Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Clop Ransomware Gang. Show all posts
Zero-day vulnerability
Cleo data breach Clop Ransomware Gang CVE-2024-50623 exploit Data Breach data theft attack ransom payment negotiation Zero-day vulnerability

Clop Ransomware Gang Threatens 66 Companies with Data Leak After Cleo Breach

 

The Clop ransomware gang has intensified its extortion tactics following a data theft attack targeting Cleo software. On its dark web portal, the group revealed that 66 companies have been given 48 hours to meet their ransom demands.

According to Clop, the affected companies are being contacted directly with links to secure chat channels for negotiating ransom payments. Additionally, the hackers have provided email addresses for victims to initiate communication.

A notice on Clop’s data leak site lists partial names of 66 companies that have yet to engage in negotiations. The gang has threatened to reveal the full names of these companies if they continue to ignore the demands, implying that the actual number of affected organizations might be higher.

Clop exploited a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to access data from compromised networks. This attack marks another significant breach for the ransomware group, known for targeting zero-day flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer in previous campaigns.

The vulnerability exploited in the Cleo software, tracked as CVE-2024-50623, allows remote attackers to upload and download files without restriction, enabling remote code execution. A fix is available in Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21, but a private advisory warned that hackers have been leveraging the flaw to open reverse shells on affected networks.

Earlier this month, Huntress publicly disclosed the active exploitation of the vulnerability and warned that the vendor’s fix could be bypassed. The researchers also released a proof-of-concept (PoC) to demonstrate their findings. Days later, Clop confirmed to BleepingComputer that it was behind the exploitation of CVE-2024-50623.

The ransomware group announced it would delete data from previous attacks as it shifts focus to the current wave of extortion.

Macnica researcher Yutaka Sejiyama told BleepingComputer:"Even with the incomplete company names that Clop published on its data leak site, it is possible to identify some of the victims by simply cross-checking the hacker's hints with owners of Cleo servers exposed on the public web."

While the total number of companies affected remains unclear, Cleo states that its software serves over 4,000 organizations worldwide.
Read more »
Ransomware Gang
Clop Ransomware Clop Ransomware Gang Cyber Attacks MOVEit NCC Group Ransomware Gang

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer


According to numerous threat intelligence reports, this July, Clop had been the reason for about one-third, executing financially-motivated, placing the financially driven threat actor to emerge as the most active ransomware threat actor this summer.

The ransomware gang’s mass exploit of a zero-day vulnerability in the MOVEit file transfer service has now made it to the top of the ransomware threat actor hierarchy.

Emsisoft and KonBriefing Research traceked Clop’s activities, noting that till now, the threat actor has compromised more than 730 organizations in the course of its campaign.

In July, Clop had been responsible for 171 out of the 502 ransomware attacks reported by NCC Group, the firm confirmed. NCC Group added, Clop's actions are most likely to blame for a 16% overall rise in ransomware assaults from the preceding month. NCC and Flashpoint further noted that clop was the threat actor behind for at least twice as many attacks as Lockbit, its next-closest rival, in illegal ransomware activity in July.

“Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe[…]This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Hull said. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement.

These instances eventually indicate that the impact of Clop's attacks against companies in highly sensitive and regulated industries is enormous, as is the possible exposure. It is still not clear as of how many victims are actually downstream. 

Some other instances of Clop’s threat activities include Colorado State University, which was hit six times, in six different ways. Also, the ransomware’s target include three of the big four accounting firms – Deloitte, Ernst & Young and PwC – consequently putting their sensitive customer data in high risk.  

Read more »
Securities and Exchange Commission
ALPHV Beauty Brand Beauty Giant attacked BlackCat CLOP Clop Ransomware Gang Cyber Attacks Estée Lauder ransomware attacks Securities and Exchange Commission

Estée Lauder: Cosmetic Brand Amongst the new Victims of Ransomware Attack


On Tuesday, U.S.-based cosmetic brand Estée Lauder Cos. Inc. confirmed to have witnessed a ransomware attack, following which it compromised some of its data and took down some of its systems.

