Australian domain registrar auDA apparently hacked, in talks with ACSC | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

Australian domain registrar auDA apparently hacked, in talks with ACSC

An Australian internet company fell foul of a relatively new player on the hacking scene late last week when the NoEscape ransomware gang claimed to have stolen 15 gigabytes of sensitive data.

At first, .au Domain Administration Limited – better known as auDA – denied the claims of the gang, saying in a statement on 18 August that despite being notified of the incident, “so far found no evidence of such a breach”.

The company posted a statement on 20 August, admitting that the threat actor had shared limited proof of the attack.

“Today, the cyber criminal has provided evidence of a small sample of data they say is in their possession,” auDA said. “It includes screenshots of a file list from a computer.”

The not-for-profit is continuing to investigate the incident, and the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Department of Home Affairs have been informed.

According to NoEscape’s leak site, the group posted about the breach on 11 August, saying that it had 15 gigabytes of data, including a long list of sensitive personal information.

“We have 15GB of stolen data, namely: powers of attorney and legal documents with seals, passports, personal data, medical reports, loan repayment, dismissal documents, declarations, death certificates, access to customer bank accounts (name pw bsb acc number), taxes, projects, and much more confidential information,” NoEscape said.

“Allocate a person to the place of the negotiator and let him contact us,” the group added, “we will explain everything and help to you [sic] avoid these problems.”

(Cyber Security Connect has not seen the leak site since the onion addresses seem to resolve to a blank page, but threat monitoring site Falcon Feeds has a reliable screenshot.)

NoEscape itself seems to be a relatively new group, first appearing in May 2023. It operates both as a ransomware-as-a-service operation, providing affiliates with custom payloads and the infrastructure to manage their campaigns. The group also runs its own extortion operations, which the auDA incident appears to be.

The gang has set a date for posting its next update about 10 days after its initial 11 August notice.