An adversary has leaked stolen episodes from the new season of prison dramedy Orange Is the New Black, after its distributor Netflix refused to cave in to a ransom demand.
The hacker (or group of bad actors), who goes by the pseudonym The Dark Overlord (or thedarkoverlord), has also threatened on his Twitter account to dump additional content from FOX, IFC, National Geographic and ABC, presumably unless he is paid by these networks and distributors. "Oh, what fun we are all going to have. We're not playing any games anymore," the bad actor posted on his Twitter page.
The first illegal dump occurred on Friday, April 28 when The Dark Overlord posted the first episode of OITNB to file-sharing site The Pirate Bay, and an accompanying announcement on Pastebin. The reminder of the season was uploaded the following day.
The same actor has already gained a reputation across the infosec space for extorting health care providers and hospitals by breaching their systems, stealing their data and threatening to post it.
In reaction to the content dump, Netflix released the following official statement: "We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved." According to a report by DataBreaches.net, that third-party vendor is Larson Studios, an audio post-production company. SC Media has reached out to Larson Studios for comment.
DataBreaches.net also reported that it was contacted by The Dark Overlord last December regarding the apparent Larson breach. Reportedly, the adversary originally attempted to extort Larson before moving on to Netflix. In total, the hacker swiped at least 37 titles from a variety of entertainment companies, DataBreaches.net noted, including episodes of It's Always Sunny in Philadelphia, The Middle, and Portlandia.
Michael Sutton, CISO at cloud-based security company Zscaler, praised Netflix for refusing to pay up, suggesting that doing so would only embolden attackers to commit similar acts in the future. “It's quite possible that the same attacker has succeeded elsewhere, but we've not heard about it because the ransom was paid," said Sutton in emailed comments.
"Attackers are becoming increasingly aware of the profit potential that corporate extortion can provide. We can expect this trend to continue as attackers identify additional opportunities for disrupting business, such as attacking IoT devices," Sutton continued.
Tyler Reguly, manager of the Vulnerability and Exposure Research Team (VERT) at IT security software company Tripwire, said in emailed comments that Netflix was probably too savvy to pay the ransom. However, fans of its shows could easily become secondary victims.
“It is believed that Netflix has the best viewing data of anyone because you watch it from their servers and they know exactly how many people subscribe permanently versus subscribe just for the reason of new shows, so it's likely that they know the exact impact this will have and whether or not it will hurt them better than any traditional network would, making it the wrong choice as an extortion target," said Reguly.
But with lots of viewers potentially searching the web for these leaked episodes, "This would be a great time for malware authors to load malicious content under the guise of being the leaked episode to popular torrent and movie viewing sites," Reguly continued. "I suspect that you could rapidly create a fairly large botnet comprised of the individuals looking for the content. You have to wonder if the goal was truly extortion and the stolen content or if it was just to create the rapidly spreading news that it was stolen, so that people would search and download the attacker's malware.”
Several security experts commented that this incident underscored the importance of vetting the security of third-party partners, which according to DataBreach.net are a common target of The Dark Overlord.
“The pattern of attacks by the alleged hacker that breached Netflix's partner shows that it consistently targets a third party, validating the fact that this is an easy attack vector at the heart of the majority of breaches today," said Fred Kneip, CEO of cyber risk exchange platform CyberGRX, in emailed comments. "A lesson here is that companies need to understand that their third parties' security controls are constantly vulnerable to new exploits or configuration changes, which creates a need to monitor and mitigate these risks as they arise.”
"In this case of Netflix, one of their most prized assets is their original programming which they use to differentiate their service and attract an ever-growing list of subscribers," said Matthew Gardiner, cybersecurity strategist at cloud services provider Mimecast. "And no matter how strong the security program is at Netflix, if there are weaknesses in their supply-chain the attackers will hit them there. Unfortunately these types of attacks are now a key element of the risks that all organizations face.”