Apparently, ransomware gangs ALPHV/BlackCat claim to have executed the attacks, listing Estée Lauder to their illicit sites on the dark web along with an airline, comms regulator, hard drive storage provider, and others.

Among the attacked victims is the file transfer tool MoveIt, attacked by the massive Clop breach in late May. The data theft has caused disturbance to several entities that used MoveIt services and claim around 378 organizations and 20 million individuals as its victims.

However, it is still not clear if Estée Lauder is one of the victims. The company has not revealed the nature or scope of the data that is compromised, but some screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from Black Cat and Clop claim that the compromised data include ‘customer data.’

Another message by Clop reveals that they have extracted 131 GB of data from the beauty giant. The ransomware gang also condemn the company stating it “doesn't care about its customers, it ignored their security!!!”

Adding to this, the ALPHV/Black Cat screen grab has threatened to expose more data that has been compromised, stating, “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”

A statement from the beauty brand confirmed the attack, where its statement and disclosure with the Securities and Exchange Commission mentions an “unauthorized third party” that managed to “access to some of the company’s systems,” but it did not explain what the attackers hoped to gain or what they demanded if anything.

Estée Lauder added that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” The company is now focusing on “remediation.” It has taken down at least some of its systems and is working with law enforcement to investigate the matter.

In the recent series of ransomware attacks, Estée Lauder has thus joined list with other big names that were a victim, including Walmart, Ikea, McDonald’s, and many others.

Read more »
USA
Clop Ransomware Gang malware MOVEit Transfer USA

Massive Data Breach: Clop Ransomware Gang Targets MOVEit Transfer, Millions of Driver's Licenses at Risk

 

A significant data breach that took place last month has raised concerns about the potential vulnerability of individuals from Louisiana and Oregon, particularly in relation to identity theft and various cyberattacks. Americans residing in these states may face an increased risk of becoming victims to these malicious activities as a result of the breach. 

Recently discovered zero-day vulnerability (CVE-2023-34362) in the widely-used file transfer software MOVEit Transfer has caught the attention of the notorious Clop ransomware gang. They have wasted no time in exploiting this vulnerability. 

Considering the extensive adoption of MOVEit Transfer by major corporations spanning diverse industries such as finance, education, energy, IT, healthcare, and government organizations, the global repercussions of this data breach are already being experienced. 

In light of recent cyberattacks targeting MOVEit Transfer, a file transfer software used by significant entities such as the Louisiana Office of Motor Vehicles (OMV) and the Oregon Driver & Motor Vehicles Services, concerning revelations have emerged. 

Authorities in Louisiana and Oregon have issued warnings, indicating that the Clop ransomware gang managed to acquire a substantial volume of driver's licenses and other state-issued documents through these attacks. 

The breach's scale is estimated to affect millions of individuals in both states. At present, there is no evidence to indicate that the hackers responsible for the breach have made any use of, sold, shared, or released stolen data. 

Surprisingly, the Clop ransomware gang has publicly stated that they have deleted the pilfered government data in a post-breach announcement. However, the certainty of whether or not the group will fulfill its promise to delete the stolen government data remains unknown. 

To safeguard your personal data in the aftermath of the MOVEit data breach, here are important precautions to consider, particularly if you reside in Louisiana or Oregon: 

• Proceed with the assumption of data compromise: Operate under the assumption that your data may have been stolen by the Clop ransomware gang. 

• Stay vigilant with financial monitoring: Regularly review your bank statements, credit card transactions, and credit reports for any signs of a suspicious activity or potential identity theft. 

• Remain cautious of phishing attacks: Be alert to targeted phishing attempts that may leverage the stolen data to deceive you or extract personal information. Exercise caution when interacting with emails, links, and attachments, especially if they seem suspicious. 

• Evaluate identity theft protection services: If you were a subscriber to reputable identity theft protection services before the MOVEit breach, they may offer assistance in recovering your identity and mitigating financial losses resulting from fraud. 

