[BreachExchange] Leading US video delivery provider confirms ransomware attack

Destry Winant destry at riskbasedsecurity.com
Fri Sep 11 10:03:33 EDT 2020


https://www.bleepingcomputer.com/news/security/leading-us-video-delivery-provider-confirms-ransomware-attack/

SeaChange International, a US-based leading supplier of video delivery
software solutions, has confirmed a ransomware attack that disrupted
its operations during the first quarter of 2020.

The company is traded on NASDAQ as SEAC and it has locations in Poland
and Brazil. Its customer list includes telecommunications companies
and satellite operators such as the BBC, Cox, Verizon, AT&T, Vodafone,
Direct TV, Liberty Global, and Dish Network Corporation.

SeaChange also says that its Framework Video Delivery Platform
currently powers hundreds of on-premises and cloud live TV and video on
demand (VOD) platforms with more than 50 million subscribers in over
50 countries.

April ransomware attack now confirmed

BleepingComputer learned of the attack on SeaChange's servers during
April 2020 when a ransomware gang posted screenshots of files they
claimed to have stolen from the company's servers.

Among those screenshots, we found a cover letter with a Pentagon
video-on-demand service proposal.

When BleepingComputer reached out to the US Department of Defense
(DoD) to ask if they were aware of a SeaChange breach, the DoD
declined to comment saying that it doesn't share info on potential
network intrusions or related investigations.

"In accordance with policy, we will have no information to provide on
possible network intrusions or investigations into possible network
intrusions in either DOD or contractor networks," Department of
Defense spokesman Lt. Col. Robert Carver told BleepingComputer.

BleepingComputer also reached out to SeaChange multiple times to find
if they were aware of the ransomware group's claims but our emails
went unanswered.

However, today, SeaChange finally confirmed the ransomware attack in a
10-Q quarterly report filed with the US Securities and Exchange
Commission (SEC).

"In the first quarter of fiscal 2021 [sic], we experienced a
ransomware attack on our information technology system," the company
reported.

"While such attack did not have a material adverse effect on our
business operation, it caused a temporary disruption. A forensic
investigation is being conducted to determine if any data was
compromised."

Attack claimed by the REvil ransomware gang

As BleepingComputer previously reported, the SeaChange ransomware
attack acknowledged by the company today was claimed at the time by
the REvil (aka Sodinokibi) ransomware group.

They created a new victim page for SeaChange, which was used to
publish snapshots of documents the REvil operators said were stolen
during the attack.

REvil is a ransomware-as-a-service (RaaS) operation known for
breaching corporate networks using exposed remote desktop services,
exploits, spam, as well as via hacked Managed Service Providers.

Although details regarding the attack on SeaChange are scarce, cyber
threat intelligence firm Bad Packets discovered that the company was
using a Pulse Secure VPN server unpatched against the CVE-2019-11510
vulnerability before it got hit by ransomware.

After gaining access to a targeted enterprise's network, REvil's
operators spread laterally while stealing sensitive data from servers
and workstations to be used as leverage to convince the victim to pay
the ransom under the threat of publicly leaking all the stolen info.

They later encrypt all the devices on the company's compromised
network after gaining administrative access to a domain controller.

One of REvil's latest victims is Brown-Forman, the company that owns
the world-known Jack Daniel's whiskey and Finlandia vodka brands.
