In a recent turn of events, Sony has experienced two data breaches in the past few months. Two different threat actors—RansomedVC and MajorNelson—claim responsibility for one breach, while the Clop ransomware gang is responsible for the other.
The RansomedVC and MajorNelson Breach
According to Ax Sharma of Bleeping Computer, during the last week of September 2023, RansomedVC claimed to have hacked Sony. RansomedVC, an extortion group, boldly declared their successful compromise of Sony’s systems, vowing to sell the data after Sony’s refusal to pay a ransom. According to Olivia Powell of Cyber Security Hub, the sample data RansomedVC released was a mere 2 MB, including a PowerPoint presentation, Java source code files, Eclipse IDE screenshots, and various assets. They asserted their acquisition of a substantial 260 GB of data, valuing it at $2.5 million.
In a surprising twist, another actor, MajorNelson, emerged on the scene, contesting RansomedVC’s claims and denouncing them as scammers. According to Vishwa Pandagle of The Cyber Express, MajorNelson went further by publicly releasing a 2.4 GB archive containing 3.14 GB of purportedly Sony’s data, challenging the legitimacy of RansomedVC’s assertions.
The leak allegedly includes a wealth of sensitive information, ranging from credentials for internal systems to critical assets like SonarQube, Creators Cloud, Sony’s certificates, a device emulator for license generation, Qasop security, and incident response policies. The conflicting claims from RansomedVC and MajorNelson have created a web of uncertainty around the true perpetrators and the extent of the data breach.
Sony has acknowledged the incident and is actively investigating the situation. They confirmed the compromise of a single server in Japan used for internal testing for the Entertainment, Technology, and Services business, taking it offline pending the outcome of the investigation. Importantly, Sony assured that there is no indication that customer or business partner data was stored on the affected server, and no adverse impact on Sony’s operations has been reported.
This incident also reflects a power struggle between RansomedVC and MajorNelson, each vying for recognition and influence within the criminal underground. Their conflicting claims and public challenges point to a competitive landscape among cybercriminals. It remains uncertain which group, if either, actually carried out the intrusion, which underscores how difficult attribution is when actors have an incentive to claim breaches they did not perform. Both groups are likely to face increased scrutiny from law enforcement agencies and security researchers, which may affect their future activities.
The Clop Gang Breach
In addition to the compromise of the server in Japan, Sony experienced a breach conducted by the Clop ransomware gang. The gang exploited CVE-2023-34362, a zero-day found in the MOVEit Transfer platform. According to Bill Toulas of Bleeping Computer, the Clop gang added Sony to its victim list in June 2023, and the breach impacted approximately 6,800 individuals and their family members in the U.S. Sony promptly took action upon discovery, immediately taking the platform offline, remediating the vulnerability, and initiating an investigation with the assistance of external cybersecurity experts. Law enforcement agencies were also notified.
This breach raises concerns for the affected individuals and their families. With personal information exposed, there is a potential risk of identity theft and other cyber-related crimes. Sony’s offer of credit monitoring and identity restoration services through Equifax is a positive step in mitigating these risks. Customers should actively take advantage of this service to safeguard their financial and personal information. It’s also advisable for them to monitor their accounts and be vigilant for any suspicious activity.
The Clop gang’s breach is a significant blow to Sony’s reputation and security posture, and a second security breach within four months is concerning. Sony will need to reevaluate its security infrastructure and processes to prevent future incidents. The company’s swift response in taking the affected system offline and involving external cybersecurity experts is commendable. However, it must now focus on reinforcing security measures across all aspects of its operations to restore trust and protect its systems from future attacks.
In the wake of this breach, Sony must not only fortify its security infrastructure but also invest in proactive threat intelligence and monitoring. Continuous training and awareness programs for employees are essential in preventing future incidents. Additionally, cooperation with law enforcement agencies and sharing threat intelligence within the cybersecurity community can help identify and neutralize threats more effectively. Sony may also explore partnerships with cybersecurity firms for ongoing monitoring and incident response capabilities.
For customers, vigilance in monitoring personal accounts and adopting strong security practices, such as two-factor authentication, remains crucial. They should also be cautious of phishing attempts and stay informed about cybersecurity best practices.
The cybersecurity landscape is constantly evolving, and as demonstrated by this incident, the threat actors are becoming more sophisticated. It’s imperative for organizations, including Sony, to remain adaptive and proactive in their approach to cybersecurity to stay ahead of potential threats.