Ransomware attack affecting Tietoevry's services to some customers in Sweden (opens in new tab)

(tietoevry.com)

49 pointszyberzero2y ago20 comments

20 comments

rightbyte2y ago

Tietoevry is one of these firms MBAs use to dismantle the it-department and outsorce it to.

I've always thought these centralized point of failures are a bad idea.

thejackgoode2y ago

With extra sauce of numerous mergers and rebrandings. So, every 3 to 7 years, this phoenix of shit is reborn

jruohonen2y ago

> With extra sauce of numerous mergers and rebrandings

That's actually a good hypothesis that hasn't been examined before, I believe.

1 more reply

filleokus2y ago

Seen people speculate online that everything in AS25473 and AS34950 is affected, and that unpatched Ivanti Endpoint Manager Mobile could be the entry point https://www.shodan.io/host/193.8.33.135

Not sure how credible that is? I don't understand how that could take down the whole data center.

cxcorp2y ago

BleepingComputer's coverage[1] has this tidbit:

> BleepingComputer has been told that the Akira ransomware operation is behind the attack on Tietoevry, coming soon after the Finnish government warned about their ongoing attacks against companies in the country.

> "The incidents were particularly related to weakly secured Cisco VPN implementations or their unpatched vulnerabilities. Recovery is usually hard," warned the Finnish NCSC.

I wonder what the entrypoint was back in 2021 when they were attacked around the same time?

[1]: https://www.bleepingcomputer.com/news/security/tietoevry-ran...

rasse2y ago

Probably unrelated, but their software offering in healthcare is riddled with bad practices.

ptaipale2y ago

Certainly unrelated. And when compared to the biggest competition (Apotti/Epic) it's a shining light of sanity... though some other providers have better user experiences.

jruohonen2y ago

"One of Tietoevry’s several datacenters in Sweden has become partially subject to a ransomware attack."

Sounds bad.

zyberzeroOP2y ago

Yeah. From what I know at least Filmstaden (Swedens biggest cinema chain, owned by AMC) can’t sell a thing right now. No tickets can be sold at all, and no snacks can be sold at the cinema either :(

Rusta is another affected store chain. I guess there is a lot more affected customers unknown to the public right now

CRConrad2y ago

In a meeting right now, team lead just recounted how she'd had to pay in cash at Rusta (ESpoo, I assume) yesterday or the other day because card payment wasn't working. "I was lucky to happen to have cash on me, others turned around and left."

gerikson2y ago

Granngården is another.

1 more reply

tgsovlerkhgsel2y ago

It only affecting one datacenter is good news, IMO:

It makes it likely that the attackers didn't breach Tietoevry itself, or that they had only very limited access (unless Tietoevry has incredibly good separation between business units, so that only a small subset is affected).

That increases the chance that the customers have to deal with an outage, not an outage followed by ransom demands and their customer data being leaked.

cotillion2y ago

They obviously had no separation at all between customers within the DC though. Which is worrying.

2 more replies

j / k navigate · click thread line to collapse

20 comments

rightbyte2y ago

Tietoevry is one of these firms MBAs use to dismantle the it-department and outsorce it to.

I've always thought these centralized point of failures are a bad idea.

thejackgoode2y ago

With extra sauce of numerous mergers and rebrandings. So, every 3 to 7 years, this phoenix of shit is reborn

jruohonen2y ago

> With extra sauce of numerous mergers and rebrandings

That's actually a good hypothesis that hasn't been examined before, I believe.

1 more reply

filleokus2y ago

Seen people speculate online that everything in AS25473 and AS34950 is affected, and that unpatched Ivanti Endpoint Manager Mobile could be the entry point https://www.shodan.io/host/193.8.33.135

Not sure how credible that is? I don't understand how that could take down the whole data center.

cxcorp2y ago

BleepingComputer's coverage[1] has this tidbit:

> "The incidents were particularly related to weakly secured Cisco VPN implementations or their unpatched vulnerabilities. Recovery is usually hard," warned the Finnish NCSC.

I wonder what the entrypoint was back in 2021 when they were attacked around the same time?

[1]: https://www.bleepingcomputer.com/news/security/tietoevry-ran...

rasse2y ago

Probably unrelated, but their software offering in healthcare is riddled with bad practices.

ptaipale2y ago

Certainly unrelated. And when compared to the biggest competition (Apotti/Epic) it's a shining light of sanity... though some other providers have better user experiences.

jruohonen2y ago

"One of Tietoevry’s several datacenters in Sweden has become partially subject to a ransomware attack."

Sounds bad.

zyberzeroOP2y ago

Rusta is another affected store chain. I guess there is a lot more affected customers unknown to the public right now

CRConrad2y ago

gerikson2y ago

Granngården is another.

1 more reply

tgsovlerkhgsel2y ago

It only affecting one datacenter is good news, IMO:

That increases the chance that the customers have to deal with an outage, not an outage followed by ransom demands and their customer data being leaked.

cotillion2y ago

They obviously had no separation at all between customers within the DC though. Which is worrying.

2 more replies

j / k navigate · click thread line to collapse