
Exclusive: Australian Compass Group confirms second hack

A member of the Medusa ransomware gang has targeted the Sydney food company for the second time this month.

Despite falling victim to a Medusa ransomware spin-off earlier this month, North Sydney-based Compass Group has now been listed on the gang's darknet leak site for the second time.

According to a post written late on the evening of September 18, an affiliate (it is unknown whether this was the same actor or a second one) was able to exfiltrate another tranche of data.

“Our partner penetrated this weak network this morning and brought the computers down again!” the post said.

While the first attack, which likely occurred on or before September 4, reportedly stole 785.5 gigabytes of data, the affiliate did not list the amount of data stolen this time. However, a screenshot of the affected machine's file system suggests that more than a terabyte of data may have been affected in this second attack, and a file tree of the data contains more than 170,000 rows of records.

The file tree includes dozens of passports and other identification documents, medical certificates, salary details and other employee data. There appears to be some overlap with the dataset exfiltrated in the first incident, but the extent of this overlap is difficult to say.

The ransom demanded for the first batch of data was two million dollars, but for this second incident it is $100,000. This could also indicate some overlap, as the data is already compromised and therefore no longer as valuable.

Compass Group Australia confirmed it was aware of the second incident.

“The investigation is ongoing and we continue to work closely with leading global cybersecurity experts, specialized legal advisors and regulators,” a Compass Group spokesperson told Cyber Daily on September 20.

“Yesterday, our security measures detected unauthorized activity on a server that recently came back online. In accordance with our security protocols, we disabled this system and contained the threat.

“Our priority is to ensure the ongoing security and stability of our systems and to provide support to those whose high-risk information is affected.”

The spokesperson added that the company was making progress in analyzing the stolen data and had already begun notifying people whose data was at “high risk.”

“We sincerely apologize for any impact on our employees, customers or suppliers,” the spokesperson said.

“We have put in place a range of support measures for those affected, including access to external professional support and advice on the precautions people can take to protect their personal information.

“We will continue to keep our employees, customers and suppliers updated as new details become available.”

Shannon Sedgwick, partner for National Cyber Security Practice at MinterEllison Consulting, said that while it was not uncommon to be hit a second time, it was unfortunate.

“Medusa is a ransomware-as-a-service (RaaS) group that employs living-off-the-land techniques by using legitimate software tools for malicious purposes that are difficult to detect in the context of regular network traffic because they mimic normal behavior,” Sedgwick told Cyber Daily.

“Medusa is adept at evading detection by security teams and remaining persistent on victims' networks after detection, using remote management and monitoring tools to remotely execute a payload and install vulnerable drivers to compromise defenses, such as shutting down Microsoft Defender. They also move laterally through networks by modifying registry keys and creating scheduled tasks.”

“Secondary attacks, where a threat actor remains persistent, underscore the importance of ensuring malware is removed from infected systems and organizations restore from verified and tested clean backups. Likewise, segmenting networks and limiting connections to critical systems is necessary to reduce the attack surface for both discovery and lateral movement of incidents, as well as patching software to fix vulnerabilities, as Medusa typically penetrates its victims' networks through vulnerable, publicly accessible services.”
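The behaviours Sedgwick lists (disabling Microsoft Defender, installing a vulnerable driver, modifying registry keys, creating scheduled tasks) each leave a Windows log record, but any one of them on its own also occurs during legitimate administration. As an added example that is not part of this article, of Compass Group's incident response or of any vendor's product, the Python script below correlates simplified, constructed versions of those records per host inside a ten-minute window and reports only clusters that combine two or more distinct behaviours. The event IDs are real Windows ones (System 7045 new service installed, Security 4657 registry value modified and 4698 scheduled task created, Defender operational log 5001 real-time protection disabled); the flattened field names, host names, paths and timestamps are assumptions made for the sample and would need mapping onto whatever your SIEM actually ingests.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps, host names and
# file paths are invented; each dict is a simplified, flattened view of one
# Windows log record with only the fields the rules below need.
SAMPLE_EVENTS = [
    {"time": "2024-09-18T06:02:11", "host": "FS-01", "id": 7045, "source": "System",
     "service": "hwmon", "image": r"C:\ProgramData\hw\hwmon.sys", "type": "kernel mode driver"},
    {"time": "2024-09-18T06:02:40", "host": "FS-01", "id": 5001,
     "source": "Microsoft-Windows-Windows Defender", "message": "Real-time protection is disabled."},
    {"time": "2024-09-18T06:03:05", "host": "FS-01", "id": 4657, "source": "Security",
     "object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "new_value": "1"},
    {"time": "2024-09-18T06:04:00", "host": "FS-01", "id": 4698, "source": "Security",
     "task": r"\Microsoft\Windows\UpdateHealth",
     "command": r"C:\Windows\System32\cmd.exe /c C:\ProgramData\hw\run.bat"},
    # Benign-looking task on another host: binary lives under Program Files.
    {"time": "2024-09-18T09:30:00", "host": "WS-22", "id": 4698, "source": "Security",
     "task": r"\Backup\NightlyExport", "command": r"C:\Program Files\Backup\export.exe"},
]

# Kernel drivers normally load from here; anything else deserves a look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Directories a standard user can write to; scheduled tasks launching from
# them are a common persistence pattern.
WRITABLE_HINTS = ("\\programdata\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


def classify(event):
    """Map one event to a detection tag, or None if it looks benign."""
    eid = event["id"]
    if eid == 7045 and event.get("type") == "kernel mode driver":
        if not event["image"].lower().startswith(DRIVER_DIR):
            return "driver_loaded_outside_system_dir"
    if eid == 5001 and "Windows Defender" in event["source"]:
        return "defender_realtime_protection_off"
    if eid == 4657:
        obj = event["object"].lower()
        if "windows defender" in obj and "disable" in obj and event.get("new_value") == "1":
            return "defender_policy_tamper"
    if eid == 4698:
        cmd = event["command"].lower()
        if any(hint in cmd for hint in WRITABLE_HINTS) or "-enc" in cmd:
            return "scheduled_task_from_writable_path"
    return None


def correlate(events, window_minutes=10):
    """Cluster flagged events per host; report clusters mixing 2+ distinct tags."""
    flagged = []
    for ev in events:
        tag = classify(ev)
        if tag:
            flagged.append((ev["host"], datetime.fromisoformat(ev["time"]), tag))
    flagged.sort(key=lambda f: (f[0], f[1]))
    window = timedelta(minutes=window_minutes)
    findings = []

    def flush(cluster):
        tags = {tag for _, _, tag in cluster}
        if len(tags) >= 2:  # one behaviour alone is too noisy to page on
            findings.append({"host": cluster[0][0],
                             "start": cluster[0][1].isoformat(),
                             "end": cluster[-1][1].isoformat(),
                             "tags": sorted(tags)})

    cluster = []
    for item in flagged:
        # Start a new cluster when the host changes or the gap exceeds the window.
        if cluster and (item[0] != cluster[-1][0] or item[1] - cluster[-1][1] > window):
            flush(cluster)
            cluster = []
        cluster.append(item)
    if cluster:
        flush(cluster)
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(f"{finding['host']}: {', '.join(finding['tags'])} "
              f"between {finding['start']} and {finding['end']}")
```

Run against the constructed sample, the script reports one cluster on FS-01 carrying all four tags and stays silent on WS-22, whose scheduled task launches a binary from Program Files. The requirement for two distinct behaviours within the window is the design choice that keeps the rule usable: each individual signal fires during routine driver installs, policy rollouts or task scheduling, but the combination in a few minutes on one host is what the quoted description of a persistent intruder looks like in the logs.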

Compass Group is a subsidiary of the UK-based company of the same name and, according to the Australian company’s website, is “Australia’s largest food and support services company”.

The company employs 13,000 people and provides food services to companies in the education, mining and defense sectors, as well as hospitals and elderly care facilities.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years and has worked for a variety of print and online titles throughout his career. He enjoys covering cybersecurity, especially when he can talk about Lego.
