The IT Nerd

According to a CloudNordic notice to customers, criminals have encrypted all servers and customer data and the company says it can’t and will not pay the ransom demand. 

CloudNordic has advised its customers to prepare for the possibility of complete data loss due to a recent ransomware attack. The attack, which occurred on Friday August 18, severely impacted CloudNordic’s operations, leading to a shutdown of their servers and data loss for both the company and its clients. 

During the attack, malicious actors targeted CloudNordic’s systems, resulting in the deletion of company data and customer websites and email systems. Since then, CloudNordic’s IT team, along with third-party responders, has been working to recover customer data, but the chances of success are diminishing. 

In a statement, CloudNordic explained, “Unfortunately, it has proven difficult to recover most of the data, and many of our customers have likely lost their data with us unless they have been contacted individually.” 

CloudNordic suspects that the attack occurred during a server migration from one data center to another. Some servers were infected before the move, and during the transfer, servers from different networks were connected to CloudNordic’s internal network. This allowed the attackers to access administrative systems, storage, replication backup systems, and secondary backups, which were then encrypted for ransom. 

As of now, CloudNordic is working on restoring customer web and email servers, but data recovery remains a challenge, and DNS services are still unavailable.

Steve Hahn, Executive VP, BullWall had this comment:   

“Migrations are when companies are at their most vulnerable. Whether it’s the Dallas Police a few years back, who lost terabytes of data during a migration, throwing cases and convictions into to chaos, or latent cyber attacks that are triggered during the migration, companies need a containment, backup and security plan in place long before the migration occurs. During one of these large scale migrations we often see ports opened, applications white listed, security services may be suspended and people are generally more at risk to social engineering strategies,    

“The attack vectors multiply by the100’s during these migrations and our data is at its most vulnerable state. Often companies put security projects on hold to “focus” on these migrations, when precisely the opposite should occur. The migration should be put on hold until the security controls are firmly in place and tested.”  

Willy Leichter, PV of Marketing, Cyware follows with this:    

“While it is good to see Viking toughness in refusing to pay a ransom, it’s easier to take this stance when you have no other options. This is a tragic example of how vulnerable many smaller service providers can be, and customers need to always beware – don’t depend on one service provider with your valuable data – if they get wiped out, so does your data.”

Backup, Backup, Backup! It doesn’t matter if your data is local or in the cloud. You need a backup because if you get pwned locally or in the cloud, you will need that backup.

Yesterday, as spotted by VX-Underground, the scraped data of 2.6 million users of DuoLingo, one of the largest language learning sites in the world, was re-leaked on a hacking forum and offered for just $2.23.

This past January, Duolingo had the scraped data of the 2.6 million users on a now-shutdown hacking forum for $1,500. The data included login names and full names only, which DuoLingo confirmed was data from public profiles. DuoLingo claimed they were investigating whether further precautions should be taken, but they did not address the fact that email addresses, not publicly available, were also in the dataset. 

The latest data set was scraped using an exposed API that is currently open and has been since at least March 2023, and allows anyone to submit a username and retrieve the user’s public profile information. Meanwhile, one can also feed an email address into the API and confirm if it is associated with a valid DuoLingo account.

George McGregor, VP, Approov had this to say:   

“This unfortunately makes Duolingo look extremely negligent for a number of reasons     

“Lets list out some of the issues: 

• The API returning public profile data based on a username without any other checks 
• Automated scraping was possible because scripts can be run against the API: in other words  no backend check that requests are coming from a genuine app
• The issue had actually been previously identified but not addressed

    “A good mobile security solution can be used to address these issues and restrict API access to properly validated app instances.” 

The fact that this has happened before to DuoLingo before is bad, and makes it an app to avoid. Too bad that you don’t know how good the security of other apps is before you use them. Thus all app makers have to step up on this front.