CySecurity News - Latest Information Security and Hacking Incidents: Clop Ransomware

Account Theft Clop Ransomware Cyberattacks CyberCrime Cybersecurity malware Microsoft Microsoft Teams

Ransomware Access Broker Leverages Microsoft Teams Titles for Account Theft

A Microsoft warning has been issued about a new phishing campaign which is being undertaken by one of its first-level access brokers. This campaign uses Teams messages as lures to sneak into corporate networks to collect sensitive data.

Under the control of Google's Threat Intelligence team, the cluster has been named Storm-0324, and it is closely monitored either under the name TA543 or Sigrid, as well as under the alias Storm-0324. Security researchers at Microsoft have noticed that the financially motivated group Storm-0324 has started using Teams to target potential victims, which they believe is a means of gaining easy access to their computer systems.

As a payload distributor within the cybercriminal economy, Storm-0324 offers a service that is aimed at providing evasive infection chains as a means of propagating various payloads that are used in the manifestation of systems. There are a variety of types of malware that have been identified in this study, including downloaders, banking trojans, ransomware, as well as modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.

This actor has used decoy emails referencing invoices and payments in the past to trick users into downloading SharePoint-hosted ZIP archive files with JSSLoader, a malware loader able to profile and load additional payloads on infected machines.

In the past, he has used similar decoy email messages to trick users into downloading these files. It seems that Microsoft has assigned a temporary name, Storm-0324, to this particular threat actor before gaining clarity about the origin or identity of the individual behind the operation, and this suggests that Microsoft is not fully confident about the origin or identity of this particular threat actor.

After Storm-0324 successfully compromised corporate networks with the use of JSSLoader, Gozi and Nymaim, the notorious cybercrime gang FIN7 was able to gain access to their systems. FIN7 has been observed deploying the Clop ransomware on the networks of its victims.

It is also known as Sangria Tempest and ELBRUS. Before the now-defunct BlackMatter and DarkSide ransomware-as-a-service (Raas) operations took place, the ransomware was also known to be linked to Maze and REvil ransomware.

Storm-0324 is also a malware distributor that distributes payloads for other malware authors, according to Microsoft. This group employs evasive tactics and uses payment and invoice lures to lure victims into their traps. It has been proven that the gang has distributed malware for FIN7 and Cl0p, both well-known Russian cybercrime gangs.

It has been discovered that Storm-0324 is responsible for spreading phishing scams over Teams. Cybercriminals employ TeamsPhisher to scale up the mission of phishing, which allows tenants of Teams to attach files to messages that are sent to external tenants.

Attackers send victims links that lead them to malicious SharePoint-hosted files. The Microsoft Teams vulnerability causing these attacks was previously said by Microsoft to have not met the requirements for immediate remediation.

Enterprise administrators can minimize this risk by modifying security settings so that only certain domains are allowed to communicate with their employees, or by making it impossible for tenants to contact their employees outside their premises.

Furthermore, Microsoft explains that it has made several improvements to protect itself from such threats and to improve its defences against them. They have also enhanced the Accept/Block experience within Teams' one-to-one chats, in addition to suspending accounts and tenants whose behaviour is deemed inauthentic or fraudulent.

In this manner, Teams users are reminded that the externality of a user and their email address is important so that they are more careful in interacting with unknown or malicious senders and do not interact with those users. In addition, there has been an enhancement to the notification feature for tenant admins when new domains are created in their tenants, which allows them to monitor if any new domains are created on their tenant's premises.

It is believed that the group is leveraging previously compromised Microsoft 365 instances, most of which belong to small businesses, in their phishing attacks to create new domains that look as if they are technical support accounts for small businesses.

These individuals are then persuaded by the group to approve the multi-factor authentication prompts initiated by the attacker through Teams messages. A new onmicrosoft.com subdomain is established using compromised instances that have been renamed and used to set up the new instance.

Microsoft 365 uses the onmicrosoft.com domain name as a fallback if there is no custom domain created by the user. To provide credibility to the technical support-themed messages that are sent out as a lure by attackers, they often use security terms or product-specific names in these subdomain names.

Specifically, the goal is to target users who have been set up to utilize passwordless authentication on their accounts or have obtained credentials for accounts that they have previously acquired credentials for. During the authentication process, the user is required to enter a code displayed on the screen of their mobile device into the prompt in Microsoft Authenticator, which is displayed during the authentication process.

