Bits ‘n Pieces (Trozos y Piezas)

CL: Saville Row attacked by BlackCat Saville Row, a Chilean clothing store, was added to BlackCat’s leak site on April 21. Sample files provided by the threat actors included internal Saville Row documents such as invoices and purchase orders. DataBreaches found no notice of any incident on the store’s website or social networks. They did not respond to DataBreaches’ email on April 21 asking them to confirm or deny BlackCat’s claimed attack. In its post, BlackCat threatened them: In the very near future all personal data of SAVILLEROW customers will be exposed and very soon the sensitive and confidential data of customers will be sold on the black market for the purpose of money laundering and other criminal activities. SAVILLEROW has 72 hours to prevent the sale of its customers’ data. The threat has become almost standard messaging for BlackCat recently. Despite their attempts to pressure their victim, their deadline for Saville Row came and went. VE: Banco de Venezuela added by LockBit — DISPUTED Banco de Venezuela was added to LockBit’s leak site on April 19 with some alleged proof of claims that included identity cards and documents. No notice of any incident could be found on bancodevenezuela.com, but an announcement was posted on their Twitter account. In machine translation, it read: Do not echo or fall victim to Internet pirates! We inform you that our platform and electronic channels are completely normal and providing the usual service, with absolute integrity and security. Do not pay attention to network pirates who are part of criminal organizations that are dedicated to reputationally attacking institutions and companies. Your safety is our priority and commitment. Follow us on our official networks and stay duly informed.” The bank did not respond to email inquiries sent on April 19 and April 21, but their tweets forcefully denied any attack. We have found no update since those tweets. Inspection of LockBit’s proof of claims did not support their claim that the bank’s system was compromised. DataBreaches is therefore treating this claim as disputed for now. BR: Valid Certificadora Digital claimed by CrossLock group Valid Certifcadora is a Brazilian firm that issues digital certificates used by both businesses and public entities. CrossLock added the firm to its leak site on April 16. DataBreaches found no notice of any incident on the validcertificadora.com.br website, but there was an announcement on their Facebook page: “Ola! A Valid Certificadora informa que restabeleceu os serviços da unidade de Certificados Digitais. Pedimos desculpas pela instabilidade temporária dos nossos certificados digitais. Alguns serviços estão sendo recuperados gradativamente e estamos trabalhando para normalizar a situação o mais rápido possível. Agradecemos a sua compreensão.” Machine translation: “Hello, Valid Certificadora informs that it has restored the services of the Digital Certificates unit. We apologize for the temporary instability of our digital certificates. Some services are being recovered gradually and we are working to normalize the situation as soon as possible. We thank you for your understanding.” The announcement makes no mention of ransomware or any ransom demands. CrossLock claims, “We encrypted the entire network including their VMs and downloaded all their sensitive data.” According to the spokesperson, their attack had focused on just some types of files: “SSL certificates, Servers DBs, and DOcs, Images.” DataBreaches tried to contact Valid, but the emails bounced. The most recent email attempt of April 30 was returned with a 550 5.4.1 error: Recipient address rejected: Access denied. DataBreaches was able to make contact with CrossLock, however. They told us they are not a new group and use chacha20 and ECC. When asked whether VALID had attempted to negotiate with them, CrossLock’s spokesperson replied that they had, but no agreement had been reached. CrossLock subsequently leaked 1.5GB of files with a note: “For those who are interested in buying legit valid certificates, we are selling valid certificates that can be used to sign your malwares or anything. contact us on tox” Crosslock also told DataBreaches that they informed VALID of the potential sale of certificates in a message that said: “I’d like to metion that we already have some offers for the certificates from some gangs that want to sign their malware tools with real and valid certificates, the offers are kinda nice. However, we will not sell the certificates unless Valid company didn’t pay.” (sic) VE: Seguros la Occidental attack claimed by BlackCat Seguros la Occidental is a Venezuelan insurer that offers general and life insurance products. The firm was added to BlackCat’s leak site on April 21 with samples containing 27 screenshots of images of various insurance company documents that included ID cards. DataBreaches found no notice of any incident on the insurer’s website or their social networks. Nor did they respond to DataBreaches’ email inquiries of April 21 and April 25. GT: Cementos Progreso attack claimed by BlackCat On April 20, DataBreaches reported that BlackByte had claimed an attack on Cementos Bio-Bio S.A, a Chilean cement company. This week, we found that another cement company, Cementos Progreso, a Guatemalan firm with a presence in 7 Latin American countries, had been added to BlackCat’s leak site on April 21. As proof, they offered some samples with internal documents. DataBreaches found no notice of any incident on Cemento Progreso’s website or social networks. Cementos Progreso did not respond to emailed inquiries from DataBreaches on April 21 and April 24, but then, on April 27, the listing disappeared from BlackCat’s leak site. Edited by Dissent