Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CLOP. Show all posts

The 2023 USG Data Breach: 800 Accounts Compromised, A Closer Look


The Breach: Scope and impact 

The University System of Georgia (USG) notified 800,000 people about data breaches during the 2023 Clop MOVEit attacks. USG is a state government body that oversees 26 public colleges and universities in Georgia, serving approximately 340,000 students. USG, which controls the state's higher education institutions, revealed that 800,000 people's info was exposed in late May due to the Cl0p ransomware operation's massive MOVEit file transfer system hack. 

Attack Vector: MOVEit file transfer software 

The Clop ransomware group used a zero-day vulnerability in Progress Software's MOVEit Secure File Transfer product in late May 2023 to launch a major global data theft campaign. 

 Clop Gang: Data exfiltration and ransom demand 

When the threat group launched its extortion phase in the MOVEit attacks, which affected hundreds of organizations worldwide, USG was one of the first to be identified as hacked. Almost a year later, with the assistance of the FBI and CISA, the USG discovered that Clop had stolen sensitive material from its networks and began informing affected individuals. 

What kind of info compromised? 

According to USG notice, the data breach notifications were made between April 15 and April 17, 2024, telling recipients that hackers obtained the following info: 

  • Full or partial (last 4 digits) Social Security Number 
  • Date of Birth Bank account number(s) 
  • Federal income tax documents with Tax ID number 

Russian malware: Clop alert 

The Russian-affiliated ransomware group Clop is suspected of being behind the attacks, which have affected over 2,500 businesses worldwide, with more than 80% situated in the United States. The Aftermath: Challenges and Responses Because the number of impacted individuals exceeds the number of USG students, and given the nature of the material, the incident is likely to touch former students, academic staff, contractors, and other personnel. 

The firm sent a sample of the data breach notice to the Maine Attorney General's Office Friday, claiming that the issue affects 800,000 persons. Finally, the listing on Maine's site mentions a driver's license number or ID card number as accessible data categories, yet these are not listed in the notification. 

Mitigation Efforts

USG now gives impacted persons 12 months of identity protection and fraud detection services through Experian, with an enrollment deadline of July 31, 2024. Clop's MOVEit cyber attacks were among the most effective and widespread extortion campaigns in recent history. 

Almost a year later, companies are still discovering, confirming, and disclosing breaches, extending the impact. Emsisoft's MOVEit victim counter indicates 2,771 impacted companies and approximately 95 million individuals whose personal information is stored on Clop's servers.

Sony Discloses Data Leak Affecting Thousands in the U.S.

 

Sony Interactive Entertainment (Sony) recently informed current and former employees, as well as their families, of a data breach that exposed private data. 

The company notified around 6,800 people about the data breach, confirming that the attack occurred when an unauthorised party exploited a zero-day vulnerability in the MOVEit Transfer platform. 

The Clop ransomware took advantage of the zero-day, CVE-2023-34362, a critical-severity SQL injection vulnerability that can result in remote code execution, in massive attacks that affected several organisations across the world. 

The intrusion took place on May 28, three days before Sony was informed of the vulnerability by Progress Software (the MOVEit vendor), according to the data breach notification, although it wasn't discovered until early June. 

The notice states that “on June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability.” 

“An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony further explained in the data breach notification. 

Sony claims that the problem was confined to a particular software platform and had no bearing on any of its other systems. Yet 6,791 Americans' private data was compromised, including sensitive information. Although each letter from the firm contains a list of the exposed facts, the sample notification provided to the Office of the Maine Attorney General has them suppressed. 

Now that they have received a notification, the recipients can sign up for Equifax's identity protection and credit monitoring services by providing their special access code through February 29, 2024. 

Following claims on hacking forums that Sony had experienced another security breach and that 3.14 GB of data had been taken from the company's servers, the firm responded by stating that it was looking into the allegations. 

