Showing posts with label Clop Ransomware.

Ransomware Access Broker Leverages Microsoft Teams Titles for Account Theft

 


Microsoft has warned of a new phishing campaign run by an initial access broker it tracks as Storm-0324. The campaign uses Microsoft Teams messages as lures to get into corporate networks and steal sensitive data. 

Microsoft tracks the cluster under the temporary name Storm-0324; other vendors track overlapping activity as TA543 and Sagrid. Microsoft's researchers observed that the financially motivated group has started using Teams to deliver its lures, which they assess is a way of gaining easy initial access to victims' systems. 

Storm-0324 operates as a payload distributor in the cybercriminal economy: it sells evasive infection chains that deliver other actors' payloads onto compromised systems. Payloads seen in its chains include downloaders, banking trojans, ransomware and modular toolkits, among them Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab and JSSLoader. 

In the past the actor has used decoy emails referencing invoices and payments to trick users into downloading SharePoint-hosted ZIP archives containing JSSLoader, a malware loader that profiles an infected machine and loads additional payloads onto it.

The Storm-#### naming is Microsoft's convention for emerging clusters whose origin or identity has not yet been established, so the temporary name Storm-0324 signals that Microsoft is not yet confident about who is behind the operation. 

After Storm-0324 compromised corporate networks with JSSLoader, Gozi or Nymaim, it handed that access to the cybercrime group FIN7, which has been observed deploying Clop ransomware on victims' networks. 

FIN7 is also tracked as Sangria Tempest and ELBRUS. Before its involvement with the now-defunct BlackMatter and DarkSide ransomware-as-a-service (RaaS) operations, the group had also been linked to Maze and REvil ransomware. 

Microsoft describes Storm-0324 as a distributor of other malware authors' payloads. The group relies on evasive infection chains and on payment and invoice lures, and has distributed malware on behalf of both FIN7 and Clop, two well-known Russian cybercrime gangs. 

Storm-0324 has now been seen delivering its phishing lures over Teams. To do so at scale the actor uses TeamsPhisher, an open-source tool that lets a Teams tenant attach files to messages sent to users in external tenants, something Teams normally prevents. 

The messages carry links to malicious SharePoint-hosted files. Microsoft had earlier said that the Teams weakness TeamsPhisher abuses did not meet its bar for immediate servicing. 

Enterprise administrators can reduce this risk by restricting external access in Teams so that only allow-listed domains can message their users, or by disabling external access to their tenant altogether.
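As an added example of the mitigation above (this is not code from the original post or from Microsoft), the following PowerShell replaces open Teams federation with an explicit allow-list using the MicrosoftTeams module. The partner domain names are placeholders, and the commands assume a Teams administrator role:

```powershell
# Added example, not from the original post or Microsoft. Replaces open Teams
# federation with an explicit allow-list so that only named partner tenants can
# start chats with your users. Requires the MicrosoftTeams PowerShell module and
# a Teams administrator role; "partner-a.example" and "partner-b.example" are
# placeholder domains.
Connect-MicrosoftTeams

# Record the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

# Option A: disable external access entirely (strongest, but breaks legitimate
# business-to-business chat). Uncomment to use.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option B: keep federation on but restrict it to an allow-list. An attacker's
# freshly created *.onmicrosoft.com tenant is not on the list, so it cannot
# message your users.
$patterns = 'partner-a.example', 'partner-b.example' |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Also block chats from personal (consumer) Teams accounts, another unmanaged
# source of external messages.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false

# Verify the allow-list is in place.
Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowedDomains
```

Option B only has effect while `AllowFederatedUsers` stays `$true`; if it is set to `$false` the allow-list is ignored and all external access is off. Existing chats with domains not on the list stop working, so pilot the change in a test tenant first.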

Microsoft says it has also made several product changes to defend customers against this class of threat: it has suspended accounts and tenants associated with inauthentic or fraudulent behaviour, and it has enhanced the Accept/Block experience in Teams one-on-one chats. 

That change makes a user's external status and email address more prominent, so recipients are more cautious about unknown or malicious senders and less likely to interact with them. Microsoft has also enhanced the notifications tenant admins receive when new domains are created in their tenant, so that unexpected domain additions can be spotted. 

The group is believed to use previously compromised Microsoft 365 tenants, most of them belonging to small businesses, to create new domains that pose as technical support accounts. 

Targets are then persuaded, through Teams messages, to approve multi-factor authentication prompts that the attacker initiates. The attacker renames a compromised tenant and adds a new onmicrosoft.com subdomain to it for this purpose. 

onmicrosoft.com is the default domain Microsoft 365 assigns to a tenant that has not configured a custom domain. To lend credibility to the technical-support-themed lures, the attackers choose subdomain names containing security terms or product names. 

The lure specifically targets users whose accounts are configured for passwordless authentication, or for whom the attacker has already obtained credentials. During sign-in the user is asked to enter the number shown in the sign-in prompt into Microsoft Authenticator on their mobile device, and the Teams message exists to talk them through that step so the attacker's sign-in completes.
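Added example (not from the original post or from Microsoft) of a triage heuristic for the naming pattern just described: it flags external senders whose tenant is a bare onmicrosoft.com subdomain built from support or security vocabulary. The term list and the sample sender addresses are constructed for illustration; legitimate small businesses do use such names, so treat a hit as a reason to look closer rather than as proof of malice.

```powershell
# Added example, not from the original post or Microsoft. Flags external Teams
# senders whose tenant is a bare *.onmicrosoft.com subdomain that contains
# support/security vocabulary, the lure naming pattern described above.
# The term list is an assumption; tune it to what your users would trust.
$LureTerms = @('support', 'helpdesk', 'security', 'identity',
               'protection', 'microsoft', 'msft', 'admin', 'notification')

function Test-SuspiciousTeamsSender {
    param([Parameter(Mandatory)][string]$Upn)

    $parts = $Upn -split '@', 2
    if ($parts.Count -ne 2) {
        return [pscustomobject]@{ Upn = $Upn; Suspicious = $false; Reason = 'not a UPN' }
    }
    $domain = $parts[1].ToLowerInvariant()

    # Only bare onmicrosoft.com tenants are in scope here; senders on custom
    # domains are governed by the tenant's external-access allow-list instead.
    if ($domain -notmatch '^(?<tenant>[a-z0-9-]+)\.onmicrosoft\.com$') {
        return [pscustomobject]@{ Upn = $Upn; Suspicious = $false; Reason = 'custom domain' }
    }
    $tenant = $Matches['tenant']

    # Substring match so both "msftsecurity" and "msft-security" are caught.
    $hits = @($LureTerms | Where-Object { $tenant -like "*$_*" })

    $reason = if ($hits.Count -gt 0) {
        "tenant '$tenant' uses lure terms: $($hits -join ', ')"
    } else {
        'no lure terms'
    }
    [pscustomobject]@{ Upn = $Upn; Suspicious = ($hits.Count -gt 0); Reason = $reason }
}

# Constructed sample senders (not real accounts) to exercise the check.
$samples = @(
    'helpdesk@msft-security-support.onmicrosoft.com',
    'alerts@identityprotection.onmicrosoft.com',
    'bob@northwindtraders.onmicrosoft.com',
    'jane.doe@contoso.com'
)
$samples | ForEach-Object { Test-SuspiciousTeamsSender -Upn $_ } | Format-Table -AutoSize
```

The first two constructed senders are flagged (their tenants contain "msft", "security", "support" and "identity", "protection"); the third is a bare onmicrosoft.com tenant with no lure vocabulary and the fourth is on a custom domain, so neither is flagged. Feed it the sender UPNs from Teams audit or message-trace exports to find the accounts worth reviewing.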

MOVEit Attacks Make Clop the Most Active Ransomware Threat Actor This Summer


According to several threat intelligence reports, Clop was responsible for roughly one third of the ransomware attacks recorded in July, making the financially motivated group the most active ransomware threat actor of the summer.

Its mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer software has put the gang at the top of the ransomware threat actor rankings.

Emsisoft and KonBriefing Research have been tracking Clop's activity and report that the actor has compromised more than 730 organizations in the course of the campaign to date.

NCC Group confirmed that Clop was responsible for 171 of the 502 ransomware attacks it recorded in July, and said Clop's activity was most likely behind the 16% month-on-month rise in ransomware attacks. NCC Group and Flashpoint both noted that Clop carried out at least twice as many attacks in July as LockBit, its nearest rival.

Matt Hull, global head of threat intelligence at NCC Group, said in a statement: “Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe [...] This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment. Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”

Together these figures show how large the impact of Clop's attacks on companies in sensitive and regulated industries is, and how large the potential exposure. How many downstream victims there are remains unclear. 

Other examples of Clop's activity include Colorado State University, which was hit six times through six different routes, and three of the big four accounting firms, Deloitte, Ernst & Young and PwC, putting their sensitive client data at high risk.  

Security in the Software Sector: Lessons Learned from the MOVEit Mass Hack

 


The MOVEit mass hack will likely be remembered as one of the most damaging cyberattacks in history. 

Hackers exploited a SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer product to reach customers' sensitive data. Thousands of organizations use MOVEit to transfer large volumes of sensitive files securely. 

The flaw was a zero-day: Progress did not know about it and so could not patch it before it was exploited, which left its customers with no defence against the initial attacks. 

Since June 14 the Russia-linked Clop ransomware group, which claimed responsibility for the hacks, has been publicly listing alleged victims. The growing list includes banks, hospitals, hotels and energy giants, and the listing is part of a campaign to pressure victims into paying so that their data is not leaked online. 

In a blog post this week Clop announced that it would release the “secrets and data” of every MOVEit victim that had not negotiated with it by August 15. This was not Clop's first mass hack: it ran a similar campaign against Fortra's GoAnywhere file transfer tool earlier this year, and against Accellion's FTA before that. 

Emsisoft's latest figures indicate that more than 40 million people have been affected by the MOVEit hack, and the count has risen almost daily since the hacks began in late May. 

"Without being able to assess the depth and scope of the damage, at this point, there is no way to make an informed guess," Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. "We do not yet know how many organizations were affected and what data was compromised.” 

Around a third of the known victims were compromised through a third party, such as a vendor or subcontractor, rather than through their own MOVEit instance. Because of that complexity, Callow said, it is likely that some affected organizations do not yet know they have been affected, which is part of what makes the damage so hard to contain. 

While the scale of this hack was unprecedented, its methodology was not new. Supply chain attacks have become more common in recent years precisely because a single zero-day in a widely used product lets an adversary reach hundreds or even thousands of that product's customers with one exploit. 

Preparing for a mass hack of this kind should be as high a priority for organizations as any other defensive measure. 

Recovering From the Disaster 


When an organization has been hacked it may feel that the damage is already done. Recovery can take months or years, and many organizations will be affected by this incident, but they need to act quickly to establish which data was compromised and whether the incident puts them in breach of compliance standards or data privacy laws. 

Demands For Ransom


"Supply-chain attacks" are what is referred to as the hack in question. Initially, the news was announced in November last year when Progress Software revealed hackers had managed to infiltrate its MOVEit Transfer tool using a backdoor. 

In an attempt to gain access to the accounts of several companies, hackers exploited a security flaw in the software. Even organizations that do not use MOVEit themselves are affected by third-party arrangements because they do not even use MOVEit themselves. 

Payroll provider Zellis, which used MOVEit, has said that eight of its customers are affected, among them the airlines British Airways and Aer Lingus and the retailer Boots. Many other UK companies are also thought to use MOVEit. 

The hack has been attributed to a group linked to the Clop ransomware operation, which is believed to be based in Russia, although its members could be anywhere. The group has threatened to publish data from companies that have not emailed it by Wednesday, its deadline for opening negotiations. 

As the BBC's cyber correspondent Joe Tidy has pointed out, the group has a track record of carrying out its threats, and organizations may find their private information published on the gang's dark web site in the coming weeks. 

It is also likely that some victims that do not appear on Clop's site have quietly paid a ransom, which can range from hundreds of thousands to millions of dollars. 

Victims are always advised not to pay: payment fuels the growth of the criminal enterprise, and there is no guarantee that the hackers will not keep the data and use it in a later attack. 

Recovering from a breach on the scale of the MOVEit mass hack is hard, and requires careful work to establish the extent of the compromised data and any resulting compliance or privacy-law violations. 

Paying a ransom is no guarantee that the criminals will not come after you again, and it perpetuates their business. The MOVEit mass hack is a cautionary tale for the software sector that should not be overlooked, and above all a lesson in supply-chain vigilance, so that the effects of such attacks can be contained as quickly as possible.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

 

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

Nevertheless, the use of a Tor site for data leakage had limitations due to sluggish download speeds, which curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group set up clear web sites to release stolen data from some of the MOVEit victims. Those sites, however, were easy for authorities and companies to take down. In response, the group has turned to torrents as a new method for disseminating the stolen MOVEit data.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Clop Attacks: More Organizations Confirm to have Fallen Prey to MOVEit Mass-hack


As the MOVEit hack continues to unfold, new names are emerging among the victims, including the hotel chain Radisson, U.S.-based 1st Source Bank, real estate giant Jones Lang LaSalle and the Dutch navigation company TomTom.

They join the many organizations already hit by the Clop ransomware gang, which is responsible for the widespread data raids on corporate customers of Progress Software's MOVEit file transfer program.

Radisson Hotels Americas

Radisson Hotels Americas, an international hotel chain with more than 1,100 locations, is among the recently identified victims and now appears on Clop's dark web leak site.

Moe Rama, a spokesperson for Choice Hotels (which acquired Radisson Hotels Group in 2022), said that a “limited number of guest records” were accessed by hackers exploiting the MOVEit Transfer vulnerability, but declined to say how many guests were affected.

Jones Lang LaSalle

Jones Lang LaSalle, the U.S.-based real estate giant, has also confirmed a data breach resulting from the attack. According to a source with knowledge of the incident, the company told employees by email that all employee data except Social Security numbers had been compromised, and the breach appears to affect all of the organization’s 43,000 employees.

“We were notified by MOVEit of a previously unknown security vulnerability in their software. Our immediate investigation detected unauthorized access to a limited number of files; we contained the malicious activity and patched our systems per vendor-provided instructions,” said JLL spokesperson Allison Heraty.

“Our priority has been to communicate directly with those impacted as well as all relevant authorities, which we have done,” she added.

1st Source Bank, one of the first MOVEit victims to be identified by Clop, disclosed in a regulatory filing on Monday that hackers gained access to "sensitive client data of commercial and individual clients, including personally identifiable information."

In a statement, the bank says, “The company has notified and is working with its commercial clients so impacted and is in the process now of identifying and directly notifying individual clients who have been impacted.”

UofL Health

UofL Health, an academic health system headquartered in Kentucky, acknowledged that it had been affected by the hacks after appearing on Clop's dark web leak site, but did not confirm whether any data had been accessed.

“Recently, the United States government confirmed that multiple federal agencies had been affected by cyberattacks which exploited a security vulnerability in a popular file transfer tool called MOVEit[…]Unfortunately, a small number of UofL Health medical practices used this software to transfer files to third party vendors," said UofL Health spokesperson David McArthur. “Upon learning of this event, UofL Health immediately took action and is now working with a forensic IT agency to determine the scope of the matter. The security of normal operations at UofL Health hospitals, medical centers, and physician offices has not been jeopardized.”

TomTom

On Tuesday the Dutch navigation giant TomTom also confirmed that it had fallen victim to Clop. “We at TomTom were immediately aware of a data breach that occurred on our vendor’s platform, MOVEit, last month,” said TomTom spokesperson Ivo Bökkerink. “We have taken all necessary safety and security measures to protect the data, and we have informed the relevant authorities.” The company has not said what data, if any, was stolen.

Following these disclosures, several other companies confirmed that they had been hit by Clop, including the German bank Deutsche Bank, the University of Colorado, the University of Illinois, diagnostics company Realm IDX and the New York-based biopharmaceutical firm Bristol Myers Squibb.

Moreover, there are many other organizations that appeared on Clop’s dark web leak site. However, they did not provide any official statement over the issue. These companies include an electronics maker, a global technology company, a corporate travel management giant and a human resources software maker.

According to the latest count by Emsisoft threat analyst Brett Callow, the MOVEit hackers have claimed almost 270 victim organizations so far, affecting at least 17 million individuals.  

PwC Caught in the Crossfire: Australian Fallout from Major Cyber Breach Deepens

 


The accounting firm PwC, already embroiled in a scandal over leaked government tax information, has been dealt another blow: Russia-linked hackers have stolen sensitive information from the firm. 

PwC has learned that the breach has so far affected 267 Australian companies and is expected to affect many more organizations in other countries. The cybercriminals, who have Russian connections, broke in through a widely used file-sharing product, and the list of high-profile victims keeps growing. 

In the last week of May the cybercrime group Clop began exploiting the MOVEit file-sharing service and stealing data from a range of institutions, including agencies of the US federal government, Shell, the BBC and many others. As more companies disclose that they were hit, among them the rival consultancy EY, the breach is expected to keep growing. 

The cybercrime group reportedly obtained client data after hacking third-party software called MOVEit, which PwC used to transfer confidential information. 

The hackers, who have carried out two other global campaigns of this kind in the last three years, have told companies to pay a ransom or see their files published online. “Pay attention to avoid extraordinary measures that may negatively impact your company,” Clop’s website reads. On Monday PwC Australia confirmed that it had used the software for a “limited number” of its clients, adding to the firm's woes from the Collins tax scandal. 

PwC said its initial investigation showed that the firm's own IT network had not been compromised and that the MOVEit attack was likely to have a "limited impact" on the firm. PwC has contacted the businesses whose files were affected and is discussing next steps with them. A spokesman added that data security remained a "key priority" and that the firm was continuing to put "the right resources and safeguards in place" to protect its network and data.

Although the company appears to have escaped significant harm, the revelation comes at a poor time as it battles to regain governments' trust following the leaking of confidential tax information. 

Former PwC partner Peter Collins allegedly shared documents describing the government's tax plans with other staff at the firm. The Tax Practitioners Board terminated his registration as a result, and a number of governments and their agencies terminated their agreements with the firm. 

Clop has demanded large ransoms in return for the data, but senior US officials have reportedly said no such demands have been made to federal agencies. Whether the group will seek money from either of the Australian firms caught up in the breach remains to be seen. Progress, which develops and maintains MOVEit, patched the vulnerability within 48 hours, and said it was helping affected customers and had brought in some of the world's leading cybersecurity firms to assist with its response. 

PwC now finds itself at the forefront of an expanding cybersecurity incident in Australia. The episode is a reminder that organizations need robust security controls, including scrutiny of the third-party software they use to move sensitive data, and close cooperation with government agencies and with the vendors in their supply chain when an incident of this kind unfolds.

Government Agencies are Compromised by Russian Ransomware

 


Several U.S. federal agencies, including the Department of Energy, have been hacked by a Russian cyber-extortion gang, although Homeland Security officials said on Thursday that the impact did not appear to be significant. The intrusions were part of the gang's exploitation of a file transfer program widely used by corporations and governments.

Even so, the hack was beginning to show serious consequences for some of the hundreds of potential victims, including customers of at least two state motor vehicle agencies and organizations across several industries. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that, compared with the meticulous, stealthy SolarWinds hack blamed on state-backed Russian intelligence, this campaign was short and superficial, and was caught quickly. 

The intrusions were not being used to gain broad or persistent access or to steal specific high-value data, Easterly said; as far as CISA could tell, the attack was largely opportunistic.

A senior CISA official told reporters that neither the U.S. military nor the intelligence community had been affected. Two Energy Department entities were affected; agency spokesperson Chad Smith did not provide further details. 

Organizations known to be affected by the campaign so far include the Louisiana Department of Motor Vehicles, the Oregon Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Corporation and the UK drugstore chain Boots. 

The exploited program, MOVEit, is widely used by businesses to share files securely, including sensitive financial and insurance data, security experts say.

Louisiana officials said Thursday that people with a driver’s license or vehicle registration in the state likely had their personal information exposed including their name, address, Social Security number, and birthdate. They encouraged Louisiana residents to freeze their credit to guard against identity theft. 

The Oregon Department of Transportation confirmed on Thursday that the attackers accessed personal information and other sensitive data for about 3.5 million people who hold state-issued identity cards or driver’s licenses. 

The Clop ransomware syndicate behind the hack announced last week on its dark website that its victims, who it suggested numbered in the hundreds, had until Wednesday to contact them to negotiate a ransom or risk having sensitive stolen data dumped online. 

The gang, among the world’s most prolific cybercrime syndicates, also claimed it would delete data stolen from governments, cities, and police departments.

The senior CISA official told reporters a “small number” of federal agencies were hit — declining to name them — and said, “This is not a widespread campaign affecting a large number of federal agencies.” The official, speaking on condition of anonymity to discuss the breach, said no federal agencies had received extortion demands and no data from an affected federal agency had been leaked online by Clop. 

U.S. officials “have no evidence of coordination between Clop and the Russian government,” the official added. 

The breach of the Energy Department and other federal agencies by a Russian ransomware gang underscores the persistent and evolving threats posed by cybercriminals to national security and critical infrastructure. This incident serves as a stark reminder that the fight against cybercrime is an ongoing battle that requires constant vigilance and investment in robust cybersecurity measures. By prioritizing proactive defense strategies, collaboration, and international cooperation, we can work towards a safer and more secure digital environment for all. 


Oil Industry Giant Shell Under Siege: Clop Group's Ransomware Attack Exposes Vulnerabilities

 


The Clop ransomware gang's attack on the oil and gas giant Shell exploited a zero-day vulnerability in MOVEit Transfer, tracked as CVE-2023-34362, which threat actors have been actively using to steal data from organizations around the world. Shell is investigating whether the breach affected the company's core information technology systems. 

This is the second time Clop has hit Shell through a file transfer service: the company was among the victims of the gang's Accellion FTA campaign in 2021. Shell employs more than 80,000 people worldwide and reported revenues of $381 billion.

Shell US spokesperson Anna Arata said that a cyber security incident had affected MOVEit Transfer, a third-party product from Progress that is used by some Shell employees and customers. "So far, there has been no evidence that damage has occurred to Shell's core information systems," Arata said, adding that Shell's IT teams were working to identify any risks and take appropriate action to manage them.

In an investigation on May 31, Rapid7 found roughly 2,500 MOVEit Transfer instances exposed to the internet, most of them in the United States. There are currently 127 installations in the UK, and the number is rising. 

Hundreds of people in the United Kingdom have been affected by Clop's MOVEit hack. There are many victims in this attack, including the international broadcaster BBC, the airlines British Airways and Aer Lingus, the retail pharmacy Boots, and even the agency that regulates the country's communication system, Ofcom. 

Shell and Ofcom appear to be limited users of the MOVEit tool, and both seem to have been significantly less affected by the breach. 

Ofcom has announced that, as a result of the attack, a limited amount of information about companies whose activities it regulates, some of it confidential, was downloaded, along with personal data of 412 Ofcom employees. 

The UK's communications regulator, Ofcom, is thus another target in Clop's ongoing ransomware campaign. The hack of payroll services provider Zellis is another data breach from the same campaign to have made headlines in recent months. 

As part of its payroll processing services, Zellis used a dedicated MOVEit Transfer instance to exchange files with tens of client companies, so a large number of companies are likely to be affected.

The Daily Telegraph reported that Transport for London had warned up to 13,000 drivers that their data had been stolen in the incident, and that the data of up to half of those drivers may have been breached. The affected drivers are linked to contractors that operate the city's congestion charge and parking charge schemes. 

A BBC report stated that professional services firm EY was also impacted. It is not clear whether EY was affected through a Zellis account or used MOVEit Transfer directly rather than via Zellis. Two Zellis customers, the BBC and British Airways, have confirmed to me that their whole payroll systems may have been compromised, as their data may have been hacked. 

The Clop hacking gang first targeted Shell in 2021, when it hacked Accellion's file transfer appliance as part of a scheme to extort companies that used the appliance by threatening to leak the sensitive information it had stolen. 

There was a widespread impact on more than 100 organizations worldwide as a result of the attack on Accellion, including numerous American universities and Bombardier, a Canadian aerospace company. 

In April of this year, Clop exploited a vulnerability in Fortra's GoAnywhere file transfer product. According to the group, this enabled it to steal data from more than 130 companies, governments, and organizations, which it then used for extortion.

Progress, the company that develops the popular MOVEit tool, announced a second vulnerability in its software last week. Several breaches caused by these product flaws have been announced recently.

The ransomware attack recently launched by Clop, a group that is associated with the NSA, was an attempt to extort ransom money from Shell, a prominent name in the oil industry. The incident has exposed several vulnerabilities within the company's information security infrastructure.

Cyber threats can pose an existential threat to any organization, regardless of its size or reputation. In the wake of the attack, the oil industry needs to strengthen its cybersecurity procedures and develop proactive risk management strategies that protect it from potential threats. The incident is a lesson for Shell and the rest of the industry to strengthen their digital defenses so that future cyberattacks cannot affect critical operations.

Uncovered: Clop Ransomware's Lengthy Zero-Day Testing on the MOVEit Platform

According to recent reports, security experts have uncovered evidence that the notorious Clop ransomware group had been testing zero-day vulnerabilities on the popular MOVEit platform since 2021. The finding has raised considerable concern about the vulnerability of cybersecurity systems, and affected organizations and security agencies have taken urgent action to address these vulnerabilities. The discovery highlights how increasingly sophisticated ransomware attacks have become, and how critical robust defensive measures are for mitigating the full range of cyber threats. 

Authorities are now working closely with the parties affected by the breach to investigate the incident and develop appropriate countermeasures. 

Researchers examined a recent Clop data theft attack aimed at vulnerable MOVEit Transfer instances and found that the technique the group used to deploy the recently revealed LemurLoot web shell matches the technique seen in its earlier probing of vulnerable MOVEit Transfer instances. Using logs from affected clients' networks, they determined which clients had been hit. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory on the active exploitation of a recently discovered critical vulnerability in Progress Software's MOVEit Transfer application, warning that ransomware is being deployed as a result. 

Kroll researchers performed a forensic review of the exploit used by the Clop cybergang and determined that the group may have been experimenting with the now-patched file transfer vulnerability (CVE-2023-34362) as early as July 2021. 

The BBC, British Airways, UK drugstore chain Boots, the Halifax provincial government, and payroll company Zellis are among the organizations that have reported their data being exfiltrated by the group at the end of last month. Three organizations that used Zellis' services to store employee data, Vodafone, the BBC, and Boots, suffered a breach of that employee data. 

The Russian-backed Clop organization, also known as Lace Tempest, TA505, and FIN11, has claimed responsibility for attacks that exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer solution. Over 130 organizations were targeted and over one million patients' data was compromised as a result. 

According to a joint advisory issued by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, the MOVEit Transfer SQL injection exploit seen on Wednesday resembles a 2020-21 campaign in which the group installed the DEWMODE web shell on Accellion FTA servers. 

It has also been discovered that threat actors were testing methods for gathering and extracting sensitive data from compromised MOVEit Transfer servers as far back as April 2022. These methods probably relied on automated tools and may have been used to gain access to servers. 

In addition to the 2022 activity, it is possible that in the weeks leading up to last month's attacks the actors tested access to organizations by automated means, pulled information back from MOVEit Transfer servers, and used that information to determine which organizations they were accessing. 

During the malicious activity, it appeared that specific MOVEit Transfer users' Organization IDs ("Org IDs") were being exfiltrated, which in turn would have allowed Clop to determine which organizations to access. 

Clop has claimed responsibility for the MOVEit attacks on its website, inviting victims to contact it before July 14 if they do not want their names posted on the site. The site also shows examples of exfiltrated data, and of data that has been published after ransom negotiations failed; a ransom deal offers no guarantee that the stolen data would remain private. 

In a LinkedIn post, Charles Carmakal, CEO of Mandiant Consulting, expressed surprise at the number of victims the MOVEit exploitation has produced, characterizing it as "overwhelming."

Zellis Cyberattack: British Airways, Boots and BBC Employee’s Personal Data Exploited


Zellis Cyberattacks Exploiting MOVEit

British Airways (BA), Boots, and BBC have recently been investigating an alleged cyber incident. The attack, apparently carried out by a Russia-based criminal gang, included the theft of the personal data of the companies' employees.

BA confirmed the attack, noting that the hackers targeted software named MOVEit used by Zellis, a payroll provider.

“We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit,” said a British Airways spokesperson.

The affected BA employees were informed about the situation through an email, which read that the compromised data included their names, addresses, national insurance numbers, and banking details, according to The Telegraph which initially reported about the incident. BA further added that the attack has prominently affected the staff who were paid via BA payroll in the UK and Ireland.

Another company affected by the attack, Boots, says that “some of our team members’ personal details” were compromised. The Telegraph reported that the staff members were informed about the attacks, with the stolen data involving their names, surnames, employee numbers, dates of birth, email addresses, the first lines of home addresses, and national insurance numbers.

While a BBC spokesperson has confirmed the attack, the corporation denies that the breach involved any of its staff's bank details.

“We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures,” the spokesperson said.

Microsoft’s Investigation of the Attacks

Microsoft Threat Intelligence, in a tweet on Sunday, attributed the attacks on MOVEit to a threat group called Lace Tempest. The group is known among threat intelligence firms for its ransomware operations and for running "extortion sites" carrying data obtained in attacks that use a ransomware strain called Clop.

Microsoft says “The threat actor has used similar vulnerabilities in the past to steal data and extort victims.”

According to Rafe Pilling, director of Secureworks, a US-based security firm, the attack was probably carried out by an affiliate of the cybercriminal gang behind the Clop ransomware, as well as the connected website alluded to by Microsoft where stolen data is advertised. He adds that a Russian-speaking cybercrime organization was responsible for Clop.

Pilling warns victims that they may be contacted by the hackers in the near future with ransom demands for the stolen data. "Victims will be contacted and if they refuse they will probably be listed and published on the Clop site," he said. Furthermore, a MOVEit spokesperson recently confirmed that the vulnerability exploited by the threat actors has been "corrected".

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures,” they added.  

N.S. Software Breach: Microsoft Blames Ransomware Gang

A recent software breach in Nova Scotia has raised concerns as the extent of the attack remains unknown. Microsoft has identified the ransomware gang known as Clop as the primary culprit behind the breach, highlighting the ever-growing threat of cybercriminals targeting organizations with sophisticated attacks.

The breach specifically targeted the MOVEit software used by the government of Nova Scotia to securely transfer sensitive data. The ransomware gang exploited vulnerabilities in the software to gain unauthorized access and potentially exfiltrate sensitive information. The full extent of the breach is yet to be determined, leaving many questions unanswered about the potential compromise of confidential data.

Microsoft's attribution to the Clop ransomware gang is a significant development, as this group has been responsible for numerous high-profile attacks worldwide. Their modus operandi involves encrypting victims' data and demanding a hefty ransom for its release. If the affected organization refuses to pay, the gang often resorts to leaking the stolen data, causing severe reputational damage.

The Nova Scotia government and IT experts are actively investigating the breach to ascertain the scope and impact. Assessing the potential compromise of sensitive data is crucial to determine the appropriate response and mitigate any further damage. It highlights the urgency for organizations to implement robust cybersecurity measures, including regular software updates and employee training on identifying and preventing phishing attempts.

The incident serves as a stark reminder that no entity is immune to cyber threats, regardless of its size or industry. Ransomware attacks have become increasingly sophisticated, exploiting vulnerabilities in software and human error to gain unauthorized access. It underscores the need for organizations to adopt a proactive approach to cybersecurity, continuously assessing and strengthening their defenses.

In response to the breach, the government of Nova Scotia has taken immediate action, temporarily shutting down the affected system to prevent further unauthorized access and potential data exfiltration. They are working diligently to restore services while ensuring the security and integrity of their data.

The N.S. software breach reinforces the critical importance of collaboration between organizations and technology providers to combat cyber threats effectively. Microsoft's identification of the Clop ransomware gang allows for an enhanced understanding of the attack and facilitates the development of countermeasures to mitigate the impact of future breaches.

As the investigation unfolds, it is imperative for affected individuals and organizations to remain vigilant, monitoring their accounts for any signs of suspicious activity. Additionally, all entities should revisit their cybersecurity strategies, focusing on preventive measures, incident response planning, and employee awareness training to fortify their defenses against evolving cyber threats.

CLOPS Claim to Have Hacked 130 Organizations

The Clop ransomware group, which recently drew attention for its Linux variant, is now reported to have used a zero-day vulnerability in the GoAnywhere MFT file transfer tool to break into hundreds of organizations, and is boosting its reputation by claiming to have stolen data from all of them. 

GoAnywhere MFT contains a pre-authentication remote code execution vulnerability: attackers can execute code remotely without first authenticating to the GoAnywhere MFT administration console or the application itself, in deployments where the administrative console is exposed to the Internet. The vulnerability has been assigned CVE-2023-0669. It is estimated that the gang has committed over 50 hacks. 

GoAnywhere MFT lets organizations share files efficiently with their business partners while maintaining security, and records who accessed the shared files and who made changes. Fortra (formerly known as HelpSystems), the company behind the tool, also develops the popular and widespread Cobalt Strike tool, intended for penetration testers and red teams and focused on adversary simulation and post-exploitation techniques. 

It was reported on Friday that up to 56 victims had been compromised in the last 24 hours by the Clop ransomware group. This was according to cybersecurity analyst and security researcher Dominic Alvieri. 

There are plenty of other companies and organizations in the business world on the list, including British multinational conglomerate Virgin's rewards club, Virgin Red, the city of Toronto, Rio Tinto, Rubrik, Axis Bank, Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, the U.K.'s Pension Protection Fund, Pluralsight, and Munich RE. 

Atos said in a statement that "On March 24, the hacker group Clop announced on the darknet that sensitive Atos data was compromised. We want to reassure our clients, suppliers, and employees that this is not the case. Atos IT systems have not been affected by ransomware."

According to the Clop group's own claims, it stole data from over 130 organizations in the 10 days after it began exploiting CVE-2023-0669.

As a result of the group gaining access to the admin console exposed to the internet, the group could remotely execute code on unpatched GoAnywhere MFT instances. 

The group claims it moved laterally between networks and deployed ransomware payloads to encrypt victims' systems. 

However, there is a possibility that it may have only stolen documents stored on compromised GoAnywhere MFT servers.

The vulnerability could also have been used by the hackers to enter their victims' networks and deploy extortion payloads through the unpatched flaw. What is established is that the thieves stole sensitive documents from compromised GoAnywhere MFT servers. 

The ransomware group provided no proof or information about the origin of the attack, the date on which it began, or evidence of what it had done. It also declined to disclose how much ransom it demanded or whether any victims had entered into negotiations. 

Fortra, the developer of GoAnywhere MFT, disclosed that the vulnerability is being actively exploited. 

CISA added the GoAnywhere MFT bug to its Known and Exploited Vulnerabilities Catalog on March 3, ordering federal agencies to update their systems by that date. 

It is worrying that Clop has opportunistically exploited a vulnerability in GoAnywhere MFT to cause this much damage. To keep systems secure in the future, organizations should avoid paying the ransom, maintain backups to guarantee recovery, and take a layered approach to securing their systems.

Clop Ransomware Flaw Permitted Linux Victims to Restore Files for Months


The first Linux version of the Clop ransomware has been discovered in the wild, but with a flawed encryption algorithm that enables the process to be reverse-engineered. 

"The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.

The cybersecurity firm, which has made a decryptor available, stated that it discovered the ELF version on December 26, 2022, noting similarities to the Windows flavor, which employs the same encryption method. The detected sample is said to be a component of a larger attack targeting educational institutions in Colombia, including La Salle University. According to FalconFeedsio, the university was added to the criminal group's leak site in early January 2023.

The Clop (stylized as Cl0p) ransomware operation, which has been active since 2019, dealt a major blow in June 2021 when six members of the group were arrested by police as part of an international law enforcement operation codenamed Operation Cyclone.

However, the cybercrime group made an "explosive and unexpected" comeback in early 2022, claiming dozens of victims from the industrial and technology sectors. SentinelOne classified the Linux version as an early-stage version due to the absence of some functions found in the Windows counterpart.

This lack of feature parity is also explained by the malware authors' decision to create a custom Linux payload rather than simply porting over the Windows version, implying that future Clop variants may close the gap.

"A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal," Terefos explained.

The Linux version is intended to encrypt specific folders and file types, with the ransomware containing a hard-coded master key that can be used to recover the original files without paying the threat actors. If anything, the development indicates a growing trend of threat actors branching out beyond Windows to target other platforms.

Terefos concluded, "While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward."

UK Water Provider Targeted by Clop Group Ransomware

The UK water supplier, South Staffordshire Water fell prey to a CLOP Ransomware attack. Following the attack, the company released a statement mentioning that the exploit had no effect on the systems that distribute water safely. 

South Staffordshire Water plc, also known as South Staffs Water, is a UK water supply firm that supplies water to a small portion of the West Midlands, Staffordshire, and other nearby counties in England.

Over 1,500 square kilometers in the West Midlands, South Staffordshire, South Derbyshire, North Warwickshire, and North Worcestershire, South Staffordshire provides drinking water to about 1.3 million individuals and 35,000 commercial clients.

The company was able to offer Cambridge Water and South Staffs Water customers safe water because of the security measures in place. Additionally, South Staffordshire Water reassures its clients that all service teams are working normally, negating any possibility of prolonged disruptions as a result of the incident.

Alongside carefully collaborating with the relevant governmental and regulatory agencies, the company is looking into the issue. The supplier's identity was published to the Clop ransomware gang's Tor leak site along with a claim of responsibility for the attack.

The wrong firm extorted by hackers

In a release posted today on its Tor leak site, the Clop ransomware gang stated that Thames Water was its target, claiming to have gained access to SCADA systems that it could control to affect 15 million users.

The hackers contend that they acted appropriately by not encrypting their data and only stealing 5TB from the hacked systems. Further claims have it that they warned Thames Water of its network security flaws. However, after allegedly failing to reach an agreement on the ransom payment, the actors released the first sample of stolen information, which included passport images, screenshots from SCADA systems used for water treatment, driver's license images, etc.

In a statement released today, Thames Water formally refuted these assertions, describing any accusations of Clop breaching its network as "cyber-hoaxes" and stating that its services were operating at full capacity. One telling detail is that, among the published material, Clop offers a table of usernames and passwords that includes the email addresses of South Staffordshire and South Staffs Water.

This incident occurs as eight locations in the UK are enforcing water rationing rules and hosepipe bans because of extreme drought. Due to the extreme pressure that could be placed on water suppliers to pay the demanded ransom, cybercriminals don't choose their victims at random.

For that to happen, however, Clop must direct its threats at the right party, and given the amount of attention the situation has received, it is likely too late for that at this point.

The Clop Ransomware Gang Leaked Sensitive Data from the UK Police


Clop ransomware operators seized confidential information held by the British police, according to the media, and the cybercriminal group targeted the IT firm Dacoll. According to the media, cybercriminals used a phishing attack to compromise the company's systems, which had access to the police national computer. The Mail reported the security breach on December 19, 2021, while the gang released the stolen material on its leak site on the dark web. 

Clop ransomware, a member of the well-known CryptoMix ransomware family, is a nasty file-encrypting virus that deliberately targets unprotected systems and encrypts saved files, appending the .Clop extension. It uses the AES cipher to encrypt images, videos, music, databases, and documents, and attaches the .CLOP or .CIOP file extension, which stops victims from accessing their personal information. For instance, "sample.jpg" is renamed "sample.jpg.Clop." 

Clop virus gets its name from the Russian word "klop," which means "bed bug" — an insect of the genus Cimex that feeds on human blood at night. Clop ransomware is regarded as extremely severe malware due to the virus's ability to infect the majority of operating system versions, including Windows XP, Windows 7, Windows 8, Windows 8.1, and Windows 10. 
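The rename pattern described above (an original file name with .Clop, .CLOP or .CIOP appended) is something a file-integrity monitor or an incident responder triaging a file listing can check for directly. The following is an added example, not code from the original post or from any vendor; it scans a constructed directory listing, recovers the original names of renamed files, and flags directories where the count of renamed files crosses a threshold, which is a useful early signal of mass encryption. The listing, the threshold and the directory paths are assumptions made for the illustration.

```python
"""Detect Clop-style renamed files in a file listing (added example)."""
from collections import Counter
from pathlib import PurePosixPath

# Extensions named in the post; matching is deliberately case-sensitive
# because these are the exact suffixes the malware appends.
CLOP_SUFFIXES = (".Clop", ".CLOP", ".CIOP")


def is_clop_renamed(name: str) -> bool:
    """True if the file name ends with one of the Clop suffixes."""
    return name.endswith(CLOP_SUFFIXES)


def original_name(name: str) -> str:
    """Strip the appended Clop suffix to recover the original file name."""
    for suffix in CLOP_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def scan_listing(paths):
    """Return (renamed, per_dir).

    renamed maps each encrypted path to the path it had before renaming;
    per_dir counts renamed files per parent directory.
    """
    renamed = {}
    per_dir = Counter()
    for path in paths:
        p = PurePosixPath(path)
        if is_clop_renamed(p.name):
            renamed[path] = str(p.with_name(original_name(p.name)))
            per_dir[str(p.parent)] += 1
    return renamed, per_dir


def alert_dirs(per_dir, threshold=3):
    """Directories whose renamed-file count reaches the alert threshold."""
    return sorted(d for d, n in per_dir.items() if n >= threshold)


# Constructed sample listing (hypothetical paths, not real data).
SAMPLE_LISTING = [
    "/srv/share/finance/q1.xlsx.Clop",
    "/srv/share/finance/q2.xlsx.Clop",
    "/srv/share/finance/notes.txt.CLOP",
    "/srv/share/hr/staff.db.CIOP",
    "/srv/share/hr/readme.txt",
    "/home/alice/photo.jpg.Clop",
    "/home/alice/clop_policy.docx",  # contains "clop" but is not renamed
]


def run_sample():
    """Scan the constructed listing and return the triage summary."""
    renamed, per_dir = scan_listing(SAMPLE_LISTING)
    return {
        "renamed_count": len(renamed),
        "originals": renamed,
        "per_dir": dict(per_dir),
        "alerts": alert_dirs(per_dir, threshold=3),
    }


if __name__ == "__main__":
    summary = run_sample()
    print(f"{summary['renamed_count']} renamed files")
    for enc, orig in summary["originals"].items():
        print(f"  {enc}  <-  {orig}")
    print("directories over threshold:", summary["alerts"])
```

The threshold is the tuning knob: a single renamed file may be a stray artifact, whereas several in one directory within a short window is the signature of an encryption run in progress, and pairing this check with file-creation timestamps from the same listing turns it into a timeline for the incident report.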

The security breach occurred in October, when Clop ransomware operators obtained access to Dacoll data, including that of the PNC, which contained personal information and records for 13 million people. Dacoll, while confirming the data breach said, “We can confirm we were the victims of a cyber incident on October 5.”  

“We were able to quickly return to our normal operational levels. The incident was limited to an internal network not linked to any of our clients’ networks or services.” 

“The cyber-criminal gang Clop has released some of the material it plundered from an IT firm that handles access to the police national computer (PNC) on the so-called ‘dark web’ – with the threat of more to follow.” reported the Daily Mail. “Clop is believed to have demanded a ransom from the company, Dacoll, after launching a ‘phishing’ attack in October." 

Dacoll declined to pay and did not reveal the sum of the ransomware gang's demand. Photographs of motorists exfiltrated from the National Automatic Number Plate Recognition (ANPR) system, footage, and close-up images of the faces of drivers who have committed traffic offenses are among the stolen information.

French Authorities Have Detained a Suspect in Case of Money Laundering of €19 Million


This week, French authorities apprehended a suspect under suspicion of laundering more than €19 million ($21.4 million) in ransomware extortion payouts. 

Law enforcement agencies have not revealed the accused's name, identifying him only as a person from the Vaucluse area in southeast France, nor the name of the ransomware organization he worked with. 

The detention comes as law enforcement agencies throughout the world have begun to collaborate on cracking down on ransomware activity, following years of recurrent attacks that have repeatedly disrupted government agencies and private sector organizations. 

This year has seen several crackdowns targeting ransomware gangs, including: 

  • February – The arrest of Egregor/Maze members in Ukraine. 

According to French radio station France Inter, members of the Egregor ransomware cartel were apprehended in Ukraine. Sources in the threat intelligence community had already verified that a law enforcement operation was under way. The Egregor gang, which reportedly began operations in September 2020, follows a Ransomware-as-a-Service (RaaS) model: it rents out access to its ransomware strain but depends on other cybercrime gangs to break into corporate networks and deploy the file-encrypting ransomware. 

  • March – The arrest of a GandCrab affiliate in South Korea. 

The arrest of a 20-year-old accused on allegations of spreading and infecting victims with the GandCrab ransomware was announced by South Korean national police. The accused, whose identity has not been revealed, was a client of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime organization. Police described the suspect as an associate — or a distributor — who operated by obtaining copies of the GandCrab ransomware and spreading them via email to victims around South Korea. 

  • June – The arrest of a group of Ukrainian money launderers who worked with the Clop gang.

Representatives of the Clop ransomware gang, who were apprehended in Ukraine as part of an international law enforcement operation, also provided money-laundering facilities to other cybercrime organizations. The group was involved in both cyber-attacks and "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups, according to cryptocurrency exchange portal Binance. 

  • September – Sanctions against Suex, a Russian crypto-exchange used to process ransomware payments. 

Suex, a cryptocurrency exchange incorporated in the Czech Republic but managed by Russia, was sanctioned by the US Treasury. According to a blockchain analysis company, Suex has assisted ransomware and other cybercrime organizations in laundering more than $160 million in stolen assets. Suex has aided in the processing of ransom payments to gangs like Conti, Ryuk, and Maze.

  • October – The arrest of 12 suspects behind the LockerGoga ransomware. 

According to Europol, twelve members of a ransomware cell were apprehended in Ukraine and Switzerland. The accused are suspected of orchestrating the ransomware attack that damaged Norsk Hydro in 2019, and the organization has been linked to 1,800 ransomware attacks in 71 countries.

  • November – The arrest of a REvil affiliate in Ukraine for the Kaseya attack. 

The US Department of Justice charged a 22-year-old Ukrainian national with coordinating the ransomware assaults against Kaseya servers on July 4th of this year.

  • December – The arrest of a Canadian citizen for the attack against an Alaskan healthcare provider. 

Canadian authorities have jailed an Ottawa resident on suspicion of organizing ransomware attacks on commercial companies and government agencies in Canada and the United States since 2018.

Swire Pacific Offshore Hit by a Ransomware Attack


Swire Pacific Offshore (SPO) reported that it had been the victim of a cyberattack that resulted in the theft of "some confidential proprietary commercial information" as well as personally identifiable information. The details of the incident are unknown; however, there are indications that it was carried out by the CL0P ransomware organization. 

SPO hasn't acknowledged whether or not the attack was ransomware-based; however, CL0P has since updated its blog, alleging that it accessed SPO's servers. 

IT Pro has observed full names, addresses, phone numbers, company names, bank details, email addresses, and passport scans among the stolen data. Employees in Singapore and Malaysia appear to be the most affected; however, some information belonged to employees in the United Kingdom, China, and the Philippines. 

File names referencing payment requests, mailbox backups, random archives, and other individual folders are among all the other files acquired. The business is the Swire conglomerate's marine services section, and it has stated that the hack did not affect its international operations. 

"SPO has taken immediate actions to reinforce existing security measures and to mitigate the potential impact of the incident," it said to IT Pro. 

"It takes a serious view of any cyberattack or illegal accessing of data or any unlawful action that potentially compromises the privacy or confidentiality of data and will not be threatened by such actions. SPO has reported the incident to the relevant authorities and will work closely with them concerning the incident. SPO is contacting potentially affected parties to inform them about the incident." 

SOS Intelligence, a dark web monitoring service, flagged on Wednesday that CL0P's leak blog had added Swire Pacific Offshore to its list of victims. 

CL0P is a prolific ransomware gang responsible for several recent high-profile breaches. Jones Day, Donald Trump's former law firm, was also hit by CL0P in February of this year; sources said documents were stolen and posted online, as in the SPO incident, although the firm denied that it had been compromised. 

CL0P is also suspected of being behind the months-long campaign against Accellion's legacy File Transfer Appliance (FTA) product that came to light in February 2021. Canadian aerospace manufacturer Bombardier was among the most high-profile victims of the campaign, which exploited multiple zero-day vulnerabilities in the ageing product. Months later, global investment bank Morgan Stanley disclosed that personal information belonging to its corporate clients had been stolen in the same Accellion breach.

Beaumont Health: The Latest Victim of Accellion Breach


Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed some 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA), compromising the data of millions of patients. 

Beaumont Health has notified approximately 1,500 patients that their personal information may have been compromised in the December cyberattack on Accellion's software. Beaumont had retained the law firm Goodwin Procter LLP for legal services, and Goodwin used Accellion's FTA to make large file transfers on behalf of its clients. 

Goodwin notified the healthcare provider on February 5 that patient data had been exposed. After the Accellion breach was announced, Goodwin conducted a digital forensics investigation and found that an unknown party had exploited a vulnerability in the application to obtain certain documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” Beaumont Health said in a statement issued on August 27. 

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and that neither Beaumont nor Goodwin had found any indication that the exposed data had been misused. 

On August 27, Goodwin mailed notification letters on Beaumont's behalf to affected individuals at their last known addresses. The letter advises patients on steps they can take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches grows, Accellion is facing more than a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a joint advisory warning organizations about the Accellion FTA compromise. 

The Clop ransomware group claimed responsibility for the campaign, which exploited four previously unknown vulnerabilities in FTA. Among the group's more recent victims are Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Michigan-based Trinity Health notified more than 580,000 patients that their information had been compromised. The stolen data included demographic data, names, medical record numbers, and medical test information. 

Centene also notified more than 1.3 million patients of the Accellion data breach in April. The attackers obtained contact information, dates of birth, insurance ID numbers, and treatment information. 

In a large-scale extortion campaign, Clop published stolen data on its leak site, and some affected companies received emails from the intruders intended to increase the pressure to pay. The number of victims continues to rise months after the initial attack.