IOTW: HTC confirms cyber attack as BlackCat ransomware gang teases stolen data

HTC Global Services admits suffering a cyber security incident

Michael Hill
12/08/2023


HTC Global Services has confirmed it suffered a cyber attack after the BlackCat ransomware group (also known as ALPHV) recently leaked photos of what it claimed to be data stolen from the IT services and business consulting company. The purported data includes passports, contact lists, emails and confidential documents. In a short statement posted on X (formerly Twitter), HTC said it has encountered a “cyber security incident” which it is investigating.

While little is currently known about the nature and extent of the incident, cyber security researcher Kevin Beaumont suggested that HTC was breached through the Citrix Bleed vulnerability.

HTC investigating incident to ensure “security and integrity” of user data

“HTC has experienced a cyber security incident. Our team has been actively investigating and addressing the situation to ensure the security and integrity of user data,” the firm’s statement read. “We’ve enlisted cyber security experts and are working to resolve it. Your trust is our priority.”

Commenting on the incident, Kennet Harpsøe, senior cyber analyst at cyber security company LogPoint, said that it appears that HTC is being actively extorted by the BlackCat/ALPHV group. “It’s unclear if BlackCat has hit HTC with ransomware and is thus engaging in double extortion, or if they have simply skipped the ransomware and gone straight to extortion with leaked data, a strategy we have seen others employ lately.”

The probable initial attack vector – the Citrix Bleed vulnerability – was published in mid-October but had been actively exploited since at least August of this year, making it a zero-day vulnerability, Harpsøe said. “This underscores the importance of patching published vulnerabilities but also that zero days are unavoidable, underscoring the need for defense in depth.”

BlackCat/ALPHV ransomware gang continues to amass victims

The BlackCat/ALPHV ransomware group – known for employing some of the most ruthless extortion tactics ever seen, including leaking clinical photos of breast cancer patients – has been prolific in its malicious activity recently. Last month, the gang reported one of its victims to the US Securities and Exchange Commission (SEC) for failing to comply with the SEC’s four-business-day cyber attack disclosure rule. The unprecedented move was an effort to exert more pressure on software company MeridianLink, from which BlackCat/ALPHV claimed to have stolen customer data and operational information.

In the same week, the group was observed attacking corporations and public entities in the Americas and Europe in a malvertising campaign. According to eSentire research, a Russian-speaking affiliate of the gang adopted new attack tactics to infect targets, using Google Ads to deliver Nitrogen malware. The group was also behind the $100 million MGM Resorts cyber attack in September.
