A Mexican IT infrastructure and digital transformation biz is on clean-up duty after a criminal posted screenshots of what they claimed was company video surveillance footage to a cybercrime forum.
Monterrey-based Be Prime confirmed that it was the victim of a “cybersecurity incident” on Thursday, after the criminal, who used the alias “dylanmarly,” made sweeping claims about an attack they say they carried out.
Screenshots published by the attacker depicted access to Be Prime’s Cisco Meraki Vision panel, which, if true, would have allowed access to live feeds around its clients’ offices, including cameras overlooking different teams’ workspaces.
Dylanmarly also leaked what they claimed was 12.6 GB worth of data belonging to the company and some of its high-profile clients, which range from energy giants and household retail names to national pharmacies.
In its statement, Be Prime did not address the claims about client data being leaked online, nor did it speak about whether or not it uses Cisco Meraki Vision, which the attacker claims to have accessed. It did, however, admit that it had suffered a cyberattack, which it said it was working with Cisco Talos to remediate.
“In times like these, we believe it’s right to speak clearly, humbly, and with complete transparency,” the statement posted to LinkedIn reads (machine translated from Spanish). “No organization is immune to cybersecurity incidents, and today it has happened to us. Therefore, we want to communicate the facts, the actions taken, and our position on this situation directly and responsibly.
“Be Prime was the target of a cyberattack, so we immediately activated our containment, mitigation, investigation, and remediation protocols. Based on the information analyzed so far, there is no evidence of any impact on Be Prime’s operational continuity or on our clients’ operations.
“From the outset of the incident, we implemented a comprehensive response process. To date, the most critical phases of containment and remediation have been executed and completed, and we are continuing with additional strengthening and follow-up actions in communication with the Talos Cybersecurity Intelligence Center.”
According to dylanmarly’s narrative, shared by Mexican journalist Ignacio Gómez Villaseñor, the attacker gained access to admin accounts because Be Prime failed to implement two-factor authentication.
The attacker also claimed they accessed the Meraki API keys and used them to gain control of thousands of Be Prime network devices, including the security camera feeds of its clients.
Whomever these feeds belonged to, it is not clear why the cameras would have overlooked workspaces, although it is not uncommon for companies to deploy surveillance in commercially sensitive locations, such as server rooms, to assist in criminal investigations.
Be Prime has not explicitly addressed the attacker’s specific claims regarding the API keys or the thousands of accessed devices in its public communications, but has warned that defamation lawsuits would be brought against any person or media outlet it believes has disseminated inaccurate or out-of-context information.
The Register asked Be Prime to clarify every aspect of the attacker’s claims, identifying which were true and which were false. The company did not respond.
Be Prime went on to say in its public disclosure (machine translated from Spanish) that it wished to thank its clients for their support, and remind them that there is a dedicated contact method the company had shared with them, should they have any queries about the attack.
“We will continue to maintain direct communication with our clients to provide them with reassurance, support, and assistance,” Be Prime stated. “We have established and communicated a specific point of contact to address any questions, clarifications, or requests related to this incident.”
“We also want to express our sincere gratitude to our clients, partners, collaborators, specialists, and everyone who has given us their support, trust, and backing during this time,” it added.
“We know that a situation of this nature can happen to any organization, and today it has fallen to us to face it. We accept it with responsibility, seriousness, and total commitment. We reiterate that our priority is to protect operations, further strengthen our security capabilities, and respond with action, not just words. We will continue to provide updates through the appropriate channels as the investigations and additional actions underway progress.”