The SonarQube platform, certifications, Creators Cloud, incident response guidelines, a device emulator for creating licences, and other information were all included in the leaked material, which at least two distinct threat actors owned. 

The following statement, which a Sony representative provided to BleepingComputer, confirms a small security breach: A Sony spokesman confirmed the following security breach to BleepingComputer: 

"Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business. Sony has taken this server offline while the investigation is ongoing. 

There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony's operations." 

This proves that Sony experienced two security lapses during the previous four months.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

 

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Estée Lauder: Cosmetic Brand Amongst the new Victims of Ransomware Attack


On Tuesday, U.S.-based cosmetic brand Estée Lauder Cos. Inc. confirmed to have witnessed a ransomware attack, following which it compromised some of its data and took down some of its systems.

Apparently, ransomware gangs ALPHV/BlackCat claim to have executed the attacks, listing Estée Lauder to their illicit sites on the dark web along with an airline, comms regulator, hard drive storage provider, and others.

Among the attacked victims is the file transfer tool MoveIt, attacked by the massive Clop breach in late May. The data theft has caused disturbance to several entities that used MoveIt services and claim around 378 organizations and 20 million individuals as its victims.

However, it is still not clear if Estée Lauder is one of the victims. The company has not revealed the nature or scope of the data that is compromised, but some screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from Black Cat and Clop claim that the compromised data include ‘customer data.’

Another message by Clop reveals that they have extracted 131 GB of data from the beauty giant. The ransomware gang also condemn the company stating it “doesn't care about its customers, it ignored their security!!!”

Adding to this, the ALPHV/Black Cat screen grab has threatened to expose more data that has been compromised, stating, “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”

A statement from the beauty brand confirmed the attack, where its statement and disclosure with the Securities and Exchange Commission mentions an “unauthorized third party” that managed to “access to some of the company’s systems,” but it did not explain what the attackers hoped to gain or what they demanded if anything.

Estée Lauder added that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” The company is now focusing on “remediation.” It has taken down at least some of its systems and is working with law enforcement to investigate the matter.

In the recent series of ransomware attacks, Estée Lauder has thus joined list with other big names that were a victim, including Walmart, Ikea, McDonald’s, and many others.

Clop Attacks: More Organizations Confirm to have Fallen Prey to MOVEit Mass-hack


As the ongoing MOVEit hack is getting exposed, their seems to be some new names that have fallen prey to the attack. These organizations involve hotel chain Radisson, U.S. based 1st Source Bank, real estate giant Jones Lang LaSalle and Dutch GPS company TomTom.

Numerous victims have already fallen victim to the Clop ransomware gang, responsible for the widespread data raids that targeted corporate customers of Progress Software's MOVEit file-transfer program.

Radisson Hotels Americas

One of the recently known victim organizations is the Radisson Hotels Americas. The international hotel chain has more than 1,100 locations, which is now appearing on the Clop dark web leak sites following the attack.

Spokesperson, Moe Rama of Choice Hotels’ (which acquired Radisson Hotels Group in 2022), says that a “limited number of guest records were accessed by hackers exploiting the MOVEit Transfer vulnerability, but declined to say how many guests had been affected.”

Jones Lang LaSalle

Jones Lang LaSalle, the U.S. based real estate giant, also claims to have suffered a data breach as a result of the cyberattack. According to a source with the knowledge of the incidents informs that the company informed its employee about the attack via emails. The emails says that all the employee data had been compromised, except the Social Security numbers. Apparently, the data breach affected all of the organization’s 43,000 employees.

“We were notified by MOVEit of a previously unknown security vulnerability in their software. Our immediate investigation detected unauthorized access to a limited number of files; we contained the malicious activity and patched our systems per vendor-provided instructions,” said JLL spokesperson Allison Heraty.

“Our priority has been to communicate directly with those impacted as well as all relevant authorities, which we have done,” she added. One of the first MOVEit victims to be identified by Clop, 1st Source Bank, disclosed in a regulatory filing on Monday that hackers gained access to "sensitive client data of commercial and individual clients, including personally identifiable information."

