Play Ransomware Lists A10 Networks on Its Leak Site
Group Says It Has Confidential Data, Tech Docs; A10 Says Operations Not Affected
The Play ransomware group listed networking firm A10 Networks on its leak site after briefly gaining access to the company's IT infrastructure, according to data breach notifications firm BetterCyber.
BetterCyber says that the leak site claims the group has "private and personal confidential data, a lot of technical documentation, agreements, employee and client documents."
The San Jose, California-based networking hardware manufacturer earlier said it had identified a cybersecurity incident in its corporate IT infrastructure on Jan. 23, and said the attack was not related to any of the products or solutions used by its customers.
"Upon detecting the incident, the company launched an investigation and engaged the services of cybersecurity experts and advisors, incident response professionals and external counsel to support the investigation," the company said in a filing with the Securities and Exchange Commission.
A10 Networks specializes in the manufacture of application delivery controllers and provides secure, scalable application solutions for on-premises, cloud and edge-cloud environments. It also offers firewall and DDoS threat intelligence and mitigation services.
A10 Networks serves customers in 117 countries worldwide - including Yahoo, Alibaba, Deutsche Telekom, Softbank, GE Healthcare, Twitter, LinkedIn, Samsung, Uber, Sony Pictures, Windows Azure, Xbox and others.
A spokesperson for A10 Networks was not immediately available to provide additional details. The company has yet to provide details on the impact, the initial attack vector and whether there is any ransom demand.
The company in the SEC filing says it contained the attack in its network with the help of outside experts and notified the appropriate law enforcement authorities of the incident.
"The company has comprehensive security protocols in place, which helped address this incident in an expedited manner, and is reviewing additional steps to further strengthen its security posture," says Brian Becker, chief financial officer at A10 Networks. "The company currently does not expect this incident to have a material impact on its operations."
Play ransomware, also known as PlayCrypt, is a fairly new ransomware group that came to light in June 2022. It gained massive attention for attacking Argentina's Judiciary of Córdoba and the German hotel chain H-Hotels. Play mainly focuses on organizations in the Latin American region, especially Brazil.
The recent ransomware attack targeting hosting giant Rackspace was conducted by the Play group, which used a new exploitation method in that attack.
On Dec. 20, 2022, CrowdStrike released a blog post detailing findings from multiple intrusions that it tied to the Play ransomware group (see: Rackspace Finds Ransomware Group Accessed 27 Customers' Data).
While that blog post does not name Rackspace as one of the victims, Rackspace later confirmed that CrowdStrike's findings apply to it as well.
CrowdStrike's blog post reports that Play didn't use ProxyNotShell against Rackspace and others. Instead, it first targeted a different Exchange vulnerability, CVE-2022-41080, also patched by Microsoft in November.
After that, attackers were able to trigger the second of the two vulnerabilities that make up ProxyNotShell, CVE-2022-41082, even if Exchange users had applied the mitigation advice Microsoft provided in November. Attackers then remotely executed code on Exchange servers.