Taiwanese global electronics giant Acer suffered a cyber attack on its Taiwan servers by the same hacking group responsible for hacking Acer’s Indian servers a few weeks ago.
The incident came to light after a threat actor advertised 60GB of data stolen from Acer on an underground hacking forum.
Later, the company confirmed the cyber attack, claiming that it had “detected an isolated attack” that did not involve customer data.
Acer confirms a subsequent cyber attack but downplays the effects
Acer released a statement on its website acknowledging “an isolated attack on our local after-sales service system in India and a further attack in Taiwan.”
“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data,” Acer spokesman Steven Chung said.
The company also took the vulnerable servers offline and informed local law enforcement and the relevant authorities, according to the statement.
However, Acer clarified that the cyber attack had no material impact on its operations or business continuity.
“Sometimes security breaches are freak one-off occurrences that happen despite serious and concerted efforts around information security, but more often than not are merely symptoms of deep systemic organizational issues around security protection, monitoring, and response,” said Chris Clements, VP of Solutions Architecture, Cerberus Sentinel.
Desorden hacking group says Acer’s servers in Asia are vulnerable
The Desorden group took responsibility for both cyber attacks on the electronics giant.
Additionally, Desorden hackers claimed that Acer’s servers in Malaysia and Indonesia were vulnerable because the company had neglected cybersecurity. They also disclosed that they no longer had access to Acer’s servers in India.
Acer had initially suffered a REvil ransomware attack in March, in which the hackers demanded $50 million in ransom. Acer made a counteroffer of $10 million, but the ransomware group rejected the proposal. It remains unclear whether Acer eventually paid the ransom.
In 2012, the Taiwanese tech giant suffered another cyber attack by a Turkish cybercrime group that stole 20,000 user credentials.
However, the Desorden group said it only intended to make a statement about Acer’s alleged poor cybersecurity posture with the second data breach. Consequently, it did not demand an additional ransom payment for the mid-October 2021 cyber attack.
“Enterprises affected by frequent cyberattacks not only have compromised and exposed data to consider, but also the overarching success of their businesses. When critical servers and IT infrastructures are repeatedly forced offline, day-to-day operations are significantly impacted: The average cost of IT downtime is $5,600 per minute,” noted Nick Tausek, Security Solutions Architect at Swimlane.
The hacking group claims that it only stole employee data in the Taiwan data breach. It also shared a sample of Acer employees’ login credentials and screenshots of Acer’s Taiwan internal portal.
Previously, Desorden claimed to have exfiltrated about 60GB of customer information, login credentials for retailers and distributors, and corporate and financial documents in the India data breach. The group later auctioned the data on an underground hacking forum.
Hacking group’s modus operandi
The Desorden hacking group was also responsible for the ABX Express cyber attack in Malaysia that leaked 200 GB of data.
The group extorts victims by threatening to sell their data on underground hacking forums if they refuse to cooperate. Its name translates to “chaos and disorder,” reflecting the hacking group’s philosophy of creating disorder by disrupting commercial operations.
Desorden does not currently deploy ransomware when executing cyber attacks, but the group says it plans to carry out massive supply chain attacks that would live up to its name. Cybersecurity experts have not yet determined which tactics, techniques, and procedures (TTPs) the group used to compromise Acer.
“Any cyber attack at the time of the incident is only one piece of the puzzle. There is work to be done prior to an incident, and perhaps more importantly, work needs to be done in the aftermath of an attack,” added Javvad Malik, Security Awareness Advocate, KnowBe4.
“Once an organization is breached, a thorough investigation needs to be undertaken to determine the root cause of the attack, and identify any backdoors that the attackers may have left in. Not only is there a risk that the same criminals can break into the organization again, but a breach can act as a signal that attracts other attackers.