Cybersixgill observed the ‘ALPHV/BlackCat’ ransomware operation announcing a recent attack on fintech company Tipalti. ALPHV said it plans to extort two high profile Tipalti customers, Twitch and Roblox, which illustrates the dangers of supply chain attacks on vendors who possess sensitive client information. Cybersixgill detected ALPHV detailing its strategy, referencing previous attacks on the gaming industry giant.
THE HEADLINE
On December 3, 2023, the ALPHV/BlackCat[1] ransomware group announced an attack on financial/accounting software developer Tipalti,[2] adding the company to the ransomware-as-a-service (RaaS) operation’s dedicated leak site (DLS). In the announcement, ALPHV claimed that it exfiltrated more than 265 GB of confidential business data belonging to Tipalti and two of its high-profile customers: live-streaming platform Twitch and online game-creation site Roblox. The ransomware group announced that it planned to extort Roblox and Twitch individually.
The Tipalti-Roblox-Twitch episode reflects the ultimate danger of supply chain attacks, a significant cybersecurity threat that involves targeting networks of tech-related vendors and partner organizations. While supply chain attacks affect a variety of industries, the most impactful attacks target software and IT vendors, such as Tipalti. Such victims have the potential to provide access to valuable data from industry leaders, such as Roblox and Twitch.
By compromising weak links within the supply chain, threat actors can gain unauthorized access to sensitive information, inject malicious code, or tamper with critical components. The repercussions range from data breaches and financial losses to widespread disruption and reputational damage. In perhaps the most famous supply chain attack in recent history, the state-sponsored Russian hacking group Nobelium infiltrated SolarWinds' Orion platform, which was used by tens of thousands of public and private organizations worldwide.
Nobelium injected malicious code into Orion software updates, infecting around 18,000 customers, compromising government agencies, technology firms, and other high-profile entities, resulting in unauthorized access and exfiltration of sensitive data. While supply chain attacks are a tried-and-true strategy at this point, ALPHV remains an innovator in extortionary strategies.
Most recently, the RaaS reported a victim, MeridianLink, to the Securities and Exchange Commission (SEC) for allegedly failing to file Form 8-K,[3] which requires public disclosures after certain data breaches. ALPHV accused MeridianLink of running afoul of SEC rules and reported the company to the Commission. In December 2022, ALPHV debuted an extortion strategy that involved cloning victims’ websites and posting their stolen data there. The cloned sites appeared to be an attempt to embarrass victims and highlight their lack of adequate security.
DIVING DEEPER
Cybersixgill collected information related to the Tipalti attack, in which the group declared its intention to extort Twitch and Roblox. The message contained a number of allegations, including the group’s claim that the Tipalti breach leveraged an insider threat, an umbrella term for employees, contractors, or other trusted individuals with authorized access to sensitive data, systems, or networks.
ALPHV referenced Tipalti’s alleged insurance policy, indicating that it lacked extortion coverage, and hinted at plans to extort Roblox and Twitch. The post alluded to a previous breach targeting Roblox, claiming the company engaged in excessive stalling and ultimately did not pay a ransom. At the time, an open-source intelligence (OSINT) news site reported that “high-profile” Roblox users impacted by the leak received malicious calls, texts, and emails. While the initial breach may have occurred as early as December 2020, Roblox did not publicly disclose it until July 2023. According to some reports, this raised red flags because Roblox users include a significant number of minors, with 43% of the platform’s 66.1 million daily active users under 13 years old.[4]
TAKEAWAYS
ALPHV continues to evolve as an innovative ransomware operation, amassing a growing list of victims. The gang regularly introduces new extortion strategies to pressure, shame, and intimidate victims.
With the threat posed by gangs such as ALPHV, all organizations should implement robust security standards on their corporate environments to safeguard against attacks. This includes multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.
Organizations should also instruct employees not to click suspicious links or attachments and implement regular security training to raise employees’ awareness so that social engineering attacks can be thwarted. Finally, organizations should evaluate risks of all third-party vendors, contractors and partners that manage data by monitoring their assets on the Cybersixgill Investigative Portal for a more proactive detection approach.
[1] ALPHV/BlackCat is a financially motivated Russian RaaS operation that has used the quadruple extortion scheme, which involves: (1) encryption and/or theft of victims’ data; (2) blackmail (victims must pay or face leaks); (3) Distributed-Denial-of-Service (DDoS) attacks after data extraction to pressure victims; and (4) additional threats to expose victims’ sensitive data to third parties, such as customers and competitors.
[2] Tipalti is a California-based provider of accounts payable, procurement and global payments automation software.
[3] Publicly traded companies in the U.S. are required to make Form 8-K SEC filings to report significant events or corporate changes deemed material to investors.
[4] According to the company’s Q1 earnings report for 2023.