OmniVision disclosed a data breach after the 2023 Cactus ransomware attack

Pierluigi Paganini May 22, 2024

The digital imaging products manufacturer OmniVision disclosed a data breach after the 2023 ransomware attack.

OmniVision Technologies is a company that specializes in developing advanced digital imaging solutions. In 2023, OmniVision employed 2,200 people and had an annual revenue of $1.4 billion. OmniVision Technologies Inc. is an American subsidiary of Chinese semiconductor device and mixed-signal integrated circuit design house Will Semiconductor. The company designs and develops digital imaging products for use in mobile phones, laptops, netbooks and webcams, security and surveillance cameras, entertainment, automotive and medical imaging systems.

In 2023, the imaging sensors manufacturer was the victim of a Cactus ransomware attack.

Last week, OmniVision notified the California Office of the Attorney General. The threat actors had access to the company systems between September 4 and September 30, 2023, when they deployed ransomware.

“On September 30, 2023, OVT became aware of a security incident that resulted in the encryption of certain OVT systems by an unauthorized third party. In response to this incident, we promptly launched a comprehensive investigation with the assistance of third-party cybersecurity experts and notified law enforcement. At the same time, we took proactive measures to remove the unauthorized party and ensure the security of OVT systems.” reads the data Breach Notification. “This in-depth investigation determined that an unauthorized party took some personal information from certain systems between September 4, 2023, and September 30, 2023. On April 3, 2024, after completion of this comprehensive review, we determined that some of your personal information was involved.”

At this time is unclear the number of the impacted individuals.

In October, 2023, the Cactus ransomware group added OmniVision to the list of victims on its Tor leak site. As proof of the data breach, the extortion group published data samples, including passport images, NDAs, contracts, and other documents.

Then, after the failure of the alleged negotiation, the gang released all the stolen data for free, however, OmniVision is currently no longer listed on the Cactus ransom leak site.

As a result of the incident, OmniVision implemented more monitoring solutions to detect suspicious activity and prevent recurrence. The company is also updating security policies, migrating some systems to the cloud, and requiring additional security awareness training. Although there is no evidence of fraudulent use of the personal information of the impacted individuals, the company is offering complimentary credit monitoring and identity restoration services for 24 months.

The Cactus ransomware operation has been active since March 2023, Kroll researchers reported that the ransomware strain is notable for the use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and used a PowerShell script called TotalExec, which was used in the past by BlackBasta ransomware operators, to automate the deployment of the encryption process.

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, data breach)

you might also like

leave a comment