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer



 

Ransomware Gang

Clop Ransomware Clop Ransomware Gang Cyber Attacks MOVEit NCC Group Ransomware Gang

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer

According to numerous threat intelligence reports, this July, Clop had been the reason for about one-third, executing financially-motivated, placing the financially driven threat actor to emerge as the most active ransomware threat actor this summer.

The ransomware gang’s mass exploit of a zero-day vulnerability in the MOVEit file transfer service has now made it to the top of the ransomware threat actor hierarchy.

Emsisoft and KonBriefing Research traceked Clop’s activities, noting that till now, the threat actor has compromised more than 730 organizations in the course of its campaign.

In July, Clop had been responsible for 171 out of the 502 ransomware attacks reported by NCC Group, the firm confirmed. NCC Group added, Clop's actions are most likely to blame for a 16% overall rise in ransomware assaults from the preceding month. NCC and Flashpoint further noted that clop was the threat actor behind for at least twice as many attacks as Lockbit, its next-closest rival, in illegal ransomware activity in July.

“Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe[…]This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Hull said. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement.

These instances eventually indicate that the impact of Clop's attacks against companies in highly sensitive and regulated industries is enormous, as is the possible exposure. It is still not clear as of how many victims are actually downstream.

Some other instances of Clop’s threat activities include Colorado State University, which was hit six times, in six different ways. Also, the ransomware’s target include three of the big four accounting firms – Deloitte, Ernst & Young and PwC – consequently putting their sensitive customer data in high risk.

Security in the Software Sector: Lessons Learned from the MOVEit Mass Hack



 

Vulnerabilities and Exploits

BBA Clop Ransomware Cyberattacks CyberCrime Cybersecurity malware MOVEit Ransom Ransomware Software Security Technical Security Vulnerabilities and Exploits

Security in the Software Sector: Lessons Learned from the MOVEit Mass Hack

MOVEit's mass hack into its system will likely be remembered as one of the most damaging cyberattacks in history, and it is expected to make history.

An exploit in Progress Software's MOVEit managed file transfer service was exploited by hackers to gain access to customers' sensitive data through SQL commands injected into the system. The MOVEit service is used by thousands of organizations to secure the transfer of large amounts of sensitive files.

There was a zero-day vulnerability exploited in the attack, which meant Progress was not aware of the flaw and was not able to patch it in time, which essentially left Progress' customers without any defence from the attack.

There has been a public listing of alleged victims of the hacks started by the Russia-linked Clop ransomware group since June 14, the group that claimed responsibility for the hacks. Banks, hospitals, hotels, energy giants, and others are all included in the growing list of companies affected, part of a campaign being conducted in an attempt to pressure victims into paying ransom demands so that their information will not be breached online.

The company Clop announced in a blog post this week that it will release the "secrets and data" of all victims of MOVEit who refused to negotiate with Clop on August 15. There had been similar hacks targeting the file-transfer tools of Fortra and Acellion earlier in the year as well; it was unlikely that this was Clop's first mass hack.

The latest Emsisoft statistics indicate that more than 40 million people have been affected by the MOVEit hack, according to Emsisoft's latest statistics. Since the hacks started almost a year ago, those numbers have continued to increase almost daily.

"Without being able to assess the depth and scope of the damage, at this point, there is no way to make an informed guess," Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. "We do not yet know how many organizations were affected and what data was compromised.”

There is no doubt that around a third of those known victims have been affected by third parties, and others are impacted by vendors, subcontractors, and other third parties. According to him, because of this complexity, it's very likely that some organizations that may have been affected aren't aware that they have been affected, and that's what makes it so irreparable.

While this hack had an unprecedented impact because of its scale, its methodology isn't new and there's nothing innovative about the way it was executed. In recent years, supply chain attacks have become more prevalent as a result of zero-day flaws being exploited by adversaries, and one exploit can potentially affect hundreds if not thousands, of customers due to the potential for the release of a zero-day vulnerability.

Taking action now to prevent the threat of a mass hack should be as critical for organizations as anything else they can do.

Recovering From the Disaster

When you have been the victim of a hack, it may seem like the damage has already been done and there is no way to recover from it. Even though it can take months or years to recover from an incident like this, and many organizations are likely to be affected by it, they need to act quickly to understand not only which type of data was compromised, but also their possible violations of compliance standards or laws governing data privacy.

Demands For Ransom

"Supply-chain attacks" are what is referred to as the hack in question. Initially, the news was announced in November last year when Progress Software revealed hackers had managed to infiltrate its MOVEit Transfer tool using a backdoor.

