or months already planning this. In which case backups mean nothing unless they're immutable. They could all be corrupt. An expert would know that.
Patches are one thing. Not securing passwords, network ports, and upgrading firmware on network devices are another and also need to be considered.

The strong emphasis on emails in the article seems to imply it wasn't a direct active hack with hackers sniffing around at leisure, more likely a ransomware malware in the email attachment that was carelessly opened and the payload propagating through the network from the infected computer. "Hacked" is just the buzzword being thrown around to encompass everything from virus/malware, to social engineering, and actual active cracking attempts at breaching security.
 
Security patches won't save them now, only a recent clean backup. Negotiating with these people or paying them doesn't guarantee anything, they probably don't know how to unencrypt the stuff or if those files were even encrypted in the first place.
It depends on who did it, but the groups I have interacted with run it like a business. I was part of an incident response where the company did pay and they got the decryption keys to get their data back. The "hackers" aka criminals removed their backdoors and deleted the company data that they obtained.

The negotiations were so smooth; basically the criminals told them it is business for them and if they paid they would get all their data back. The company paid 50% upfront and the group gave them the key, and the other 50% was in escrow until they got confirmation that their data was deleted.
 

New Ransomware Variant Uses Golang Packer

June 28, 2021

Looks familiar:
 
It depends on who did it, but the groups I have interacted with run it like a business. I was part of an incident response where the company did pay and they got the decryption keys to get their data back. The "hackers" aka criminals removed their backdoors and deleted the company data that they obtained.

The negotiations were so smooth; basically the criminals told them it is business for them and if they paid they would get all their data back. The company paid 50% upfront and the group gave them the key, and the other 50% was in escrow until they got confirmation that their data was deleted.
All the cases I've dealt with are less than civil, but can you seriously trust that they have removed all their "warez"?
 
All the cases I've dealt with are less than civil, but can you seriously trust that they have removed all their "warez"?
We didn't trust them but they did give us the signatures of the backdoor and gave the organisation a whole report about how they gained access to the network (LOL). We monitored the network closely for a few weeks to see if there was any abnormal traffic.
 
All the cases I've dealt with are less than civil, but can you seriously trust that they have removed all their "warez"?

For the big operations that have professional intermediary negotiators it's all about absolute trust.
If they screwed one deal over, the group would lose their bargaining power.

That said some of them even patch vulnerabilities after getting in so no other groups can exploit it and steal their payday
 
This led to speculation regarding whether Transnet was hit with a regular ransomware attack or whether the attack is related to the recent public violence in South Africa.
What sparked that speculation?
 
Fun fact, Transnet manages the lighthouses still in use. I asked why lighthouses were still in use and it is mostly for the other African countries that do not have modern technology. Never thought it would be much of an issue to get a GPS on a boat.
 
More supply chain sabotage isn't that far outside the realm of possibility when DCs and cell towers are burnt down
If the ransomware that took down Transnet was part of the Zuma cabal's reign of terror, the cabal would have had to commission the attack via the Dark Web, unless there is some speculation that the Zuma cabal includes script kiddies, maybe Zuma's Evil Twins (I'm not referring to his m00bs).
 