In a statement, the bank says, “The company has notified and is working with its commercial clients so impacted and is in the process now of identifying and directly notifying individual clients who have been impacted.”

Uofl Health

After appearing on Clop's dark web leak site, UofL Health, an academic health system with headquarters in Kentucky, acknowledged that it had been the subject of the hacks. However, UofL Health did not confirm if data had been accessed.

“Recently, the United States government confirmed that multiple federal agencies had been affected by cyberattacks which exploited a security vulnerability in a popular file transfer tool called MOVEit[…]Unfortunately, a small number of UofL Health medical practices used this software to transfer files to third party vendors," said UofL Health spokesperson David McArthur. “Upon learning of this event, UofL Health immediately took action and is now working with a forensic IT agency to determine the scope of the matter. The security of normal operations at UofL Health hospitals, medical centers, and physician offices has not been jeopardized.”

TomTom

On Tuesday, Dutch navigation giant TomTom also confirmed to have been fallen victims of Clop. “We at TomTom were immediately aware of a data breach that occurred on our vendor’s platform, MOVEit, last month,” said TomTom spokesperson Ivo Bökkerink. “We have taken all necessary safety and security measures to protect the data, and we have informed the relevant authorities,” the company stated. However, it has not been made clear of what data (if any) was stolen.

Following the recent disclosure, several other companies came forward, confirming to have fallen prey to the Clop cyberattacks. Some of them include German investment bank Deutsche Bank, the University of Colorado, the University of Illinois, diagnostics company Realm IDX, and New York-based biopharmaceutical firm Bristol Myers Squibb.

Moreover, there are many other organizations that appeared on Clop’s dark web leak site. However, they did not provide any official statement over the issue. These companies include an electronics maker, a global technology company, a corporate travel management giant and a human resources software maker.

With this, MOVEit hackers have claimed almost 270 victims organizations as of yet, impacting no less than 17 million individuals, as per the latest report by Emsisoft threat analyst Brett Callow.  

PwC Caught in the Crossfire: Australian Fallout from Major Cyber Breach Deepens

 


There has been a severe scandal going on at the accounting firm PwC over the past few weeks involving a tax scam and the company was dealt another blow as Russian hackers have just managed to steal sensitive information. 

It has come to the attention of PwC that a notable cyber breach has so far affected 267 Australian companies, and would also have a significant impact on many more corporations from other countries. In a recent attack on popular file-sharing software, cybercriminals with Russian connections broke into the system, which resulted in new high-profile attacks on the system. 

During the last week of May, clop, a cybercrime group, made its first attempt to break into the MOVEit file-sharing service. The company had begun the theft of data from various institutions, including agencies of the US federal government, Shell, the BBC, and many others. As more and more companies reveal that they have been targeted by the data breach, which has affected rival consultancy EY as well, this breach is expected to grow much larger by the day. 

The cybercrime group reportedly obtained client data after hacking third-party software called MOVEit, which PwC used to transfer confidential information. 

The hackers, who have executed two other global attacks in the last three years, have told companies to pay a ransom or have their files released online. “Pay attention to avoid extraordinary measures that may negatively impact your company,” Clop’s website reads. On Monday, PwC Australia confirmed it had used the software for a “limited number” of its clients, adding to its woes stemming from the Collins tax scandal. 

PwC said its initial investigations showed that the company’s internal IT network had not been compromised. The cyberattack on MOVEit had a limited impact on PwC. 

The firm had determined its own IT network had not been compromised, saying the breach was likely to have a "limited impact." PwC has reached out to the businesses whose files were affected and is discussing the next steps. The spokesman added that data security remained a "key priority" for the firm and that it was continuing to put "the right resources and safeguards in place" to protect its network and data.

Although the company appears to have escaped significant harm, the revelation comes at a poor time as it battles to regain governments' trust following the leaking of confidential tax information. 