• Enhance security measures: Update passwords for your online accounts regularly, using strong and unique combinations. Whenever possible, enable two-factor authentication to provide an additional layer of security. 

• Exercise discretion with personal information: Be mindful of sharing personal information online and limit it to trusted and secure platforms or organizations. Use discretion when providing sensitive details. 

• Educate yourself about identity theft prevention: Familiarize yourself with best practices for preventing identity theft, such as avoiding the sharing of personal information over unsecured networks, being cautious with social media sharing, and protecting physical documents containing sensitive data. 

• Stay informed through reliable sources: Keep yourself updated on any announcements or updates from relevant authorities or organizations regarding the breach. Rely on trusted sources of information to stay informed about the situation and recommended actions to take. 

Remember, these recommendations provide general guidance, and seeking advice from professionals or relevant authorities based on your specific circumstances is advisable. 

Additionally, it is advisable to read the following articles to gain a better understanding of the Clop ransomware gang and the impact of the attack on MOVEit Transfer software.





Read more »
Ransomware
Clop Ransomware Gang Data Theft malware Ransomware

Companies Targeted by Clop Ransomware Gang Face Extortion of Stolen Data

 

The recent MOVEit data theft attacks have taken a concerning turn as the Clop ransomware gang has started a new extortion strategy against affected companies. They have begun listing the names of targeted companies on a data leak site, which is a common tactic used to pressure organizations into meeting their demands. 

The initial attack on May 27th exploited a zero-day vulnerability in the MOVEit Transfer platform, allowing the hackers to gain unauthorized access and steal files from the server. Now, the stolen data is being used as leverage to extort the companies affected by publicly disclosing their names. This tactic aims to increase the chances of the ransomware gang's demands being met. 

MOVEit, developed by Ipswitch, Inc. (now part of Progress Software), is a managed file transfer software. It ensures file encryption and utilizes secure File Transfer Protocols for automated data transfers. With analytics and failover capabilities, MOVEit has been adopted by numerous organizations, including healthcare institutions like Rochester Hospital and Medibank. It is also widely used in financial services, high technology, and government IT departments. 

What is zero-day vulnerability? 

A zero-day vulnerability refers to a flaw in software or hardware that has been identified without any available patch or fix. In other words, it is a security weakness that is newly discovered and does not have a known solution at the time of its discovery. 

 A zero-day attack consists of three main components: 

Vulnerability: This refers to a flaw in software or hardware that has been discovered by a hacker but is unknown to the developer.

Exploit: An exploit is a tool or malware created by the hacker to take advantage of the vulnerability and carry out the attack. 

Attack: The attack occurs when the hacker utilizes the exploit to exploit the vulnerability, causing damage such as data theft or encryption. 

Clop listed thirteen companies on the dark side 

The Clop threat actors recently listed thirteen companies on their data leak site, but it is unclear whether these are related to the MOVEit Transfer attacks or ransomware encryption attacks. One company, Greenfield CA, has been removed, possibly due to a mistake or ongoing negotiations. Five of the listed companies, including Shell, UnitedHealthcare Student Resources, the University of Georgia, University System of Georgia, Heidelberger Druck, and Landal Greenparks, have confirmed varying degrees of impact from the MOVEit attacks. 

Additionally, several organizations have disclosed data breaches involving the MOVEit Transfer platform. These include Zellis (BBC, Boots, Aer Lingus, and Ireland's HSE through Zellis), the University of Rochester, the government of Nova Scotia, the US states of Missouri and Illinois, BORN Ontario, Ofcam, Extreme Networks, and the American Board of Internal Medicine. 

The situation underscores the importance of robust cybersecurity measures and the need for prompt action in addressing vulnerabilities. Organizations utilizing the MOVEit Transfer platform should take immediate steps to mitigate the risk posed by the zero-day vulnerability. Additionally, affected companies should engage with cybersecurity professionals to assess the extent of the breach and implement measures to minimize further damage.
Read more »
Subscribe to: Posts (Atom)