Acer Taiwan and India Hit in 2nd and 3rd Attacks of 2021PC and Device Maker Appears to Have Been Targeted by DESORDEN
After being targeted by a ransomware attack in March 2021, Acer, one of the world's largest PC and device makers, has now suffered two further cyberattacks within a week.
On Monday, Acer confirmed to Information Security Media Group that it had detected an isolated attack on its local after-sales service system in India on Oct. 14, which involved user data, and it said it is notifying all potentially affected customers.
In addition, the company says that Acer Taiwan also suffered an attack, however, the company reports that the attack on its Taiwan systems does not involve any customer data.
DESORDEN threat actors are reported to have claimed responsibility for the attack according to Databreaches.net.
"To prove our point that Acer is way behind in its cybersecurity effects on protecting its data and is a global network of vulnerable servers, we have hacked and breached Acer Taiwan server, storing data on its employee and product information," the hackers told the news website, as it reported on Saturday.
Earlier in March, the REvil ransomware gang posted what it claims is Acer company data to its darknet "news" site. It demanded $50 million from the Taiwanese firm. Reportedly, the attack may have taken advantage of the ProxyLogon flaw in an unpatched on-premises Microsoft Exchange server.
Acer is one of the world's largest manufacturers of PCs, smartphones, devices and other hardware, including desktop monitors. In the fourth quarter of 2020, it ranked fifth in worldwide PC shipments, with more than 6.5 million desktops and laptops shipped during the quarter, according to a January analysis published by IDC.
On Oct. 14 the threat actors posted a note in a popular hacking forum claiming that it had exfiltrated 60 GB of files and databases from Acer's India-based servers. Acer says that this includes its customer, corporate, accounts and financial data.
"Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data," Acer spokesperson Steven Chung tells ISMG.
Chung further states that the company has reported the incident to local law enforcement and relevant authorities, and that it has no material impact to its operations and business continuity.
The published note in the hacking forum also claims to have access to more than 3,000 login detail sets of Acer’s retailers and distributors in India.
However, DESORDEN clarified to Databreaches.net that it did not make a demand for separate payment for the Taiwan breach and has informed Acer to close the vulnerability. However, it is still unclear if the threat actor is demanding a ransom for the India attack.
According to Databreaches.net, the threat actors in a follow-up communication described themselves as former associates of Chaos. However, the group claimed that it is DESORDEN Group, which stands for chaos and disorder.
"You might previously know us as ChaosCC but today we no longer have associations with ChaosCC," the threat actors told Databreaches.net notes. The group mainly targets supply chain networks and public services; its news website claims that if the victims fails to pay, the threat actors sell the stolen data on the black market.
Jake Williams, formerly of the National Security Agency's elite hacking team and currently CTO at BreachQuest, notes that the full details of any of the attacks on Acer's IT systems - previous or current - are not known yet. However, when there are multiple attacks on a given organization there are typically systemic security issues with the organization.
"Most incident response events trigger significant investment in security by the organization to prevent repeat occurrences. It's easy to infer in this case that investment in security didn't occur as desired," Williams says. "In the Acer case, we should also consider that they are a manufacturer and have significant OT assets. These tend to have a much longer replacement lifecycle and often run-on unsupported hardware and software, creating additional opportunities for attack. While IT is difficult to secure in any case, OT is doubly so. Their multinational footprint is also makes securing the entire network more difficult."
Acer was hit by the ransomware gang REvil, aka Sobinokibi, in March which demanded $50 million from the Taiwanese firm, according to Bleeping Computer, which first reported the attack and has since published a copy of the ransom note (see: Acer Reportedly Targeted by Ransomware Gang).
ISMG had accessed several screenshots from the REvil darknet site that show customer data, payment application forms and other information that the gang claimed it stole from Acer during an attack.
REvil is known for using a double extortion method that targets victims. Not only does the group use crypto-locking malware to encrypt data and files at a victimized organization, but the cybercrooks then steal and threaten to publish that information if demands are not met.
DESORDEN has also warned Acer that it will leak more data online soon.