In an attempt to gain access to the accounts of several companies, hackers exploited a security flaw in the software. Even organizations that do not use MOVEit themselves are affected by third-party arrangements because they do not even use MOVEit themselves.

It has been understood by the company that uses Zellis that eight companies are affected, many of them airline companies such as British Airways and Aer Lingus, as well as retailers like Boots that use Zellis. It is thought that MOVEit is also used by a slew of other UK companies.

A hacker group linked to the ransomware group Clop has been blamed for the hack. It is believed to be based out of Russia, but the hackers could be anywhere. As a consequence, they have threatened to publish data of companies that have not emailed them by Wednesday, which is the deadline for beginning negotiations.

As the BBC's chief cyber correspondent Joe Tidy pointed out, the group has a reputation for carrying out its threats, and organizations in the next few weeks may find their private information published on the gang's dark website.

The information told me that there is a high probability that if a victim does not appear on Clop's website then they may have signed up for a ransom payment by the group in which they may have secretly paid it, which can range from hundreds of thousands to millions of dollars.

The victims are always advised not to pay to prevent the growth of this criminal enterprise as paying can fuel the growth of this malicious enterprise, and there is no guarantee that the hackers will not use the data for a secondary attack.

When such a massive breach like MOVEit Mass Hack occurs, it is highly challenging to recover data from such an event, which requires meticulous efforts to identify the extent of the compromised data, and any potential compliance violations, as well as violations of local privacy laws.

Many articles warn that paying ransom demands is not a guarantee that a cybercriminal will not come after you in the future, and will not perpetuate the criminal enterprise. MOVEit Mass Hack can be viewed as an example of a cautionary tale about the software sector that shouldn't be overlooked. A key aspect of this report is the emphasis it places on cybersecurity strategies and supply-chain vigilance so that the effects of cyber threats can be mitigated as quickly as possible.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection



 

zero Day vulnerability

CLOP Clop Ransomware Data Evade Detection Extortion MOVEit Ransom Ransomware Safety Security zero Day vulnerability

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks.

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public.

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg.

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia.

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims.

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Clop Attacks: More Organizations Confirm to have Fallen Prey to MOVEit Mass-hack



 

Uofl Health

CIOp MOVEit Attacks CLOP Clop Ransomware Cyber Attacks Dark Web Dark Web leak sites Data Leak Jones Lang LaSalle Mass-hack MOVEit Raddison Hotels Americas TomTom Uofl Health

Clop Attacks: More Organizations Confirm to have Fallen Prey to MOVEit Mass-hack

As the ongoing MOVEit hack is getting exposed, their seems to be some new names that have fallen prey to the attack. These organizations involve hotel chain Radisson, U.S. based 1st Source Bank, real estate giant Jones Lang LaSalle and Dutch GPS company TomTom.

Numerous victims have already fallen victim to the Clop ransomware gang, responsible for the widespread data raids that targeted corporate customers of Progress Software's MOVEit file-transfer program.

Radisson Hotels Americas

One of the recently known victim organizations is the Radisson Hotels Americas. The international hotel chain has more than 1,100 locations, which is now appearing on the Clop dark web leak sites following the attack.

Spokesperson, Moe Rama of Choice Hotels’ (which acquired Radisson Hotels Group in 2022), says that a “limited number of guest records were accessed by hackers exploiting the MOVEit Transfer vulnerability, but declined to say how many guests had been affected.”

Jones Lang LaSalle

Jones Lang LaSalle, the U.S. based real estate giant, also claims to have suffered a data breach as a result of the cyberattack. According to a source with the knowledge of the incidents informs that the company informed its employee about the attack via emails. The emails says that all the employee data had been compromised, except the Social Security numbers. Apparently, the data breach affected all of the organization’s 43,000 employees.

“We were notified by MOVEit of a previously unknown security vulnerability in their software. Our immediate investigation detected unauthorized access to a limited number of files; we contained the malicious activity and patched our systems per vendor-provided instructions,” said JLL spokesperson Allison Heraty.

“Our priority has been to communicate directly with those impacted as well as all relevant authorities, which we have done,” she added. One of the first MOVEit victims to be identified by Clop, 1st Source Bank, disclosed in a regulatory filing on Monday that hackers gained access to "sensitive client data of commercial and individual clients, including personally identifiable information."

In a statement, the bank says, “The company has notified and is working with its commercial clients so impacted and is in the process now of identifying and directly notifying individual clients who have been impacted.”

