VPN vulnerability linked to Singapore ransomware attack
A VPN vulnerability has been identified as the entry point for a ransomware attack on the Law Society of Singapore.
The attack took place on January 27, 2021 and compromised the personal information of over 16,000 members. The attacker exploited an unpatched vulnerability in the Society's VPN service to obtain access credentials.
An investigation by the Personal Data Protection Commission (PDPC) also found that the Society had used an easy-to-guess password and had failed to perform the periodic security reviews required by law. The organization now has 60 days to complete its internal audit and fix any security vulnerabilities it finds.
Breach of data protection obligations
Despite the exposure of many members' personal information, including names, addresses, and dates of birth, PDPC Deputy Commissioner Zee Kin Yeong stated that "there was no evidence of any exfiltration or misuse of members' personal information, and [the Society] took prompt remedial action in response to the incident," Channel NewsAsia reported.
The Society's antivirus software detected the attack the same day. The Society promptly deleted the account the attacker had used to deploy the malware and restored its servers from earlier backups.
Fortinet, the vendor of the VPN product, disclosed the vulnerability to its customers on May 24, 2019. However, no update fixing the bug was available before the incident.
For this reason, Mr. Yeong did not hold the Law Society responsible for the vulnerability itself.
However, this was not the end of the problems for the organization that represents all lawyers in Singapore.
The PDPC found that the Society had breached Section 24 of the Personal Data Protection Act (PDPA) by failing to meet some of its data protection obligations.
In particular, the password used on the compromised account, "Welcome2020lawsoc", was weak. To make matters worse, it had been in use for more than 90 days, although it was required to be changed at least every three months. The Law Society was also found to have conducted no security review in the three years before the attack.
Although these failings were serious, the PDPC found that they were not the direct cause of the ransomware attack. The Law Society is currently finalizing an internal audit to strengthen its security posture.
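The two findings above, a predictable password and one left unchanged past the 90-day limit, are the kind of thing an auditor can check mechanically. The following is an added example of such a check; it is not the PDPC's or the Law Society's tooling. The 90-day limit comes from the decision as reported; the minimum length, the token lists and the sample dates are assumptions made for this example.

```python
# Added example: a password-policy check covering the two findings in the
# article. Not the PDPC's or the Law Society's tooling. MAX_AGE_DAYS comes
# from the reported 90-day requirement; MIN_LENGTH, the token lists and the
# sample dates are assumptions.
import re
from datetime import date

MAX_AGE_DAYS = 90        # rotation requirement cited in the decision
MIN_LENGTH = 14          # assumed policy value
# Constructed lists of tokens an attacker tries first: generic words and
# organisation-specific names. A real check would load a proper wordlist.
COMMON_WORDS = ("welcome", "password", "letmein", "admin")
ORG_TOKENS = ("lawsoc", "lawsociety")


def pattern_findings(password: str) -> list:
    """Return the reasons a password is predictable; an empty list means none found."""
    findings = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    for word in COMMON_WORDS:
        if word in low:
            findings.append("contains common word '%s'" % word)
    for token in ORG_TOKENS:
        if token in low:
            findings.append("contains organisation name '%s'" % token)
    if re.search(r"(19|20)\d{2}", password):
        findings.append("contains a four-digit year")
    # "Word" + digits + optional lowercase suffix is the shape that mangling
    # rules in password-cracking tools produce early, so it is flagged even
    # when the length and character mix look acceptable.
    if re.fullmatch(r"[A-Z][a-z]+\d+[a-z]*", password):
        findings.append("matches Word+digits+suffix shape")
    return findings


def password_age_days(last_changed: str, today: str) -> int:
    """Days between two ISO dates (YYYY-MM-DD)."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days


def check_account(password: str, last_changed: str, today: str) -> dict:
    """Combine the composition check with the rotation check."""
    findings = pattern_findings(password)
    age = password_age_days(last_changed, today)
    return {
        "weak": bool(findings),
        "findings": findings,
        "age_days": age,
        "stale": age > MAX_AGE_DAYS,
    }


if __name__ == "__main__":
    # Constructed sample: the password from the decision, with an assumed
    # last-change date, checked as of the day of the attack.
    result = check_account("Welcome2020lawsoc", "2020-10-01", "2021-01-27")
    for reason in result["findings"]:
        print("weak:", reason)
    print("age %d days, stale: %s" % (result["age_days"], result["stale"]))
```

The composition check deliberately looks for structure rather than counting character classes: "Welcome2020lawsoc" satisfies a typical length-and-mixed-case rule yet is built from a greeting, a year and the organisation's name, exactly the combination a targeted wordlist would contain.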
“Over the past two years since the incident, we have already taken a number of proactive steps to improve our cybersecurity infrastructure,” the Society said in an official statement.
“These include implementing multi-factor authentication for all VPN access and strengthening our internal IT team to address cybersecurity issues.”