VPN vulnerability linked to ransomware attack in Singapore

 Ransomware attack on a computer
Ransomware attack on a computer

A VPN vulnerability has been identified as the key behind a ransomware attack against the Law Society of Singapore.

The attack occurred on January 27, 2021 and endangered the personal data of over 16,000 members, using a bug in the VPN service to gain access credentials if left unpatched.

The investigation carried on by the Singapore's Personal Data Protection Commission (PDPC) also found the Society guilty of using an easy-to-guess password as well as failing to conduct the periodic security reviews required by law. The organization has now 60 days to finalize an internal audit and fix any security gaps.

Breach of data protection obligations

Despite many members' personal information including full names, residential addresses and date of birth were leaked, PDPC's Deputy Commissioner Zee Kin Yeong concluded that: "There was no evidence of any exfiltration or misuse of the personal data of the members and the (Law Society) took prompt remedial actions in response to the incident," Channel News Asia reported.

The company's antivirus software detected the attack on the same day, in fact. It quickly removed the threat actor account used to inject the malware, while restoring the servers on previously data backups.

As the VPN provider Fortinet disclosed, developers informed their clients about the VPN's vulnerability on May 24, 2019. However, there were no updates to fix the bug available before the incident took place.

For this reason, Mr Yeong absolved the Law Society from any responsibility on the matter.

The troubles for the organizations representing all Singapore's lawyers didn't end there, though.

The PDPC found, in fact, the Society to be in breach of Section 24 of the country's Personal Data Protection Act for failing to fulfil some of its data protection obligations.

Section 24 of Singapore Personal Data Protection Act covering organizations' obligation to protect personal data.
Section 24 of Singapore Personal Data Protection Act covering organizations' obligation to protect personal data.

(Image credit: Singapore Statues Online)

Specifically, it was guilty to use weak password— "Welcome2020lawsoc"— for the hacked account. Even worse, this was in use for more than 90 days when the law required this to be changed every three months as a minimum requirement. The Law Society was also found guilty of not carrying out a security review in the three years preceding the attack.

Despite the gravity of the security flaws, these were not directly linked with the ransomware attack. The Law Society is now finalizing an internal audit to strengthen its security posture.

"In the past two years since the incident, we have already taken a number of proactive steps to enhance our cybersecurity infrastructure," said the Society in an official statement.

"Those include implementing multi-factor authentication for all VPN access and strengthening our in-house IT team to deal with cybersecurity matters."