
File-Sharing Tools Under Attack: What Users Need to Know

 


A serious flaw has been found in three widely used file-sharing tools, putting several organizations at risk of security breaches. The three tools affected, LexiCom, VLTransfer, and Harmony, are all developed by Cleo, a company focused on managed file transfer (MFT) solutions. Experts have warned that the flaw could be exploited and urged users to take preventive measures immediately.


The Vulnerability and Its Impact

This vulnerability, identified as CVE-2024-50623, allows unrestricted file uploads and downloads, which can let attackers execute malicious code remotely. Huntress, a cybersecurity firm, reported that the flaw has already been exploited, with at least 24 businesses confirmed as compromised, including companies in logistics, consumer products, and food supply.

Although Cleo issued a patch in October 2024, Huntress believes the update does not fully fix the flaw, leaving even patched systems exposed to attackers. According to Shodan, a search engine that indexes internet-connected devices, hundreds of vulnerable servers running Cleo's tools are reachable online, most of them located in the United States.


What Is Happening After Exploitation?

Once the vulnerability has been exploited, attackers are engaging in activities that might reflect data theft or other malicious activities. According to Huntress, the motives of the hackers are unknown and no data breaches have so far been confirmed. But from the available evidence, files may have been accessed or stolen with huge risks to the organizations affected.


Cleo's Response and Recommended Actions

Cleo has acknowledged the vulnerability and is currently working on an improved fix. In the meantime, the company advises users to secure their systems by placing file-sharing tools behind a firewall. This added layer of protection can help minimize exposure to attackers until a robust patch is released.


A Broader Issue in File-Sharing Security

This is not the first time MFT tools have been hit by serious security flaws. In 2023, a Russian ransomware group exploited a similar vulnerability in MOVEit, another MFT solution, to steal sensitive data from numerous organizations worldwide. These incidents highlight the growing risks associated with such tools and the need for stronger security measures around them.

Users of file-sharing tools need to be watchful and prioritize cybersecurity. Regular application of updates, use of firewalls, and monitoring for unusual activity can help minimize the exploitation risk. Since file-sharing is an integral part of modern business operations, it is essential that these tools are secure in order to protect sensitive information.
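The advice above to "monitor for unusual activity" is easier to act on with a concrete check. The following Python script is an added example, not code from this blog, Cleo, or Fortra: it runs three simple detections over an MFT server's access log: requests to the administration console from outside an internal management network (the exposed-admin-console scenario that also features in the GoAnywhere MFT incidents described further down this page), unauthenticated or path-escaping uploads of executable content, and bursts of downloads from one client. The log format, the sample lines, the allowlisted network, the file-extension list and the burst threshold are all constructed assumptions for illustration and do not describe any real product's log layout or any real incident.

```python
"""Anomaly checks over a managed file transfer (MFT) access log.

Constructed example: the log format is invented for illustration and is not the
format of any Cleo or Fortra product. Each line is:
    <ISO timestamp> <client_ip> <user or "-"> <action> <path> <bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
2024-12-10T09:00:01Z 203.0.113.7 - GET /admin/login 512
2024-12-10T09:00:02Z 203.0.113.7 - POST /upload/../webapps/shell.jsp 20480
2024-12-10T09:00:05Z 203.0.113.7 - GET /download/finance/q3.xlsx 1048576
2024-12-10T09:00:06Z 203.0.113.7 - GET /download/finance/q4.xlsx 2097152
2024-12-10T09:00:07Z 203.0.113.7 - GET /download/hr/payroll.csv 524288
2024-12-10T09:00:08Z 203.0.113.7 - GET /download/hr/contracts.zip 8388608
2024-12-10T09:00:09Z 203.0.113.7 - GET /download/legal/nda.pdf 262144
2024-12-10T09:00:10Z 203.0.113.7 - GET /download/legal/merger.docx 131072
2024-12-10T09:05:00Z 10.0.5.12 alice POST /upload/partners/invoice.pdf 40960
2024-12-10T09:06:00Z 10.0.5.12 alice GET /download/partners/ack.pdf 8192
"""

# Assumptions for this example: the management network allowed to reach the admin
# console, file types that should never land in the upload area, and a download
# burst threshold (requests per client within a sliding window).
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8")]
ADMIN_PREFIX = "/admin/"
EXECUTABLE_SUFFIXES = (".jsp", ".jspx", ".war", ".exe", ".dll", ".ps1", ".sh")
BURST_COUNT = 5
BURST_WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Split one constructed log line into a typed event dictionary."""
    ts, ip, user, action, path, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip_address(ip),
        "user": None if user == "-" else user,
        "action": action,
        "path": path,
        "bytes": int(size),
    }


def analyze(log_text):
    """Return a list of (finding_kind, client_ip, detail) tuples."""
    findings = []
    downloads = defaultdict(list)   # client ip -> timestamps of recent downloads
    burst_reported = set()          # clients already reported for a burst
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ip = str(ev["ip"])
        # 1. Admin console reached from outside the management network.
        if ev["path"].startswith(ADMIN_PREFIX) and not any(ev["ip"] in net for net in ADMIN_ALLOWLIST):
            findings.append(("admin_console_external", ip, ev["path"]))
        # 2. Uploads that are unauthenticated, escape the upload root, or drop executable content.
        if ev["action"] == "POST" and ev["path"].startswith("/upload/"):
            if ev["user"] is None or "/../" in ev["path"] or ev["path"].lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(("suspicious_upload", ip, ev["path"]))
        # 3. Download bursts: many files pulled by one client inside the window.
        if ev["action"] == "GET" and ev["path"].startswith("/download/"):
            stamps = downloads[ev["ip"]]
            stamps.append(ev["ts"])
            while stamps and ev["ts"] - stamps[0] > BURST_WINDOW:
                stamps.pop(0)           # drop timestamps that fell out of the window
            if len(stamps) >= BURST_COUNT and ev["ip"] not in burst_reported:
                burst_reported.add(ev["ip"])
                findings.append(("download_burst", ip, f"{len(stamps)} downloads within {BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {client:15} {detail}")
```

Against the constructed sample the script reports three findings for the external client and none for the authenticated internal user. In practice the allowlist and thresholds would be tuned to the environment, and the admin-console check is only a safety net: the page's primary advice still stands, which is to keep the console off the Internet entirely.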




Shell Confirms MOVEit-based Hack After the Threat Group Leaks Data


The Cl0p ransomware gang has exploited a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, acquiring data from at least 130 companies that had been using the solution. At least 15 million people are thought to have been affected so far.

Cl0p, the Russia-based cybercrime gang, has now started to expose victim organizations that refused to negotiate with its demands. The victims' names are being published on its leak website, with Shell being the first company to be revealed.

Following the leak, Shell confirmed being affected by the MOVEit attack. In a statement published on Wednesday, the company clarified that the MFT software was “used by a small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” it added.

Shell confirmed the incident only after the Cl0p hacking gang disclosed files allegedly taken from the company. The fact that the group made 23 archive files with the label "part1" public may indicate that they have access to more information.

Following this disclosure, the ransomware gang stated that it leaked the files because the company refused to negotiate.

However, it is not yet clear exactly what information has been compromised, although the firm confirmed that it has informed the affected individuals.

Moreover, toll-free phone numbers have been made available to employees in Malaysia, South Africa, Singapore, the Philippines, the UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, which indicates that the affected individuals are most likely based in these countries.

Since no file-encrypting software was used in the attack, Shell noted that "this was not a ransomware event" and that there is no proof that any other IT systems were impacted.

It is worth mentioning that this was not the first time Shell has been targeted by the Cl0p group: in 2020 the threat actors targeted the company's Accellion file transfer service. The company noted that during that hack the attackers stole personal and corporate data.

Other notable companies targeted through the latest MOVEit exploit include Siemens Energy, Schneider Electric, UCLA, and EY.

Some government organizations have also confirmed that they were impacted by the hack, while the ransomware group claims to have deleted all the data acquired from such entities.

Clop Claims to Have Hacked 130 Organizations

 


The Clop ransomware group, which recently became known for a Linux variant of its ransomware, is reported to have used a zero-day vulnerability in the GoAnywhere MFT file transfer tool, and it claims to have stolen data from hundreds of organizations, a claim that also serves to boost its reputation.

Attackers can exploit a vulnerability in GoAnywhere MFT to execute code remotely without first authenticating to the GoAnywhere MFT administration console or the application itself. The flaw is a pre-authentication remote code execution vulnerability and affects deployments whose administrative console is exposed to the Internet. 
It has been assigned the identifier CVE-2023-0669. It is estimated that the gang has carried out over 50 hacks. 

 
With GoAnywhere MFT, organizations can share files with their business partners while maintaining security, and the system records who accessed the shared files and who made changes. Fortra (formerly known as HelpSystems), the company behind this tool, also develops the popular and widespread Cobalt Strike tool, intended for penetration testers and red teams and focused on post-exploitation techniques. 

It was reported on Friday that up to 56 victims had been compromised in the last 24 hours by the Clop ransomware group. This was according to cybersecurity analyst and security researcher Dominic Alvieri. 

There are plenty of other companies and organizations in the business world on the list, including British multinational conglomerate Virgin's rewards club, Virgin Red, the city of Toronto, Rio Tinto, Rubrik, Axis Bank, Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, the U.K.'s Pension Protection Fund, Pluralsight, and Munich RE. 

GoAnywhere MFT mentioned in a statement that "On March 24, the hacker group Clop announced on the darknet that sensitive Atos data was compromised. We want to reassure our clients, suppliers, and employees that this is not the case. Atos IT systems have not been affected by ransomware."

In its own statement, the Clop group claims to have stolen data from over 130 organizations over 10 days after exploiting CVE-2023-0669.

By reaching administration consoles exposed to the internet, the group could remotely execute code on unpatched GoAnywhere MFT instances. 

The group claims it then moved laterally within victims' networks and deployed ransomware payloads to encrypt systems. 

However, it is also possible that the group only stole documents stored on the compromised GoAnywhere MFT servers.

The unpatched vulnerability could have served attackers both as an entry point into victims' networks and as a way to deploy extortion payloads. What is established is that sensitive documents were stolen from compromised GoAnywhere MFT servers. 

The ransomware group provided no proof or details about the origin of the attack, the date on which it began, or evidence of what it did. It also declined to disclose how much ransom it demanded and whether or not any victims engaged with the extortion demands. 

Fortra, the developer of GoAnywhere MFT, disclosed that the vulnerability was being actively exploited. 

CISA added the GoAnywhere MFT bug to its Known Exploited Vulnerabilities Catalog on March 3, ordering federal agencies to update their systems by that date. 

It is worrying that Clop has opportunistically exploited a vulnerability in GoAnywhere MFT to cause this much damage. To protect their systems going forward, organizations should avoid paying ransoms, maintain reliable backups, and take a layered approach to securing their systems.