Former PwC partner Peter Collins allegedly distributed documents describing the government's tax plans to other staff at the firm. This led to his registration termination with the Tax Practitioners Board. It also caused a slew of governments and their agencies to terminate agreements with the company. 

Clop demanded large ransoms for data return, but senior US officials have reportedly said no such demands have been made to federal agencies. It remains to be seen if the group will seek money from either of the Australian firms caught up in the breach. Progress, the company that created and maintains MOVEit software, patched the vulnerability within 48 hours. It also said it was aiding affected clients and had drafted in some of the world's best cybersecurity firms to assist with its response. 

In the face of a cybersecurity crisis that has hit Australia, PwC finds itself at the forefront, bracing for the expanding fallout. This incident serves as a stark reminder of the urgent need for robust cybersecurity measures and collaboration between organizations and government agencies. 

As the nation grapples with the aftermath, it becomes crucial for stakeholders to fortify their cybersecurity strategies, invest in advanced technologies, and enhance incident response capabilities. Australia must come together to address the immediate challenges and lay the groundwork for a more resilient and secure digital future.

Steris Corporation, The Latest Victim of Ransomware Gang Called ‘Clop’.

 

Data related to a customer of a recently targeted California-based private cloud solutions firm Accellion is being published online for sale by threat actors. Accellion is a file-transfer platform that is used by Steris Corporation. Many other firms were targeted by hackers a few weeks ago, threat actors exploited the security loopholes in the server of the company.

Ransomware gang ‘Clop’ has taken responsibility for the attack and is claiming to have critical information in their possession belonging to Steris Corporation. Steris Corporation is an American Irish-domiciled medical equipment firm specializing in sterilization and a leading provider of surgical products for the American healthcare system. Documents that are missing from the sever system of Steris Corporation include a confidential report regarding a phenolic disinfectant comparison study dating from 2018. This report bears the signatures of two Steris employees – technical services manager David Shields and quality assurance analyst Jennifer Shultz. 

Threat actors also managed to lay their hands on another critical document containing the formula for CIP neutralizer, a highly confidential trade secret owned by Steris Corporation.

Threat analyst Brett Callow stated to Infosecurity Magazine that “Clop is known to use data stolen from one organization to attack (spear phish) others. This is why, for example, there was a cluster of cases in Germany. So, any organization that has had dealings with one of the compromised entities should be on high alert.”

“It really makes no sense for companies to pay to prevent the publication of their data. There have been multiple instances in which threat actors have published or otherwise misused information after the victims have paid the ransom. In some cases, actors have even used the same data to extort companies a second time. And this is really not at all surprising”, he further added.

Apart from Steris Corporation, the Clop ransomware gang has targeted several clients of Accellion including Jones Day, Inrix, Singtel, ExecuPharm, Plantol, Software Ag, Fugro, Nova Biomedical, Amey Plc, Allstate Peterbit, Danaher, and the CSA Group.

CLoP Hacker Group Purloined Data From Jones Day

 

A dispute has broken out over the provenance of stolen information between US law firm Jones Day and the CLoP ransomware group after some of the association's assets were leaked on the dark web. The hacker group CLoP has posted a huge tranche of stolen records to a dark web “leak site,” asserting it snatched them from the law firm during a recent cyberattack. Such sites are regularly utilized by hackers to goad a victim into paying a ransom. CLoP's site is freely accessible and was verified for its existence.

In correspondence with the Wall Street Journal, the CLoP gang professed to have acquired more than 100GB of material directly from Jones Day's servers and said it previously contacted the firm with ransom demands on 3 February 2021. Jones Day has not engaged with the gang, hence the leak. In any case, the WSJ proceeded to report that Jones Day – which is among various law firms scrutinized for its connections to previous president Trump – has denied its organization was breached and demands that the information was stolen in a supply chain attack on Accellion’s legacy file transfer product, FTA, which was publicly disclosed in January 2021. 