Uofl Health

After appearing on Clop's dark web leak site, UofL Health, an academic health system with headquarters in Kentucky, acknowledged that it had been the subject of the hacks. However, UofL Health did not confirm if data had been accessed.

“Recently, the United States government confirmed that multiple federal agencies had been affected by cyberattacks which exploited a security vulnerability in a popular file transfer tool called MOVEit[…]Unfortunately, a small number of UofL Health medical practices used this software to transfer files to third party vendors," said UofL Health spokesperson David McArthur. “Upon learning of this event, UofL Health immediately took action and is now working with a forensic IT agency to determine the scope of the matter. The security of normal operations at UofL Health hospitals, medical centers, and physician offices has not been jeopardized.”

TomTom

On Tuesday, Dutch navigation giant TomTom also confirmed to have been fallen victims of Clop. “We at TomTom were immediately aware of a data breach that occurred on our vendor’s platform, MOVEit, last month,” said TomTom spokesperson Ivo Bökkerink. “We have taken all necessary safety and security measures to protect the data, and we have informed the relevant authorities,” the company stated. However, it has not been made clear of what data (if any) was stolen.

Following the recent disclosure, several other companies came forward, confirming to have fallen prey to the Clop cyberattacks. Some of them include German investment bank Deutsche Bank, the University of Colorado, the University of Illinois, diagnostics company Realm IDX, and New York-based biopharmaceutical firm Bristol Myers Squibb.

Moreover, there are many other organizations that appeared on Clop’s dark web leak site. However, they did not provide any official statement over the issue. These companies include an electronics maker, a global technology company, a corporate travel management giant and a human resources software maker.

With this, MOVEit hackers have claimed almost 270 victims organizations as of yet, impacting no less than 17 million individuals, as per the latest report by Emsisoft threat analyst Brett Callow.

PwC Caught in the Crossfire: Australian Fallout from Major Cyber Breach Deepens



 

PwC

Australia CIop MOVEit Attack CLOP Clop Ransomware Cyber Security PwC

PwC Caught in the Crossfire: Australian Fallout from Major Cyber Breach Deepens

There has been a severe scandal going on at the accounting firm PwC over the past few weeks involving a tax scam and the company was dealt another blow as Russian hackers have just managed to steal sensitive information.

It has come to the attention of PwC that a notable cyber breach has so far affected 267 Australian companies, and would also have a significant impact on many more corporations from other countries. In a recent attack on popular file-sharing software, cybercriminals with Russian connections broke into the system, which resulted in new high-profile attacks on the system.

During the last week of May, clop, a cybercrime group, made its first attempt to break into the MOVEit file-sharing service. The company had begun the theft of data from various institutions, including agencies of the US federal government, Shell, the BBC, and many others. As more and more companies reveal that they have been targeted by the data breach, which has affected rival consultancy EY as well, this breach is expected to grow much larger by the day.

The cybercrime group reportedly obtained client data after hacking third-party software called MOVEit, which PwC used to transfer confidential information.

The hackers, who have executed two other global attacks in the last three years, have told companies to pay a ransom or have their files released online. “Pay attention to avoid extraordinary measures that may negatively impact your company,” Clop’s website reads. On Monday, PwC Australia confirmed it had used the software for a “limited number” of its clients, adding to its woes stemming from the Collins tax scandal.

PwC said its initial investigations showed that the company’s internal IT network had not been compromised. The cyberattack on MOVEit had a limited impact on PwC.

The firm had determined its own IT network had not been compromised, saying the breach was likely to have a "limited impact." PwC has reached out to the businesses whose files were affected and is discussing the next steps. The spokesman added that data security remained a "key priority" for the firm and that it was continuing to put "the right resources and safeguards in place" to protect its network and data.

Although the company appears to have escaped significant harm, the revelation comes at a poor time as it battles to regain governments' trust following the leaking of confidential tax information.

Former PwC partner Peter Collins allegedly distributed documents describing the government's tax plans to other staff at the firm. This led to his registration termination with the Tax Practitioners Board. It also caused a slew of governments and their agencies to terminate agreements with the company.

Clop demanded large ransoms for data return, but senior US officials have reportedly said no such demands have been made to federal agencies. It remains to be seen if the group will seek money from either of the Australian firms caught up in the breach. Progress, the company that created and maintains MOVEit software, patched the vulnerability within 48 hours. It also said it was aiding affected clients and had drafted in some of the world's best cybersecurity firms to assist with its response.

