Shell Confirms MOVEit-based Hack After the Threat Group Leaks Data


The Cl0p ransomware gang has exploited a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, acquiring data from at least 130 companies that had been using the solution. At least 15 million people are thought to have been affected so far.

Cl0p, the Russia-based cybercrime gang, has now started to expose the victim organizations that have refused to negotiate with it. The victims' names have apparently been posted on its leak website, with Shell being the first company to be revealed.

Following the leak, Shell confirmed being affected by the MOVEit attack. In a statement published on Wednesday, the company clarified that the MFT software was “used by a small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” it added.

Shell confirmed the incident only after the Cl0p hacking gang disclosed files allegedly taken from the company. The fact that the group made 23 archive files with the label "part1" public may indicate that they have access to more information.

Following this disclosure, the ransomware gang added that it had done so because the company refused to negotiate.

However, it is not yet clear exactly what information has been compromised, although the firm confirmed that it has informed the affected individuals.

Moreover, toll-free phone numbers have been made available to employees in Malaysia, South Africa, Singapore, the Philippines, the UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and the Netherlands, indicating that the affected individuals are most likely from these countries.

Since no file-encrypting software was used in the attack, Shell noted that "this was not a ransomware event" and that there is no proof that any other IT systems were impacted.

It is worth mentioning that this is not the first time Shell has been targeted by the Cl0p group: in 2020 the threat actors targeted the company's Accellion file transfer service. The company noted that during that hack the attackers stole personal and corporate data.

Some of the other notable companies targeted via the latest MOVEit exploit include Siemens Energy, Schneider Electric, UCLA, and EY.

Some government organizations have also confirmed that they were impacted by the hack, while the ransomware group claims to have deleted all the data acquired from such entities.

Clop Claims to Have Hacked 130 Organizations

It is now reported that the Clop ransomware group, recently noted for its Linux variant, has used a zero-day vulnerability in the GoAnywhere MFT file transfer tool to break into what it claims are hundreds of organizations, boosting its reputation by claiming to have stolen data from them.

Attackers can exploit a vulnerability in GoAnywhere MFT to execute code remotely without first authenticating to the GoAnywhere MFT administration console or the application itself; in other words, it is a pre-authentication remote code execution flaw. It affects instances whose administrative console is exposed to the Internet. The vulnerability has been assigned CVE-2023-0669. The gang is estimated to have carried out over 50 hacks.

With GoAnywhere MFT, organizations can share files with their business partners efficiently while maintaining security; the system also records who accessed shared files and who made changes. Fortra (formerly known as HelpSystems), the company behind the tool, also develops the popular and widespread Cobalt Strike tool, intended for penetration testers and red teams and focused on post-exploitation techniques.

It was reported on Friday that up to 56 victims had been compromised in the previous 24 hours by the Clop ransomware group, according to cybersecurity analyst and security researcher Dominic Alvieri.

There are plenty of other companies and organizations in the business world on the list, including British multinational conglomerate Virgin's rewards club, Virgin Red, the city of Toronto, Rio Tinto, Rubrik, Axis Bank, Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, the U.K.'s Pension Protection Fund, Pluralsight, and Munich RE. 

GoAnywhere MFT mentioned in a statement that "On March 24, the hacker group Clop announced on the darknet that sensitive Atos data was compromised. We want to reassure our clients, suppliers, and employees that this is not the case. Atos IT systems have not been affected by ransomware."

According to a report by the Clop group, the group stole data from over 130 organizations over 10 days after exploiting CVE-2023-0669.

By gaining access to admin consoles exposed to the internet, the group could remotely execute code on unpatched GoAnywhere MFT instances.

The group claims its operators moved laterally between networks and deployed ransomware payloads to encrypt victims' systems.

However, it is possible that it only stole documents stored on compromised GoAnywhere MFT servers.

For the attackers, the vulnerability could also serve as an entry point into victims' networks, and the unpatched flaw could be used to deploy extortion payloads. It is important to note that the attackers stole sensitive documents from compromised GoAnywhere MFT servers.

The ransomware group provided no proof or details about the origin of the attack, the date on which it began, or evidence of what it did. Nor did the group disclose how much ransom it demanded or whether or not extortion of the victims had begun.

Fortra, the developer of GoAnywhere MFT, disclosed that the vulnerability is being actively exploited.

CISA added the GoAnywhere MFT bug to its Known Exploited Vulnerabilities Catalog on March 3, ordering federal agencies to update their systems by that date.
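As an added example (not from this post, CISA or Fortra), the following Python script shows how a defender turns a KEV listing like the one above into a patching priority: it matches a constructed asset inventory against a feed sample in the shape of CISA's KEV JSON and flags entries whose remediation due date has already passed. The field names follow the real KEV feed; the hostnames, the second CVE id and the entry values are constructed placeholders, and only CVE-2023-0669 comes from the page.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (real field names;
# entry values are illustrative and only the GoAnywhere CVE is from the page).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-0669", "vendorProject": "Fortra",
     "product": "GoAnywhere MFT", "dueDate": "2023-03-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001",  # placeholder id, not a real CVE
     "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dueDate": "2023-03-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: hostname -> CVEs a scanner reported as unpatched.
INVENTORY = {
    "mft-01.example.internal": ["CVE-2023-0669"],
    "web-02.example.internal": ["CVE-0000-0001", "CVE-0000-0002"],
}


def load_kev(feed_json):
    """Index a KEV-format feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev, today):
    """Return (host, cve, overdue, ransomware_use) for every inventory CVE
    that appears in KEV, worst first: overdue and ransomware-linked entries
    sort to the top. CVEs absent from KEV are skipped here; they remain
    findings, but carry no KEV deadline."""
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            overdue = date.fromisoformat(entry["dueDate"]) < today
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            hits.append((host, cve, overdue, ransomware))
    hits.sort(key=lambda h: (h[2], h[3]), reverse=True)
    return hits


def run_sample():
    """Triage the constructed inventory as of a constructed date after March 3."""
    return triage(INVENTORY, load_kev(KEV_SAMPLE), date(2023, 3, 10))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```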

It is therefore worrying that Clop has opportunistically exploited a vulnerability in GoAnywhere MFT to cause such damage. To protect their systems going forward, organizations should avoid paying ransoms, maintain backups, and take a layered approach to securing their systems.