Accellion was first informed regarding a zero-day vulnerability in its FTA product – which is quickly moving toward end-of-life – in December 2020. It released a patch within 72 hours, but the initial incident turned out to be just the first of a series of exploits used to attack its service over the following weeks. “Our latest release of FTA has addressed all known vulnerabilities at this time,” said Accellion CISO Frank Balonis. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks.

“Emsisoft's Brett Callow said: “If CLoP published Jones Day’s data and Jones Day says the data leaked a result of the attack on Accellion, the logical conclusion would be that CLoP was responsible for that attack – and that means they may have data relating to other Accellion customers.”

Cybercriminal Gang Clop Attacked an International Law Firm Jones Day For Ransom

 

Jones Day, a U.S.-based international law firm has suffered a major ransomware attack, and the allegedly stolen files from Jones Day were leaked on the internet. A Cybercriminal group known as Clop has taken the responsibility for attacking and stealing the files from the law firm.

The incident was first reported on February 13 by Databreaches.net and soon after the attack ransomware gang Clop claimed the responsibility and threatened the law firm to leak the files unless a ransom is paid. This group is known to encrypt files on exploited systems, as well as stealing files from the target. Former U.S. President Donald Trump is among Jones Day’s clients.

Accellion Inc., a Palo Alto-based private cloud solutions company is believed to be a source for the ransomware attack due to the vulnerability in its software, Accellion software was connected to a data breach in which 1.4 million unemployment records were stolen from the Office of the Washington State Auditor on 2nd February. Goodwin Procter, a global 50 law firm uncovered in an internal memo earlier this month that some client information has been accessed in a breach of an unnamed vendor, later discovered as Accellion.

Threat actors are claiming to have more than 100 gigabytes of data and have started to leak the stolen files online as evidence of their successful ransomware attack. This same group attacked the German tech giant Software AG in October last year and demanded a ransom of $20 million in return for a decryption key and promised not to leak the redacted files they had stolen.

Jones Day stated that “Jones Day’s network has not been breached. Nor has Jones Day been the subject of a ransomware attack. Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day – like many law firms, companies, and organizations – used, was recently compromised and information was taken. Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”

Hackers Leak Tons of Personal Data as IndiaBulls Fails to Meet the First Ransomware Deadline


Hackers demanding ransom released data, as the IndiaBull failed to meet the first ransom deadline. It happened after a 24-hour ransomware warning was issued, and when the party was unable to make ends meet, the hackers dumped the data. According to Cyble, a Singapore based cybersecurity agency, the hackers have threatened to dump more data after the second deadline ends. The hackers are using ransomware, which the experts have identified as "CLOP."


The hackers stole the data from IndiaBulls and released around 5 Gb of personal data containing confidential files and customer information, banking details, and employee data. It came as a warning from the hackers, in an attempt to threaten the other party, says a private cybersecurity agency.

About the data leak-
The dumped data resulted in exposing confidential client KYC details like Adhaar card, passport details, Pan card details, and voting card details. The leak also revealed personal employee information like official ID, contact details, passwords, and codes that granted access permission to the company's online banking service. The IndiaBulls' spokesman said that the company was informed about the compromise of its systems on Monday; however, the data leaked is not sensitive. When asked about the data leak incident that happened on Wednesday, he said that the company had nothing to say.

The cybersecurity agency, however, tells a different story. It says that the spokesperson's information is incorrect as the attack did not happen on Monday. It also says that it requires some time to carry out such an attack, in other words, the transition phase from initial attack to extortion. The company may have been confused or misguided, say the cybersecurity experts. In a ransomware attack, the hacker makes it impossible for the user to access the files by encrypting them. Most of the time, the motive behind the ransomware threat is money, which is quite the opposite of state-sponsored hackers, whose aim is to affect the systems. In the IndiaBulls' incident, hackers encrypted the files using CLOP ransomware. It is yet to confirm how the hackers pulled this off, but according to Cyble, it was mainly due to vulnerabilities in the company's VPN.