
The MOVEit Breach Might be the Biggest Cyberattack in 2023


Of the many malicious cyberattacks seen in 2023, a year that brought a number of new trends and tactics, one breach that stood out was the compromise of the MOVEit Transfer file transfer software.

A new report from ESET notes that, beyond its extensive reach, the MOVEit hack was significant because its perpetrators, Cl0p, did not use ransomware at all: the data was stolen and the victims extorted without anything being encrypted.

The campaign also leaked the data stolen from victim organizations on a public website, another novel tactic for cybercriminals. The ALPHV/BlackCat ransomware gang, also active this year, was seen adopting the same approach.

Emerging Trends

ESET notes that, given the scale of the MOVEit campaign, encrypting every victim would probably have been more effort than it was worth for Cl0p. ESET cites Emsisoft data that puts the number of affected organizations at more than 2,600 six months on.

These victims ranged from government agencies, schools and healthcare, to major organizations like Sony and PricewaterhouseCoopers (PwC).

Another emerging tactic was the use of AI tools in attack campaigns, following the boom in generative AI in 2023 in the wake of ChatGPT's public release in November 2022.

Several campaigns have abused AI tools such as ChatGPT, or registered spoofed domains with names resembling ChatGPT. Some of these domains host web applications that compromise users' privacy by handling OpenAI API keys unsafely.

The Lumma infostealer, which was extremely successful at stealing cryptocurrency wallets, was another phenomenon of the year. It alone accounted for 80% of cryptostealer detections and drove a 68% increase in cryptocurrency theft this year. Lumma also harvests login credentials and other data; the total number of Lumma detections tripled between H1 and H2 2023.

Moreover, the infamous Magecart threat, a concern for retailers since 2015, remains persistent and grew stronger this year. Magecart skimmers inject code into insecure websites to collect user data, including credit card numbers, as customers type it into checkout forms. Detections rose 343% between 2021 and 2023.

Jiří Kropáč, Director of Threat Detection at ESET, concludes that "these developments show an ever-evolving cybersecurity landscape, with threat actors using a wide range of tactics." With the rise of AI technology and the evolving tactics of threat actors in 2023, the situation is expected to worsen in the coming years, making it all the more important for organizations to strengthen the protection of their systems against future cyberattacks.

Cl0p Ransomware Targets Sony, EY, and PwC in MOVEit Transfer Cyberattack

 

The attack, which began earlier this month, could become one of the largest cyberattacks in history. Its victims include public- and private-sector entities in the United States, the United Kingdom, and other countries.

Reports suggest that Cl0p, the cybercriminal group behind the attack, claims to hold data from prominent organizations including Sony and the leading accountancy firms EY and PwC. In a statement, Cl0p warned that it has approximately 120GB of PwC data, which it may release if its demands are not met.

Cl0p, however, denies holding any data from government agencies, saying its focus is solely on extorting private companies for financial gain. On its blog the group states that it receives numerous emails about government data but promptly deletes such information, as its motives are monetary rather than political.

Typically, ransomware groups deny possessing sensitive government information, especially if they believe that holding such data would invite closer scrutiny from law enforcement agencies.

Notable organizations affected by the vulnerability in MOVEit Transfer, a widely used secure file transfer product, include British Airways, the BBC, and Boots. All three told their staff that their data may have been compromised following a breach at the payroll provider Zellis, which each of them uses.

In an email exchange with the BBC, Cl0p denied holding any data from Zellis and said it had told Zellis as much. The group asserts a longstanding policy of truthfulness: if it says it does not have certain data, it genuinely does not possess it.

The hackers reportedly set a deadline of 14 June for affected companies to pay a ransom, failing which their data would be published online. No data has been leaked so far, however, which raises the possibility that other cybercriminals may also be exploiting the MOVEit Transfer vulnerability.

The vendor, Progress Software, disclosed the vulnerability on 31 May, but no other hacker group has publicly claimed to have stolen data through it.