
CompuCom MSP hit by DarkSide ransomware cyberattack



Update 3/4/21: This article was originally published on 3/3/21 and has been updated with new information.

US managed service provider CompuCom has suffered a DarkSide ransomware attack, leading to service outages and to customers disconnecting from the MSP's network to prevent the spread of the malware.

CompuCom is an IT managed services provider (MSP) that provides remote support, hardware and software repair, and other technology services to companies. CompuCom is a wholly-owned subsidiary of The ODP Corporation (Office Depot/Office Max) and employs approximately 8,000 people.

Some of the past and present customers of CompuCom include well-known names, such as Home Depot, Target, Citibank, Wells Fargo, Truist Bank, and Lowe's.

If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

The attack occurred over the weekend

Over the weekend, CompuCom suffered an outage that prevented customers from accessing the company's customer portal to open troubleshooting tickets.

When visiting the portal, the website greeted customers with a generic error message stating, "An error occurred while processing your request."

Error message on CompuCom customer portal

BleepingComputer was told that CompuCom began contacting customers soon after the attack to alert them that it had been compromised by malware. However, customers were not told what type of attack had occurred or whether it was ransomware.

In later conversations with affected customers, BleepingComputer learned that CompuCom had cut its connections to some customers to prevent the malware from spreading. Another customer told us that they had detached from CompuCom's VDIs (Virtual Desktop Infrastructure) to ensure their data was not affected by the attack.

Several people also told BleepingComputer that this was a ransomware attack, but we could not independently confirm whether this was true.

After BleepingComputer reached out to CompuCom about the attack, the company issued a statement saying that it had suffered a 'malware incident' and that there was no evidence of it spreading to customers' systems.

You can read the full CompuCom statement below:

"Certain CompuCom information technology systems have been affected by a malware incident which is affecting some of the services that we provide to certain customers. Our investigation is in its early stages and remains ongoing. We have no indication at this time that our customers' systems were directly impacted by the incident.

As soon as we became aware of the situation, we immediately took steps to contain it, and engaged leading cybersecurity experts to begin an investigation. We are also communicating with customers to provide updates about the situation and the actions we are taking.

We are in the process of restoring customer services and internal operations as quickly and safely as possible. We regret the inconvenience caused by the interruption and appreciate the ongoing support of our customers." – CompuCom


CompuCom confirms DarkSide ransomware to customers

Today, a CompuCom customer shared a 'Customer FAQ Regarding Malware Incident' that provides more details about the attack than the company disclosed in its press statement.

According to the FAQ, CompuCom was breached by threat actors who installed Cobalt Strike beacons on multiple systems in its environment.

A Cobalt Strike beacon is a post-exploitation implant that gives the remote threat actors a persistent foothold on the network, from which they can steal data, move laterally to other machines, and ultimately deploy the ransomware. In CompuCom's case, the FAQ states that the attackers used the beacons to obtain administrative credentials and then deployed the ransomware with them on February 28th.

"Based on our expert's analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and obtained administrative credentials. These administrative credentials were then used to deploy the Darkside Ransomware," the CompuCom FAQ reads.
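The pattern the FAQ describes, one administrative account pushing a payload to many hosts, leaves a recognisable trace in Windows logs: a network logon (Security event 4624, logon type 3) followed within seconds by a new service installation (System event 7045) on host after host. The hunting script below is an added example written for this article, not code from CompuCom or its incident responders. The event records are constructed for illustration, the flattened field names (`ts`, `host`, `event_id`, `logon_type`, `user`, `service`) are an assumed SIEM normalisation, and the 60-second pairing window and three-host threshold are tuning assumptions, not values from the page.

```python
"""Hunt for PsExec-style fan-out: an account doing a network logon (4624 type 3)
and then installing a service (7045) on several distinct hosts in a short window.
All records here are CONSTRUCTED sample data; the field layout is an assumed
SIEM normalisation, not raw Windows event XML."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry from any incident).
SAMPLE_EVENTS = [
    # Benign: one admin installing a single agent on one server.
    {"ts": "2021-02-27T09:00:00", "host": "SRV-DB1", "event_id": 4624, "logon_type": 3, "user": "CORP\\jdoe-adm"},
    {"ts": "2021-02-27T09:00:05", "host": "SRV-DB1", "event_id": 7045, "user": "CORP\\jdoe-adm", "service": "BackupAgent"},
    # Suspicious: the same account fanning out across the fleet within minutes.
    {"ts": "2021-02-28T01:02:10", "host": "WS-001", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc-admin"},
    {"ts": "2021-02-28T01:02:12", "host": "WS-001", "event_id": 7045, "user": "CORP\\svc-admin", "service": "PSEXESVC"},
    {"ts": "2021-02-28T01:02:40", "host": "WS-002", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc-admin"},
    {"ts": "2021-02-28T01:02:41", "host": "WS-002", "event_id": 7045, "user": "CORP\\svc-admin", "service": "PSEXESVC"},
    {"ts": "2021-02-28T01:03:05", "host": "FS-01", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc-admin"},
    {"ts": "2021-02-28T01:03:07", "host": "FS-01", "event_id": 7045, "user": "CORP\\svc-admin", "service": "PSEXESVC"},
    {"ts": "2021-02-28T01:03:30", "host": "WS-003", "event_id": 4624, "logon_type": 3, "user": "CORP\\svc-admin"},
    {"ts": "2021-02-28T01:03:33", "host": "WS-003", "event_id": 7045, "user": "CORP\\svc-admin", "service": "PSEXESVC"},
    # Interactive logon (type 2) with no service install: not a remote push, ignored.
    {"ts": "2021-02-28T01:04:00", "host": "WS-004", "event_id": 4624, "logon_type": 2, "user": "CORP\\svc-admin"},
]

PAIR_WINDOW = timedelta(seconds=60)  # assumed: logon-to-service-install gap


def _parse(ts):
    return datetime.fromisoformat(ts)


def service_pushes(events):
    """Pair every 7045 with a preceding network logon by the same user on the
    same host within PAIR_WINDOW. Returns a list of (user, host, install_time)."""
    logons = defaultdict(list)  # (user, host) -> [logon timestamps]
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[(e["user"], e["host"])].append(_parse(e["ts"]))
    pushes = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        t = _parse(e["ts"])
        key = (e["user"], e["host"])
        if any(timedelta(0) <= t - lt <= PAIR_WINDOW for lt in logons[key]):
            pushes.append((e["user"], e["host"], t))
    return pushes


def find_fan_out(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {user: sorted hosts} for accounts whose remote service installs
    reach at least min_hosts distinct hosts inside any sliding `window`."""
    by_user = defaultdict(list)
    for user, host, t in service_pushes(events):
        by_user[user].append((t, host))
    hits = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for user, hosts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} pushed services to {len(hosts)} hosts: {', '.join(hosts)}")
```

The benign single-server install by `CORP\jdoe-adm` never reaches the host threshold, so only `CORP\svc-admin` is flagged. In a real deployment the thresholds need tuning against legitimate software-distribution accounts, which should be allow-listed by name rather than by raising `min_hosts` so high that a real push goes unnoticed.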

Cobalt Strike is a commercial penetration-testing framework whose beacon payload is widely abused by criminals as a post-exploitation backdoor. It is increasingly dropped by the malware delivered in phishing campaigns, including BazarLoader, TrickBot, ZLoader, and QBot.

Now that DarkSide ransomware has been confirmed to be behind the attack, it is likely that the threat actors exfiltrated unencrypted data before encrypting the devices, as DarkSide routinely does to pressure victims into paying.

If data was stolen and a ransom is not paid, we will likely see this data published on the group's ransomware data leak site in the next few weeks.

In the past, other companies hit by DarkSide include Discount Car and Truck Rentals, Brookfield Residential, and the Brazilian Eletrobras and Copel energy companies.

