Major US IT provider Ingram Micro has said it has restored its systems following the cyber attack it suffered over the weekend.
In its latest statement on its website, the company said it has restored operations globally as its investigation continues.
“Ingram Micro is pleased to report that we are now operational across all countries and regions where we transact business,” the company said.
“Our teams continue to perform at a swift pace to serve and support our customers and vendor partners. We are grateful for the support we’ve received from our customers and industry colleagues. This is an industry based on strong and committed relationships that make all the difference.”
The day before, the company also wrote that it believes the unauthorised access by the threat actor is completely contained.
“Based on [implemented security] measures and the assistance of third-party cyber security experts, we believe the unauthorised access to our systems in connection with the incident is contained and the affected systems remediated. Our investigation into the scope of the incident and affected data is ongoing,” the company said.
While Ingram Micro has not revealed the threat actor behind the incident, cyber publication BleepingComputer reported that employee devices had been injected with the ransom note of what claims to be the SafePay ransomware group.
“Greetings! Your corporate network was attacked by SafePay team,” the note said.
“Your IT specialists made a number of mistakes in setting up the security of your corporate network, so we were able to spend quite a long period of time in it and compromise you.”
The letter adds that a network misconfiguration allowed the group to gain access to the Ingram Micro network and that “all files of importance” have been encrypted, while the ones of most interest to the threat actors were exfiltrated.
“We have in possession on [sic] your files, such as financial statements, intellectual property, accounting records, lawsuits and complaints, personnel and customer files, as well as files containing information on bank details, transactions and other internal documentation,” the letter said.
The threat actor also said Ingram Micro has seven days to pay the ransom to ensure data is deleted from the threat actor’s servers and decrypted on Ingram Micro’s.
SafePay’s ransom note appears to be word for word the same as previous claims, besides the number of days until ransom payment is due, suggesting that the data the group claims in the note to have stolen may not accurately reflect what was actually stolen.
Following the discovery of the breach, Ingram Micro reportedly told employees to work from home and not to use Ingram Micro’s GlobalProtect VPN.
Palo Alto Networks told BleepingComputer that threat actors likely used the VPN gateway to gain access.
“At Palo Alto Networks, the security of our customers is our top priority. We are aware of a cyber security incident impacting Ingram Micro and reports that mention Palo Alto Networks’ GlobalProtect VPN,” Palo Alto Networks told BleepingComputer.
“We are currently investigating these claims. Threat actors routinely attempt to exploit stolen credentials or network misconfigurations to gain access through VPN gateways.”