In the face of a cybersecurity crisis that has hit Australia, PwC finds itself at the forefront, bracing for the expanding fallout. This incident serves as a stark reminder of the urgent need for robust cybersecurity measures and collaboration between organizations and government agencies.

As the nation grapples with the aftermath, it becomes crucial for stakeholders to fortify their cybersecurity strategies, invest in advanced technologies, and enhance incident response capabilities. Australia must come together to address the immediate challenges and lay the groundwork for a more resilient and secure digital future.

Government Agencies are Compromised by Russian Ransomware



 

Russian Ransomware

CISA Clop Ransomware Cyberattacks CyberCrime Cybersecurity malware Russian Ransomware

Government Agencies are Compromised by Russian Ransomware

Several federal agencies, including the Department of Energy and several others, have been hacked by a Russian cyber-extortion gang. However, Homeland Security officials warned Thursday that the impact would not be very significant. The hack of a popular file-transfer program popular with corporations and governments involved the Russian cyber-extortion gang.

While the hack was beginning to appear to have some serious consequences for some of the hundreds of possible victims - including patrons of at least two state motor vehicle agencies as well as several individuals in the industry - the incident began to cause some concern.

As the director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, explained to reporters, this hacking campaign, compared to the meticulous, stealthy SolarWinds hack blamed on state-backed Russian intelligence agents, was relatively short and superficial. It was quickly caught in the act.

Easterly explained that these intrusions are not being used as a means of gaining broad access, gaining persistent access, or stealing specific high-value data. As far as they can tell, the attack is mainly opportunistic and has no other purpose.

CISA officials told a senior reporter that neither the U.S. military nor the U.S. intelligence community had been affected by the hack. Two Energy Department entities were affected. A spokesperson for the agency, Chad Smith, did not provide further details about the incident.

There are so far several organizations affected by this scam such as the Louisiana Department of Motor Vehicles, the Oregon Department of Transportation, the Nova Scotia Provincial Government, British Airways, the British Broadcasting Company, and the United Kingdom drugstore chain Boots.

The exploited program, MOVEit, is widely used by businesses to securely share files. Security experts say that includes sensitive financial and insurance data.

Louisiana officials said Thursday that people with a driver’s license or vehicle registration in the state likely had their personal information exposed including their name, address, Social Security number, and birthdate. They encouraged Louisiana residents to freeze their credit to guard against identity theft.

The Oregon Department of Transportation confirmed Thursday that the attackers accessed some personal information and some other sensitive data. This was for about 3.5 million people to whom state-issued identity cards or driver’s licenses.

The Clop ransomware syndicate behind the hack announced last week on its dark website that its victims, who it suggested numbered in the hundreds, had until Wednesday to contact them to negotiate a ransom or risk having sensitive stolen data dumped online.

The gang, among the world’s most prolific cybercrime syndicates, also claimed it would delete data stolen from governments, cities, and police departments.

The senior CISA official told reporters a “small number” of federal agencies were hit — declining to name them — and said, “This is not a widespread campaign affecting a large number of federal agencies.” The official, speaking on condition of anonymity to discuss the breach, said no federal agencies had received extortion demands and no data from an affected federal agency had been leaked online by Clop.

U.S. officials “have no evidence of coordination between Clop and the Russian government,” the official added.

The breach of the Energy Department and other federal agencies by a Russian ransomware gang underscores the persistent and evolving threats posed by cybercriminals to national security and critical infrastructure. This incident serves as a stark reminder that the fight against cybercrime is an ongoing battle that requires constant vigilance and investment in robust cybersecurity measures. By prioritizing proactive defense strategies, collaboration, and international cooperation, we can work towards a safer and more secure digital environment for all.

According to the official, there are no indications that Clop and the Russian government are coordinating, according to U.S. officials.

An attack by a Russian ransomware gang that has breached the US Department of Energy and other federal agencies makes it evident that cybercriminals will continue to pose a persistent and evolving threat to national security and critical infrastructure in the coming years. Whether it is a cyberattack or an incident of identity theft, a cybercrime at any point in time is a persistent problem that requires constant vigilance and committed investment in effective cybersecurity measures. The key to creating a safer and more secure digital environment for us all is to implement proactive defense strategies, collaborate and cooperate internationally in a concerted effort.

