Ransomware Targeted RSAWeb, a Leading South African Company

RSAWeb, a fast-growing South African Internet Service Provider specialising in cloud infrastructure and enterprise connectivity, has been hit by a ransomware attack.

An outage that took down RSAWeb’s whole network on 1 February, including its fibre, mobile, hosting, VoIP, and PBX services, was, according to the company, the result of a “highly sophisticated cyberattack”.

RSAWeb informed its largest enterprise clients last week that it had been hit by a ransomware attack, that its team was working on decrypting customers’ data, and that it did not want to say or do anything publicly that could compromise that effort.

Van Staden said the attack particularly affected the company’s cloud and shared hosting customers.

“Given the sophisticated nature of this attack, the recovery process is highly complex,” he said.

“We are currently in the process of restoring these services and expect to have the majority of these customers restored within the next 24 hours, with the remainder thereafter.”

He said services had been restored to Fibre to the Home (FTTH), Fibre to the Business (FTTB), MPLS, VoIP, and Mobile APN customers.

In his letter to fibre customers, Van Staden said they restored most customers’ FTTH and FTTB services within 24 hours.

“Our team worked around the clock to assist our remaining customers to reconfigure their settings and get back online.”

Van Staden added: “This attack is part of a campaign that has victimised many other businesses both in South Africa and globally.”

He said the company does not believe customer or employee data was accessed or misused as a result of the attack.

“The relevant authorities have been informed, and we have also engaged independent professional cybersecurity advisors.”

Dr Zakir Hussain, a security advisor, noted that cybersecurity agencies worldwide issued notices last week about attackers actively targeting unpatched VMware ESXi servers, and that RSAWeb has joined the list of victims.

The attackers are exploiting a security flaw tracked as CVE-2021-21974.

This is a two-year-old remote code execution vulnerability: a heap overflow in the OpenSLP service that ESXi exposes on port 427, patched by VMware in February 2021.

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” the CVE’s description states.
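The practical reading of that description is that exposure comes down to one condition: whether port 427 on the ESXi host answers SLP to whoever can reach it. The Python script below is an added example written for this article (it is not RSAWeb’s, VMware’s, or the researchers’ code): it sends a standard SLPv2 Service Request (RFC 2608) for the well-known “service:service-agent” type to UDP/427 and parses the header of whatever comes back. A well-formed SLPv2 reply carrying the request’s transaction ID means an SLP agent such as OpenSLP is reachable on that port. The target host is the script’s assumption, and the sample reply embedded in it is constructed so the parsing path can be checked without a live host; the script does not touch the overflow itself.

```python
"""Check whether a host still answers SLP on UDP/427, the service CVE-2021-21974 lives in.

Added example for this article, not RSAWeb's or VMware's code. Builds a minimal
SLPv2 Service Request (RFC 2608) and classifies the reply header. A valid reply
with our transaction ID means an SLP agent (OpenSLP on ESXi) is reachable; the
script never sends malformed data and does not test the heap overflow.
"""
import socket
import struct

SLP_VERSION = 2
SLP_PORT = 427
FUNC_SRVRQST = 1    # Service Request
FUNC_SRVRPLY = 2    # Service Reply
FUNC_SAADVERT = 11  # Service Agent Advertisement (answer to a service-agent request)
HEADER_FIXED_LEN = 14  # bytes before the variable-length language tag


def build_srvrqst(xid: int, service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", lang: str = "en") -> bytes:
    """Build an SLPv2 SrvRqst: 14-byte fixed header + language tag + request body."""
    lang_b = lang.encode("ascii")
    body = struct.pack("!H", 0)                        # PRList (previous responders): empty
    st = service_type.encode("ascii")
    body += struct.pack("!H", len(st)) + st            # <service-type>
    sc = scope.encode("ascii")
    body += struct.pack("!H", len(sc)) + sc            # <scope-list>
    body += struct.pack("!H", 0)                       # predicate: empty
    body += struct.pack("!H", 0)                       # SLP SPI: empty (no auth)
    total_len = HEADER_FIXED_LEN + len(lang_b) + len(body)
    header = struct.pack("!BB", SLP_VERSION, FUNC_SRVRQST)
    header += total_len.to_bytes(3, "big")             # 24-bit packet length
    header += struct.pack("!H", 0)                     # flags: unicast, no overflow, no mcast
    header += (0).to_bytes(3, "big")                   # next extension offset: none
    header += struct.pack("!H", xid)                   # transaction id echoed by the responder
    header += struct.pack("!H", len(lang_b)) + lang_b  # language tag
    return header + body


def parse_header(data: bytes) -> dict:
    """Parse the SLPv2 fixed header; raise ValueError if it cannot be an SLPv2 packet."""
    if len(data) < HEADER_FIXED_LEN:
        raise ValueError("short packet")
    version, function_id = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    if len(data) < HEADER_FIXED_LEN + lang_len:
        raise ValueError("truncated language tag")
    lang = data[14:14 + lang_len].decode("ascii", errors="replace")
    return {"version": version, "function": function_id, "length": length,
            "flags": flags, "xid": xid, "lang": lang}


def classify_reply(request_xid: int, data: bytes) -> str:
    """Return 'slp-agent' if data is a valid SLPv2 answer to our XID, otherwise why not."""
    try:
        hdr = parse_header(data)
    except ValueError as e:
        return f"not-slp: {e}"
    if hdr["xid"] != request_xid:
        return "slp-but-xid-mismatch"
    if hdr["function"] in (FUNC_SRVRPLY, FUNC_SAADVERT):
        return "slp-agent"
    return f"slp-unexpected-function-{hdr['function']}"


def probe_slp(host: str, timeout: float = 2.0, xid: int = 0x5A5A) -> str:
    """Send one SrvRqst over UDP/427 and classify the answer (live network call)."""
    req = build_srvrqst(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"  # closed, filtered, or slpd disabled on the host
    return classify_reply(xid, data)


# Constructed sample (not a real capture) of what a responding agent sends back:
# a 16-byte SAAdvert header carrying our XID, so the parser can be exercised offline.
SAMPLE_SAADVERT = (
    bytes([SLP_VERSION, FUNC_SAADVERT]) + (16).to_bytes(3, "big")
    + b"\x00\x00" + b"\x00\x00\x00" + struct.pack("!H", 0x5A5A)
    + struct.pack("!H", 2) + b"en"
)

if __name__ == "__main__":
    import sys
    print("sample reply ->", classify_reply(0x5A5A, SAMPLE_SAADVERT))
    if len(sys.argv) > 1:  # hypothetical target host supplied on the command line
        print(sys.argv[1], "->", probe_slp(sys.argv[1]))
```

Run it with a host as the first argument. “slp-agent” is a positive finding: the service the advisory describes is reachable from wherever the scan ran. “no-reply” after the timeout means the port is closed, filtered, or the SLP daemon has been stopped and disabled, which is VMware’s published workaround for hosts that cannot be patched; since ESXi also listens on TCP/427, confirm a silent host against its own service configuration rather than treating UDP silence as proof.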