Blackshadow group breaches Israeli company Cyberserve
The Iranian hacking group Blackshadow succeeded in penetrating the infrastructure of the Israeli web hosting firm Cyberserve and proceeded to leak confidential client data on Telegram as proof of the breach. Blackshadow demanded a ransom of 1 million USD, stipulating a 48-hour time limit for payment. Cyberserve chose not to pay, and in response the group started leaking more documents to the public. The leak included 290,000 medical records from the Machon Mor medical institute, as reported by i24news.tv. It appears that the known affected Cyberserve clients are Israeli-based companies; Blackshadow has used ransomware against Israeli firms in the past, and there is a strong suspicion that these companies are now at risk.
The Jerusalem Post reported that Israeli authorities have pushed search engines and ISPs to block access to content related to Blackshadow and its posted/leaked documents. Telegram's secure messaging service tried and failed to block the group: despite Telegram deleting Blackshadow's account, the group created a new account and leaked even more captured data in response. The newly leaked data included personal information from a travel agency that is a Cyberserve client.
After researching Cyberserve, I have found that Cyberserve uses Tucows as its DNS registrar and Cloudflare as its cloud services provider. This is important because Cloudflare has a history of being breached, one of the most highly publicized events being the Cloudbleed vulnerability in 2017. To quote Tavis Ormandy of Google's Project Zero security team at the time:
"We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users."
Why this attack matters: this is just another example of what happens when providers do not implement and maintain minimum security controls and/or training that helps shorten the window during which an attack vector remains available. As this was a ransomware attack, concern and diligence need to be maintained, since social engineering attacks built on the released data are likely. This emphasizes the importance of strong social engineering awareness training, which every organization, big or small, should undertake on a regular schedule.
The above quote also raises concerns about the security of Cloudflare. If a third-party cloud provider using virtually pooled resources such as virtual machines or containers (for example Docker) either fails to protect confidential information within its own ecosystem, as a prior article explains for Microsoft Azure and OMIGOD, or leaks data externally through a shared connection such as a reverse proxy, as happened with Cloudflare in Cloudbleed, then organizations should think twice before using shared services to host sensitive data.
We recommend that where the data is sensitive in nature, dedicated hardware is used within a secure cloud environment.