Oil Industry Giant Shell Under Siege: Clop Group's Ransomware Attack Exposes Vulnerabilities



 

Zellis

Clop Ransomware Cyberattacks CyberCrime Cybersecurity Daily Telegraph Shell Vulnerabilities and Exploits Zellis

Oil Industry Giant Shell Under Siege: Clop Group's Ransomware Attack Exposes Vulnerabilities

A zero-day vulnerability in MOVEit software has been exploited by the Clop ransomware attack that targets Oil and Gas giant Shell and has been used to mount the attack. Threat actors have been actively exploiting the vulnerability, identified as CVE-2023-34362, to steal data from organizations throughout the world. This is to gain access to sensitive information. Shell is investigating this security breach to determine whether it affected the company's core information technology systems or not.

The Clop gang has targeted Shell's file transfer service for the second time since being infiltrated by the Clop gang in 2013. They broke into the company's global network of more than 80,000 employees and reported revenues of $381 billion.

It has been reported that Shell US spokesperson Anna Arata has been informed that a cyber security incident has affected a third-party software program from Progress called MOVEit Transfer, which is used by some Shell employees and customers. Arata stated that "so far, there has been no evidence that damage has occurred to Shell's core information systems." In addition, she mentioned that Shell's IT teams are trying to identify any risks and take the appropriate action to manage them.

In Rapid7's investigation undertaken on May 31, the experts discovered that approximately 2,500 instances of MOVEit Transfer were publicly accessible online. A large number of them were located in the United States. Currently, there are 127 installations in the UK, and the number is rising.

Hundreds of people in the United Kingdom have been affected by Clop's MOVEit hack. There are many victims in this attack, including the international broadcaster BBC, the airlines British Airways and Aer Lingus, the retail pharmacy Boots, and even the agency that regulates the country's communication system, Ofcom.

Even though Shell and Ofcom appear to use limited settings of the MOVEit tool, they do seem to be significantly less affected by the breach.

As a result of the attack, Ofcom has announced that a certain amount of confidential information about companies whose activities it regulates has been downloaded, but some of it is confidential. The Ofcom also performed a data download on 412 Ofcom employees who had been affected by the breach.

In another episode of Clop's ongoing ransomware campaign, the UK's regulator for communication, Ofcom, has been targeted by the attack. The hack of payroll services provider Zellis is known to have caused yet another data breach to make the headlines in recent months.

As part of its payroll processing services provided by Zellis, the company used a personalized MOVEit Transfer instance to exchange files with tens of different companies via the payroll processor. Accordingly, a lot of companies would likely be affected by this change.

The Daily Telegraph reported that Transport for London had warned up to 13,000 drivers that their data had been stolen in the incident. It said that up to half of the drivers' data may have been breached. Several contractors in the city operated the city's congestion charges and parking charges schemes as a consequence of the incident.

A BBC report stated that professional services firm EY was also impacted by the crisis. The exact nature of the Zellis account can not be ascertained, or if EY used MOVEit Transfer directly instead of Zellis. Two Zellis users - the BBC and British Airways - have confirmed to me that their whole payroll systems may have been compromised as their data may have been hacked.

A gang of hackers called Clop targeted Shell for the first time in 2021 when they hacked Accellion's file transfer appliance. This was part of a scheme to extort companies using the appliance. Threatening the leak of sensitive information that had been stolen was the method used to achieve this.

There was a widespread impact on more than 100 organizations worldwide as a result of the attack on Accellion, including numerous American universities and Bombardier, a Canadian aerospace company.

In April of this year, Clop exploited a vulnerability in the Fortra product GoAnywhere file transfer product, which could be exploited by third parties. According to the group, the system enabled them to steal data from more than 130 companies, governments, and organizations for extortion. They used the stolen data to extort money.

There has been a second vulnerability in Progress' operating system affecting the popular MOVEit tool. This vulnerability was announced last week by the company that develops the software. There have been several announcements recently about breaches caused by program problems.

In an attempt to extort ransom money from Shell, a prominent name in the oil industry, a ransomware attack was recently launched by Clop, a group that is associated with the NSA. The incident has brought to light the vulnerability that exists within the company's information security infrastructure and has exposed several vulnerabilities.

Regardless of how big or how well-known an organization is, cyber threats can pose an existential threat to any organization regardless of size or reputation. As a result of the attack, the oil industry needs to strengthen its cybersecurity procedures and develop proactive risk management strategies that will protect them from potential threats. This incident can be seen as a lesson for Shell and the rest of the industry to strengthen their digital defenses. This will prevent future cyberattacks from affecting critical operations.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for

Popular Posts

Pages

Ransomware Access Broker Leverages Microsoft Teams Titles for Account Theft

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer