Original Article Text

Chilean telecom giant GTD hit by the Rorschach ransomware gang

Chile's Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.

Grupo GTD is a telecommunications company offering services throughout Latin America, with a presence in Chile, Spain, Colombia, and Peru. The company provides various IT services, including internet access, mobile and landline telephone, and data center and IT managed services.

On the morning of October 23rd, GTD suffered a cyberattack that impacted numerous services, including its data centers, internet access, and Voice-over-IP (VoIP).

"We understand the importance of proactive and fluid communication in the face of incidents, therefore, in accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident," reads a GTD security incident notification.

"This impact is limited to part of our IaaS platform and some shared services (IP telephony services, VPNs and OTT television system). Our communication COR, as well as our ISP, are operating normally."

To prevent the attack's spread, the company disconnected its IaaS platform from the internet, leading to these outages.

Today, Chile’s Computer Security Incident Response Team (CSIRT) confirmed that GTD suffered a ransomware attack.

"The Computer Security Incident Response Team (Government CSIRT) of the Ministry of the Interior and Public Security was notified by the company GTD about a ransomware that affected part of its IaaS platforms during the morning of Monday, October 23," reads a machine-translated statement on the CSIRT website. "As a consequence, some public services in our country have presented unavailability on their websites."

The CSIRT is requiring all public institutions that use GTD's IaaS services to notify the government under decree No. 273, which requires all State agencies to report when a cybersecurity incident may impact them.

Ransomware IOCs released

While CSIRT has not disclosed the name of the ransomware operation behind the attack on GTD, BleepingComputer has learned that it involved the Rorschach ransomware variant previously seen used in an attack on a US company.

Rorschach ransomware (aka BabLock) is a relatively new encryptor seen by Check Point Research in April 2023. While the researchers could not link the encryptor to a particular ransomware gang, they warned that it was both sophisticated and very fast, able to encrypt a device in 4 minutes and 30 seconds.

In a report on the GTD attack seen by BleepingComputer, the threat actors are utilizing DLL sideloading vulnerabilities in legitimate Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL. This DLL is the Rorschach injector, which injects a ransomware payload called "config[.]ini" into a Notepad process. Once loaded, the ransomware begins encrypting files on the device.

CSIRT has shared the following IOCs related to the attack on GTD below, with u.exe and d.exe being legitimate TrendMicro and BitDefender executables used in the attack and the DLLs containing the malware.

Chile’s CSIRT recommends that all organizations connected to GTD’s IaaS go through the following steps to confirm they were not breached in the attack:

Earlier this year, the Chilean military suffered a Rhysida ransomware attack, where BleepingComputer was told that the threat actors released 360,000 documents stolen from the government.

BleepingComputer reached out to Grupo GTD with further questions about the attack this morning but did not receive a response.

Daily Brief Summary

CYBERCRIME // Chilean Telecom Giant Grupo GTD Struck by Rorschach Ransomware Attack

The Rorschach ransomware gang targeted Grupo GTD, a major telecommunications company in Latin America operating in Chile, Spain, Colombia, and Peru. The attack has impacted its Infrastructure as a Service (IaaS) platform, disrupting various services including data centers, internet access, and VoIP.

GTD had to disconnect its IaaS platform from the internet to prevent the spread of the attack, which caused further service outages.

The Computer Security Incident Response Team (CSIRT) of Chile has confirmed the incident and has asked all public institutions using GTD's services to report if they were impacted.

The recent attack utilized the Rorschach ransomware variant, which was previously seen in an attack on a US company earlier this year.

The Rorschach ransomware is considered sophisticated and fast, with the capability to encrypt a device within 4 minutes and 30 seconds.

The ransomware used DLL sideloading vulnerabilities in legitimate Trend Micro, BitDefender, and Cortex XDR executables to load a malicious DLL.

CSIRT recommends that organizations connected to GTD's IaaS take steps to confirm they have not been breached in this cyberattack.
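The article and the brief both describe the intrusion chain as a legitimate, signed security-vendor executable (the page names u.exe and d.exe) loading a malicious DLL from its own directory, with that DLL then injecting the payload into a Notepad process. The following is an added example written for this page, not code from BleepingComputer, CSIRT, GTD, or the ransomware itself: a small hunt over constructed Sysmon-style image-load and process-creation records that flags those two behaviours for a defender checking whether a host connected to the affected platform shows the same pattern. All paths, PIDs, DLL names and vendor directories in the sample records are constructed; only the u.exe and d.exe file names come from the page.

```python
"""Hunt for DLL sideloading followed by a notepad.exe child, over constructed
Sysmon-like records (Event ID 7 image load, Event ID 1 process create).
Added example for this page; sample data is constructed, not real IOCs."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which the Windows loader is expected to resolve DLLs.
SYSTEM_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
}


@dataclass(frozen=True)
class ImageLoad:
    """Shape of a Sysmon Event ID 7 record (subset of fields)."""
    pid: int
    image: str            # executable that performed the load
    loaded: str           # DLL path
    loaded_signed: bool   # Sysmon 'Signed' field for the DLL


@dataclass(frozen=True)
class ProcessCreate:
    """Shape of a Sysmon Event ID 1 record (subset of fields)."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str


# Constructed sample telemetry (hypothetical hosts, paths and PIDs).
IMAGE_LOADS = [
    # Benign: vendor tool in its install directory loading a system DLL.
    ImageLoad(1001, r"C:\Program Files\ExampleAV\u.exe",
              r"C:\Windows\System32\kernel32.dll", True),
    # Suspicious: the same signed tool copied to a writable folder loads an
    # unsigned DLL sitting next to it (the sideloading pattern).
    ImageLoad(2002, r"C:\Users\Public\u.exe",
              r"C:\Users\Public\example.dll", False),
    # Benign: notepad loading a system DLL.
    ImageLoad(3003, r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\ntdll.dll", True),
]

PROCESS_CREATES = [
    # notepad.exe spawned by the process that performed the sideload.
    ProcessCreate(3003, r"C:\Windows\System32\notepad.exe",
                  2002, r"C:\Users\Public\u.exe"),
    # Normal: notepad.exe started by the shell.
    ProcessCreate(4004, r"C:\Windows\System32\notepad.exe",
                  500, r"C:\Windows\explorer.exe"),
]


def _dir_of(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def find_sideloads(loads):
    """Image loads where an unsigned DLL is resolved from the loading
    executable's own directory rather than a Windows system directory."""
    hits = []
    for ev in loads:
        dll_dir = _dir_of(ev.loaded)
        if ev.loaded_signed or dll_dir in SYSTEM_DLL_DIRS:
            continue
        if dll_dir == _dir_of(ev.image):
            hits.append(ev)
    return hits


def find_injection_targets(sideloads, creates):
    """notepad.exe processes whose parent was flagged as sideloading; these
    are the candidates for the injected payload described in the article."""
    flagged_pids = {ev.pid for ev in sideloads}
    return [
        p for p in creates
        if p.parent_pid in flagged_pids
        and PureWindowsPath(p.image).name.lower() == "notepad.exe"
    ]


def hunt(loads=IMAGE_LOADS, creates=PROCESS_CREATES):
    """Run both checks and return the findings as plain dicts."""
    sideloads = find_sideloads(loads)
    targets = find_injection_targets(sideloads, creates)
    return {
        "sideload_pids": [ev.pid for ev in sideloads],
        "notepad_child_pids": [p.pid for p in targets],
    }


if __name__ == "__main__":
    for key, pids in hunt().items():
        print(f"{key}: {pids}")
```

On a real host the two constructed lists would be replaced by Sysmon Event ID 7 and Event ID 1 records exported from the event log; the `Signed` field of Event ID 7 supplies `loaded_signed`. The directory comparison deliberately ignores which vendor the executable belongs to, so the check generalises to any signed binary dropped into a writable folder beside an unsigned DLL, which is the general shape of the technique the page describes rather than only the three vendors it names.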