New Incidents
Co: Universidad Piloto de Colombia Hit by ALPHV
This week, the Universidad Piloto de Colombia was added to the ALPHV (aka “BlackCat”) leak siteUniversidad Piloto de Colombia was added to the ALPHV (aka “BlackCat”) leak site this week. ALPHV claims to have 300 GB of files from students, faculty, and administration, and they provide samples as proof.
On October 21, the University’s Facebook page disclosed an attack. A translation reads:
“The Universidad Piloto de Colombia informs that a computer security incident has occurred, once the incident was detected, the established security protocol was activated, some technological services were disabled to protect the information of the institution and the university community.
The specialized team is working to maintain the University’s computer systems protected, secure and stable.
It is important to point out that there is no evidence of leakage or loss of information.”
There has been no update to the Facebook page about the incident since then or since ALPHV started leaking data.
DataBreaches sent an email to the university asking them to confirm or deny ALPHV’s claims but received no reply. DataBreaches also contacted ALPHV to ask whether the university had contacted them but received no response.
Ec: Comando Conjunto de las Fuerzas Armadas Del Ecuador Hit by ALPHV
The joint armed forces command of Ecuador (Comando Conjunto de las Fuerzas Armadas Del Ecuador) was also added to ALPHV’s leak site this week. Sample files include what appears to be personal data of military personnel in a very small sample. DataBreaches found some open source information confirming that one named individual had a military background.
The joint command has not posted any notice or disclosure about any incident, and their website is currently unreachable.
BlackByte talks about LATAM victims
This week, DataBreaches was able to have a brief conversation in ToxChat with BlackByte about two of their victims in Latin America. Some typographical errors in the chat below have been edited for clarity.
The first victim was the Universidad Nacional De Educacion de Peru, which was added this week to the group’s leaks page with a sample of files that included affidavits of employees. DataBreaches contacted the Universidad Nacional De Educacion by email. No reply was received and we can find no notice on their website or social media channels. When DataBreaches asked BlackByte whether they had any negotiations with the university, BBSupport answered, “No they didn’t write us . Seems like they don’t really care.” When asked how many GB of data BlackByte had acquired from the university, BBSupport said they could not share information about the university right now.
The municipality of Chihuahua in Mexico was also added to BlackByte’s leak site. On October 25, the municipality announced (machine translated):
“Our web portal and telecommunications system are out of service, we continue with the attention as usual in our offices and dependencies.
We thank you for your understanding.”
An update on the Chihuahua City Hall Facebook page on October 26 reported that the website and phone number were up and running. Their update does not mention any personal information being stolen, but BlackByte appears to have exfiltrated data with personal information. The proof of claims includes documents such as voting credentials, driver’s licenses, and vaccination documents.
There is no notice or press release on the municipality’s website about any attack or any mention of personal information compromised. A message sent to their Facebook chat asking for an update or confirmation of BlackByte’s claim received no immediate reply.
When asked about this attack, BBSupport replied, “They also didn’t contact us yet, but they still have few days in their timer.” In response to additional questions by DataBreaches, BBSupport indicated that they had about 100 GB of files from Chihuahua.
“Do you think they knew you were inside the system?,” DataBreaches asked. BBSupport replied:
“Both of them [the university and Chihuahua] already know about this incident. After we downloading the data we are starting to encrypt the systems. You have to be really blind to miss that.”
Updates on Previous Reports
Gt: Minex classifies all information as confidential
DataBreaches.net previously reported on the ransomware attack by the VSOP group on the Guatemalan Ministry of Foreign Affairs (Minex). At the time of our first report, we had not received any reply from the ministry to our questions because the ministry had requested an extension of response for 10 days. DataBreaches received their response on October 24, which boiled down to, “The Ministry is not yet in a position to respond to your request, by virtue of the fact that it is in the investigation phase.”
Minex subsequently announced that it decided to classify the information handled by the ministry as reserved with respect to the hacking that its computer system recently suffered. As reported by Emisora Unidas, through Resolution Number 2-2022, the government entity established that for a period of seven years, the content of the communications, files, files or documentation related to the intrusion incident may not be disseminated.
DataBreaches does not claim to understand what this accomplishes as the files have already been dumped publicly. Are they trying to intimidate news outlets from reporting? Perhaps. But what about non-Guatemalan entities?
Cr: Data from the Municipality of Belen Leaked
DataBreaches.net previously reported that the Municipality of Belen in Costa Rica was the victim of an attack by Karakurt. The most recent update by the municipality was posted on its Facebook page on October 25 (machine translation):
Two weeks after the cyber attack, we continue to carry out forensic analytics tasks and constantly monitor them in conjunction with the Ministry of Science and Technology (MICITT). The first analyses carried out internally of the four critical servers (municipal system, collections, web page and database) give us positive news so far of what has been analyzed, however, revisions continue.
The IT Unit makes every effort to quickly establish a date for the entry into operation of the collection and web page; We will keep you informed by this means in accordance with the protocol and guide to follow.
Yesterday, Karakurt dumped 39GB of files. The files included transaction documents with paid receipts, bills due, and images. Prior to this, we had not seen much personal data. Since Karakurt’s update, the municipality has not provided any update or response to the leak. Attempts to get more details from the municipality once again resulted in them only pointing us to the same updates we had already seen.
Apart from the issue of leaked information, looking at the municipality’s Facebook page reveals that upset users have been reporting problems in paying for municipal services.
Editing by Dissent