Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Accellion. Show all posts

Suspects Linked to the Clop Ransomware Gang Detained in Ukraine

 

Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department. 

While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement. 

The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash. 

Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added. 

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. 

In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.

Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.

Steris Corporation, The Latest Victim of Ransomware Gang Called ‘Clop’.

 

Data related to a customer of a recently targeted California-based private cloud solutions firm Accellion is being published online for sale by threat actors. Accellion is a file-transfer platform that is used by Steris Corporation. Many other firms were targeted by hackers a few weeks ago, threat actors exploited the security loopholes in the server of the company.

Ransomware gang ‘Clop’ has taken responsibility for the attack and is claiming to have critical information in their possession belonging to Steris Corporation. Steris Corporation is an American Irish-domiciled medical equipment firm specializing in sterilization and a leading provider of surgical products for the American healthcare system. Documents that are missing from the sever system of Steris Corporation include a confidential report regarding a phenolic disinfectant comparison study dating from 2018. This report bears the signatures of two Steris employees – technical services manager David Shields and quality assurance analyst Jennifer Shultz. 

Threat actors also managed to lay their hands on another critical document containing the formula for CIP neutralizer, a highly confidential trade secret owned by Steris Corporation.

Threat analyst Brett Callow stated to Infosecurity Magazine that “Clop is known to use data stolen from one organization to attack (spear phish) others. This is why, for example, there was a cluster of cases in Germany. So, any organization that has had dealings with one of the compromised entities should be on high alert.”

“It really makes no sense for companies to pay to prevent the publication of their data. There have been multiple instances in which threat actors have published or otherwise misused information after the victims have paid the ransom. In some cases, actors have even used the same data to extort companies a second time. And this is really not at all surprising”, he further added.

Apart from Steris Corporation, the Clop ransomware gang has targeted several clients of Accellion including Jones Day, Inrix, Singtel, ExecuPharm, Plantol, Software Ag, Fugro, Nova Biomedical, Amey Plc, Allstate Peterbit, Danaher, and the CSA Group.

Personal Information of Nearly 1,30,000 Singtel Users' Stolen in a Data Breach

 

Singapore’s leading telecom company Singtel confirmed the exploitation of a third-party file-sharing system Accellion which led to a massive data breach that affected nearly 1,30,000 clients. Private information of clients including National Registration Identity Card numbers and a combination of names, dates of birth, contact numbers, and addresses have been stolen by the hackers. 

Singtel, an associate of Bharti Airtel completed its initial investigation into the data leak and discovered which files on the Accellion file sharing system were illegally accessed. Hackers also managed to steal the bank account details of 28 former Singtel employees and credit card details of 45 staff members of a corporate client with Singtel mobile lines, the company stated in a news release.

Singtel said “some information from 23 enterprises, including suppliers, partners, and corporate customers, was also stolen. The company has started notifying all affected individuals and enterprises to help them and their staff manage the possible risks involved and take appropriate follow-up action.”

Yuen Kuan Moon, CEO of Singtel’s Group said in a news release that we are extremely apologetic for the inconvenience to our loyal customers due to this data breach and assured that we are taking all the necessary steps to beef up the security and negate the potential threats.

CEO said “data privacy is paramount; we have disappointed our stakeholders and not met the standards we have set for ourselves. Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge. We are doing our level best to keep our customers supported in mitigating the potential risks.”

Telecom company explained that a large part of the stolen data comprises internal information that is non-sensitive such as data logs, test data, reports, and emails. Threat actors targeted Accellion file transfer appliance (FTA); a third-party file-sharing system used by Singtel to exploit the vulnerabilities.

When the company was initially alerted to exploits against the system in December last year, Singtel ‘promptly applied’ a series of patches provided by Accellion to patch the vulnerabilities. On January 23, Accellion advised that a new flaw has emerged that rendered the earlier patches previously applied in December incapable. Since January 23, the FTA system has been kept offline.