Capcom has released the final update on its investigation into the major ransomware attack it suffered last year. The investigation found that the attackers gained entry through an outdated VPN device. From that foothold they were able to reach the company's internal network and the devices on it that they went on to compromise.
The attack took place in November 2020, when Capcom was hit by the Ragnar Locker ransomware. It forced Capcom to shut down part of its network as the attackers accessed the company's systems, stole sensitive information, and encrypted network devices.
On November 4th 2020, Capcom issued a public statement confirming the attack. The statement said, “beginning in the early morning hours of November 2, 2020 some of the Capcom Group networks experienced issues that affected access to certain systems, including email and file servers. The company has confirmed that this was due to unauthorized access carried out by a third party and that it has halted some operations of its internal networks as of November 2.” At the time the announcement stated that there was no indication that any customer information had been affected, and that Capcom was consulting with the authorities about the incident.
The investigation found that the entry point was an older backup VPN device used by staff at Capcom's North American subsidiary. The device had been kept in service as an emergency fallback to handle the extra remote-access load caused by Covid-19. Only the North American subsidiary was still using it; the other Capcom Group subsidiaries had already moved to newer VPN devices. Since the incident, the old VPN has been removed from the network.
Following the news, security experts commented on the incident:
Lewis Jones, Threat Intelligence Analyst at Talion:
“This was one of the biggest ransomware attacks of 2020, with an estimated 390,000 users affected. The fact it has taken Capcom nearly 6 months to restore its systems and fully investigate the attack is a warning for organisations across the world that ransomware should be taken seriously. Despite this, Capcom states that, whilst a ransom demand was made, it never communicated with the attackers and did not pay the demand. Therefore it is expected that the breached data could be made public, if not already.
Interestingly, the company confirmed that the attackers targeted an “older backup VPN” which remained in use due to increased demand arising from the Covid-19 pandemic. This highlights the importance of organisations patching against vulnerabilities and keeping systems up to date.
The company does appear to have managed the situation as well as possible in terms of keeping customers up to date with regular statements, and has set up a Japan-only phone line for individuals who wish to inquire about the personal information that has potentially been compromised (0120-400161). North American and European customers are advised to contact its customer support.
Capcom has now confirmed that no credit card details have been breached; however, a large number of former staff and customer details have been stolen. For customers of Capcom who may be affected by the breach, be cautious and act as if your personal details have been breached until notified otherwise. Be alert to incoming texts, calls and emails from unknown sources that use the information shared in this incident to demand further personal information or payment. Also consider the password you use for this account: if it has been duplicated on other personal accounts, it should be changed promptly.”
Eoin Keary, CEO and Founder of edgescan:
“Unfortunately, this is a case of poor visibility in terms of attack surface. The hosting of old, deprecated or unpatched systems on corporate networks is an extremely common vector for system and data breach. The root cause of the majority of attacks against both small and enterprise organisations is known or old vulnerabilities and systems. An attacker simply needs to find one critical risk issue to be successful. This comes down to fundamentals: visibility and continuous maintenance. We can’t secure what we can’t see. Assuming staff at Capcom knew there was an “old” VPN present, the system may have been updated or addressed to maintain a secure posture.
Continuous visibility and vulnerability management across the full stack would help detect such weaknesses, and implementing such programmes is generally much more cost-effective than recovering from a ransomware attack or data breach.”
Bryan Embrey, director of product marketing at Zentry Security:
“The attack on Capcom spotlights both the vulnerability of aging security systems and the difficulty of configuring them to meet the demands of today's users. Capcom is to be commended for issuing a comprehensive statement of actions taken to remediate this attack by Ragnar Locker, but it also admits that it has improved its “management methods of VPN and other devices”. Implementing a modern zero trust secure access solution can significantly reduce the complex configuration of a traditional VPN while enabling easier log reviews for user behavior and application-specific access. Moreover, policy enforcement and multi-factor authentication are inherent in a zero trust system, ensuring that only authorized users get access to sensitive information.”
Jamie Akhtar, CEO and co-founder of CyberSmart:
“The fact that a major breach such as this resulted from the use of an old VPN server is unfortunate, particularly as this was done simply to accommodate the Covid-19 pandemic. Organisations can have all the latest tech and defences, but just one oversight can lead to significant consequences. As the saying goes, security teams need to get it right 100% of the time, while bad actors only need to get it right once. It is highly likely that many organisations are in a similar position, making compromises to enable remote working. There is no denying the difficulty of this situation, but businesses can get started by ensuring they are meeting basic cyber hygiene measures. This includes keeping software up to date, changing passwords to be complex and unique, and encouraging regular security awareness training.”