Chipmaker AMD said it was investigating a data breach allegation by the RansomHouse cyber extortion group, which claims to have exfiltrated 450 GB of data from the company earlier this year.
“AMD is aware of a bad actor claiming to be in possession of stolen data from AMD. An investigation is currently underway,” the company said.
The group also published a sample from the data it claims to have taken from AMD. According to a blog post by RestorePrivacy, the sample includes network files, system information and AMD passwords.
RansomHouse attributes the AMD data breach to “simple” passwords used by employees
RansomHouse disclosed that it breached AMD’s network on January 5, 2022. The cyber extortion group claims that simple passwords such as “123456,” “password,” and “Welcome1” used by AMD employees enabled the data breach.
The group mocked security promises in the era of high-end technology as “just beautiful words” when tech behemoths like AMD allegedly still use simple passwords to protect their network.
“It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on – all thanks to these passwords,” the cyber extortion group wrote.
If confirmed, the breach would point not only to a failure by AMD to build awareness of good password hygiene, but also to a failure to enforce strong password rules: conventional complexity requirements (length, mixed case, a digit) are exactly what a password like “Welcome1” is built to satisfy.
“AMD, and any high tech company, should require phishing-resistant MFA for all logons, or if MFA cannot be used, require strong and unique passwords,” Roger Grimes, data-driven defense evangelist at KnowBe4, said. “Any lesser practice without sufficient offsetting controls would be considered by most computer security experts as negligence.”
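The point about enforcement is worth making concrete. The following is an added example, not code from the article, AMD or KnowBe4: a password check that screens candidates against a deny list of common passwords after normalisation (case folding, stripping trailing digits and symbols, undoing common character substitutions), placed beside the naive complexity rule that “Welcome1” passes. The deny list, the 12-character minimum and the leetspeak mapping are assumptions chosen for the example; a real deployment would screen against a breached-password corpus of millions of entries.

```python
"""Added example: deny-list screening versus naive complexity rules.

Constructed deny list and inputs; not data from the article or from AMD.
"""
import re
import unicodedata

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment loads tens of millions of entries, not ten).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "welcome", "qwerty", "letmein",
    "admin", "iloveyou", "monkey", "dragon", "football",
})

MIN_LENGTH = 12  # policy choice for this example, not the article's

# Common substitutions: 0->o 1->i 3->e 4->a 5->s 7->t 8->b @->a $->s !->i
# (str.maketrans requires both strings to have equal length).
_LEET = str.maketrans("0134578@$!", "oieastbasi")


def naive_complexity_ok(pw: str) -> bool:
    """The rule 'Welcome1' satisfies: 8+ chars with upper, lower and a digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def _variants(pw: str) -> set[str]:
    """Forms an attacker's wordlist mangling rules would also try."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    # Drop leading/trailing runs of digits and symbols: 'welcome1' -> 'welcome'
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", base)
    out = {base, stripped, base.translate(_LEET), stripped.translate(_LEET)}
    out.discard("")
    return out


def evaluate(pw: str) -> list[str]:
    """Return the list of policy failures (empty list means accepted)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if _variants(pw) & COMMON_PASSWORDS:
        reasons.append("common_password")
    if len(set(pw.casefold())) < 4:  # e.g. 'aaaaaaaaaaaa'
        reasons.append("low_variety")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome1", "Welcome12345", "P@ssw0rd2023!", "123456",
                      "ravine-copper-lantern-73"):
        print(f"{candidate!r}: complexity_ok={naive_complexity_ok(candidate)} "
              f"policy_failures={evaluate(candidate)}")
```

The contrast the output shows is the one the article is making: “Welcome1” and “P@ssw0rd2023!” pass the complexity rule and fail the deny list, while a long passphrase with no capital letter fails the complexity rule and passes the policy.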
RansomHouse also denied that the leak was connected to the earlier incident this year in which AMD intellectual property was exposed. That breach was attributed to the RansomEXX group, which published 112 GB of stolen data after AMD refused to pay the ransom; the leaked material included information about AMD’s Zen 4 processors.
“We haven’t yet seen evidence of the attack on AMD, but RansomHouse’s recent attack on the Shoprite Group in South Africa would indicate that they are focused on large organizations with weak security,” Darren Williams, CEO and Founder at BlackFog, said.
AMD has not disclosed whether it had received any ransomware demands and has not responded to further information requests.
RansomHouse cyber extortion gang denies being a ransomware group
The group, which denies being a ransomware gang, targets poorly defended companies. It describes itself as a community of professional mediators that does not produce or use ransomware and that aims to reduce the damage incurred by data breach victims.
According to Malwarebytes Labs, RansomHouse is a “grey hat” group made up of “white hats” frustrated by the state of security in major organizations.
“Despite its name, the RansomHouse group doesn’t quite fit under the label of a ransomware group in the traditional sense,” said Satnam Narang, Sr. Staff Research Engineer at Tenable.
“While the group does demand a ransom as part of their operations, it would appear that they don’t distribute malicious software into victim organizations. They are considered to be a pure-play extortion group, which we’ve begun to see a renaissance of in recent months.”
However, Narang warns that the group could be attempting to shield itself from law enforcement action by publicly denouncing ransomware.
The group says the real culprits are not those who execute the breach but those who fail to enforce security, thus “inviting everyone in.”
To that end, RansomHouse maintains a list of companies that, it alleges, prioritize financial gain over the interests of the people who entrust them with their data, or that attempt to cover up data breaches.
Given that philosophy, RansomHouse members may well be prepared to cross to the dark side to expose companies that fail to implement proper protections.
Since its emergence in 2021, the cyber extortion group has listed six victims, including Canada’s Saskatchewan Liquor and Gaming Authority (SLGA) and Africa’s largest retailer Shoprite.
“This incident highlights a ransomware gang trend of stealing data that has grown to become as common as encrypting files,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said.
“In some ways, mass scale data theft is even more damaging than encrypting local files as once the data has been copied off the victim’s network, there is no way for the victim to verify that the stolen data will actually be deleted and not resold or publicly leaked even if the cybercriminals’ extortion demands are met.”
According to Clements, data exfiltration incidents could expose trade secrets, source code, designs, and other intellectual property even when the victims avoid downtime.
“It’s critical that organizations implement capabilities for identifying mass-scale data exfiltration during the early stages with tools like file access audit logging with threshold triggers for alerting to outlier access events as well as traffic monitoring for unusually high data transfers that can indicate an exfiltration attack is occurring.”
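The two tripwires Clements describes, file-access audit logging with threshold alerts on outlier access and monitoring for unusually large transfers, can be prototyped in a few dozen lines. The following is an added example, not code from the article or from Cerberus Sentinel: it runs over a constructed CSV audit log (not real AMD data), groups events per user into 10-minute windows, and alerts when a window exceeds an absolute floor and is at least five times that user’s own median from earlier windows. The log format, the column names, the window size and the thresholds are all assumptions chosen for the example.

```python
"""Added example: mass-exfiltration detection over file-access audit records.

Two checks per user and 10-minute window, distinct files touched and bytes
read, each alerting only above an absolute floor AND a multiple of that
user's own median from earlier windows. Sample log is constructed, not real.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> str:
    """Constructed CSV audit log (assumed format ts,user,path,bytes): two users
    with six quiet 10-minute windows, then one window in which 'bob' reads
    60 archive files totalling ~6 GB."""
    rows = ["ts,user,path,bytes"]
    base = datetime(2022, 1, 5, 8, 0, tzinfo=timezone.utc)
    for w in range(6):  # windows 08:00 .. 08:50, routine activity
        for user, n in (("alice", 3), ("bob", 4)):
            for i in range(n):
                ts = base + timedelta(minutes=10 * w + i)
                rows.append(f"{ts.strftime(TS_FMT)},{user},/shares/eng/{user}-{w}-{i}.docx,800000")
    burst = base + timedelta(hours=1)  # the 09:00 window
    for i in range(60):
        ts = burst + timedelta(seconds=5 * i)
        rows.append(f"{ts.strftime(TS_FMT)},bob,/shares/eng/archive/design-{i:03d}.zip,100000000")
    return "\n".join(rows) + "\n"


def parse_log(text: str) -> list[dict]:
    """Parse CSV audit lines into events with tz-aware timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["ts"], TS_FMT).replace(tzinfo=timezone.utc),
            "user": row["user"],
            "path": row["path"],
            "bytes": int(row["bytes"]),
        })
    return events


def is_outlier(value: int, history: list[int], floor: int, ratio: float) -> bool:
    """Below the floor never alerts. With a baseline, also require value to be
    ratio x the user's median so a habitually busy user does not page hourly."""
    if value < floor:
        return False
    if not history:
        return True
    return value >= ratio * median(history)


def detect_exfil(events, window_s=600, file_floor=25,
                 bytes_floor=1_000_000_000, ratio=5.0) -> list[dict]:
    # Aggregate per (user, window start): distinct paths and total bytes.
    buckets = defaultdict(lambda: {"files": set(), "bytes": 0})
    for e in events:
        start = int(e["ts"].timestamp() // window_s) * window_s
        slot = buckets[(e["user"], start)]
        slot["files"].add(e["path"])
        slot["bytes"] += e["bytes"]

    per_user = defaultdict(list)  # user -> [(start, distinct_files, bytes)] in time order
    for (user, start), slot in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        per_user[user].append((start, len(slot["files"]), slot["bytes"]))

    alerts = []
    for user, windows in per_user.items():
        for idx, (start, nfiles, nbytes) in enumerate(windows):
            prior = windows[:idx]  # baseline is only this user's earlier windows
            reasons = []
            if is_outlier(nfiles, [w[1] for w in prior], file_floor, ratio):
                reasons.append("distinct_files")
            if is_outlier(nbytes, [w[2] for w in prior], bytes_floor, ratio):
                reasons.append("bytes_read")
            if reasons:
                alerts.append({
                    "user": user,
                    "window_start": datetime.fromtimestamp(start, tz=timezone.utc).strftime(TS_FMT),
                    "distinct_files": nfiles,
                    "bytes": nbytes,
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(parse_log(build_sample_log())):
        print(alert)
```

The baseline is deliberately per user rather than global: a build server or a backup account will legitimately read thousands of files an hour, and a single fleet-wide threshold either drowns in those or is set so high that a 6 GB pull by an ordinary engineer slips under it. The same window-and-baseline logic applies unchanged to egress bytes per host from firewall or proxy logs, which is the traffic-monitoring half of Clements’ recommendation.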