A cyber attack on a multinational affects SMEs and large Argentine companies

A cyber attack against IFX Networks, a telecommunications provider that offers cloud services in much of Latin America, affected the operation of ministries in Colombia and companies in Chile on Tuesday of last week. The hack also reached a group of SMEs and large companies in Argentina that contracted IFX services to serve their clients.

The attack was, according to the company itself, ransomware, a type of malicious software that encrypts information in order to extort the victim and demand a ransom in cryptocurrencies in exchange for returning the data. If the victim refuses to pay, the cybercriminals also publish the stolen information on the dark web as a second extortion, to damage the company's reputation.

The main problem is the large number of services, both state and private, that are hosted on IFX, which also operates as what is known as an MSP (Managed Service Provider), that is, remote infrastructure management under a subscription model. Its site is even down, and the only thing that can be accessed is a page where the company posts updates on the status of the incident.

In Colombia there is talk of about 65 entities with their systems down, from superintendencies and ministries to the Superior Council of the Judiciary, the body that administers justice in the country.

In Chile, sites like Public Market and Chile Purchase (e-commerce pages like Mercado Libre) remained down as of the publication of this note.

And in Argentina, as Clarín was able to corroborate, various SMEs that develop software for third parties, as well as larger companies, are having problems operating because of this ransomware that entered IFX systems.

IFX Networks: the situation in Argentina

Ransomware encrypts data to make it inaccessible. Photo: Shutterstock

“On September 12, at IFX Networks we had an impact on some of our virtual machines as a result of an external cybersecurity attack known as ransomware,” the company explained in an official statement.

Clarín contacted various Argentine companies of different sizes, which described how the incident is affecting them. “On Tuesday of last week, at 5 in the morning, the entire IFX network went down. My clients started calling me because they couldn’t operate in the cloud,” said the president of a local company that manufactures billing software, who asked that his identity be withheld.

The SME provides services to more than a thousand subscribers and a small part of them uses IFX services. “As soon as I received the first message, I contacted the official IFX channel called CARE. We started talking on WhatsApp but they stopped answering me. In Argentina there is representation, but it is more commercial, they do not provide information or solve the problem,” he added.

Clarín contacted the local IFX representation but did not receive a localized response, only the statement that the company has shared on its website since the 18th of this month. In fact, the only thing that can be accessed is the statement page, since all the official IFX sites show a 404 error.

“What is complicated is that it feels like they lost information: when you ask for an update, they send you a generic communication that comes from Colombia, where they say that they are contacting customers to recover the backups. My feeling is that they may have lost it and cannot recover it,” the company director ventures.

Another software development company, which has contracted IFX services for 10 years, confirmed that the problems began in the early hours of Tuesday of last week.

“We have a part of the operations in the cloud with different providers. We had been leaving IFX for a long time, because we had been having a lot of problems with them – not like this – and we started moving to other cloud computing services,” says the development director of a company that provides ERP (Enterprise Resource Planning, resource management for companies).

“The most complicated thing is that they do not explain what happened and, internally, we know that the CEO gave the order not to deliver the backups to those of us who asked for them. When we request them, they do not give them to us, and this is a problem because we need to set up the systems to continue operating,” she adds. “At least they let me take the data and settings on a pen drive,” she complains.

“Due to this situation, I have clients who cannot bill. Go explain to the AFIP that IFX went down,” she says. “It’s Thursday, more than a week has passed and we cannot be online with these clients,” she concludes.

This company also works with two large companies: “I can’t say which ones they are, but there are also big players affected by this problem,” the director said.

Clarín learned of two companies, among the most affected in Argentina, that are taking the claim to court.

“Supply Chain Attack”: what it is and what “virtual machines” are

The supply chain that depends on IFX is affected throughout Latin America. Photo: Shutterstock

IFX was caught in what is known as a “supply chain attack”, that is, a domino effect that affects not only the company but also those who hire it. And that is where some Argentine companies are suffering: in the virtualization of their systems in the cloud.

“Virtualization is creating a virtual version of something, such as a computer or a server, storage or network, using specialized software known as a hypervisor (VMware, Hyper-V, OpenVZ, etc.),” Santiago Pérez Montaño, security analyst at the cybersecurity company Birmingham Cyber Arms, explained to Clarín.

To understand what happened with IFX, it is necessary to get a little more technical: why would a company virtualize a service?

“Virtualizing a service facilitates the administration, scalability and availability of the service, in addition to allowing the consolidation of multiple services on the same hardware. Let’s imagine that we have the entire structure of an application (software, its databases and other services) on a physical server and it fails: the result can be fatal,” he hypothesizes.

This is why “virtualizing these services separately segments the problem and improves our response and diagnosis capacity: tasks that in physical environments can be more demanding, such as backups and recovery, become trivial in virtualized environments and much friendlier for new system administrators,” he concludes.

Of course, when they fail or are victims of a cyberattack, the consequences are also broader than on a local computer.

“In the context of a structure like that of IFX Networks, a destructive attack such as ransomware manages to paralyze operations, cause data loss and have significant financial and reputational consequences not only for the compromised organization, but for all those that depend on or directly use its services,” explains Pérez. That is the most serious part of a supply chain attack: the number of victims who are affected by the problem.

IFX Networks: The scope and when the problem could be resolved

IFX stated this Wednesday that “all recovered systems are undergoing a validation and guarantee process before putting them back online.” However, in Argentina, Chile and Colombia there are a huge number of services not working.

The head of the Ministry of Information Technologies and Communications of Colombia, Mauricio Lizcano, said on Twitter that 762 organizations in Latin America are affected by this attack.

Since IFX does not provide official data, it is impossible to know whether the figure provided by the official is accurate.

“The problem with this type of cyberattack is that it can disrupt an entire network and, as for the recovery committee, priorities are established: due to the scale, Colombia is IFX’s number 1 concern. Argentina would be on the last step,” says one of the businessmen consulted.

Furthermore, the scarce information provided when explanations are requested, together with the generic nature of the statements, does not help clarify the picture. “IFX Networks has not allowed us to understand what happened; my hypothesis is that they are hiding something,” said Minister Lizcano in statements to the newspaper El País.

As for the threat actor, it is believed that the group behind the attack is Ransom House, based on information that circulated in private groups of directors of different companies in Latin America. However, the cartel had not confirmed the attack on its site as of this article’s publication.

Only one image circulated, of MarioLocker, the name that the cybersecurity company Trend Micro gave to a ransomware that is used by Ransom House.

Mario Locker, the ransomware used by the Ransom House cartel

The fact that the cybercriminals have not uploaded the information to their site may mean that negotiations over the ransom payment are still open.

Time will tell whether the affected IFX systems, in addition to having been interrupted, have had customer data leaked by cybercriminals on the dark web, in what would be the move into the second phase of extortion that the ransomware model involves.

Meanwhile, IFX clients are still unable to provide services to those who hired them and are wondering who will pay compensation for the problems caused.

By Editor
