[BreachExchange] LG Electronics allegedly hit by Maze ransomware attack

Destry Winant destry at riskbasedsecurity.com
Fri Jun 26 10:20:57 EDT 2020


Maze ransomware operators have claimed on their website that they
breached and locked the network of the South Korean multinational LG

The details of the attack have not been released but the hackers
stated that they have stolen from the company proprietary information
for projects that involve big U.S. Companies.

Proprietary code stolen

This ransomware operator, like many others, publishes information on
their victims when their ransom demands are not accepted or contact
with the breached entity halts.

In a "press release" posted their data leak site on Monday, the threat
actors announced that they would provide information on an alleged LG
Electronics breach and the source code they stole.

Yesterday, Maze told BleepingComputer that they had breached LG
electronics and stole 40GB of source code from the manufacturer.

"Also, we would like to announce that in case of not contacting us
today we will share information about attack on Lg. We downloaded 40GB
of Python source codes from Lg. Developments for a biggest companies
in US, we will share part of source code on Lg later" - Maze

When asked how many devices were encrypted, the Maze operators told
BleepingComputer that this "information currently is private and will
be provided only to Lg negotiators."

In a new entry on their data leak site today, though, they published
alleged proofs of their attack on LG.

This includes a screenshot of a file listing from a Python code repository.

Another screenshot published by Maze shows a split archive for a .KDZ
file, which is the format for official stock firmware code from LG.

It appears from the image below that the firmware was developed for
AT&T. The mobile carrier currently lists 41 phones and four tablets
from LG on its device support page.

A third screenshot from the attackers shows a snippet of Python code
for an email forwarding project.

This source code indicates that the owner is from the domain
lgepartner.com, which is owned by LG Electronics.

Since yesterday morning, BleepingComputer has reached out to multiple
LG Electronics email addresses with a request to comment on this
alleged attack but the company had not answered by publishing time.

When sending an email to one email address listed publicly for general
media inquiries and corporate communications we received an automated
reply informing that the message could be delivered because the user
does not exist.

There is no information on how Maze was able to breach LG Electronics’
network but initial access methods used by the actor include
connecting via an exposed remote desktop connection and pivoting to
valuable hosts via compromised Domain Administrator accounts.

Some companies that fell victim to a Maze ransomware attack also had
vulnerable systems reachable over the public internet.

Regardless of how they got in, Maze has made a reputation of
publishing stolen files if they don’t reach an agreement with their
victims for a ransom payment.

Update [June 25, 08:56 EDT]: Article updated with quote from Maze
ransomware operators.

More information about the BreachExchange mailing list