
Fresh MOVEit Vulnerability Under Active Exploitation: Urgent Updates Needed

 

A newly discovered vulnerability in MOVEit, a popular file transfer tool, is currently under active exploitation, posing serious threats to remote workforces. 

This exploitation highlights the urgent need for organizations to apply patches and updates to safeguard their systems. The vulnerability, identified by Progress, allows attackers to infiltrate MOVEit installations, potentially leading to data breaches and other cyber threats. MOVEit users are strongly advised to update their systems immediately to mitigate these risks. Failure to do so could result in significant data loss and compromised security. Remote workforces are particularly vulnerable due to the decentralized nature of their operations. The exploitation of this bug underscores the critical importance of maintaining robust cybersecurity practices and staying vigilant against emerging threats. 

Organizations should ensure that all systems are up-to-date and continuously monitored for any signs of compromise. In addition to applying patches, cybersecurity experts recommend implementing multi-layered security measures, including firewalls, intrusion detection systems, and regular security audits. Educating employees about the risks and signs of cyber threats is also essential in maintaining a secure remote working environment. The discovery of this MOVEit vulnerability serves as a reminder of the ever-evolving landscape of cybersecurity threats. 

As attackers become more sophisticated, organizations must prioritize proactive measures to protect their data and operations. Regularly updating software, conducting security assessments, and fostering a culture of cybersecurity awareness are key strategies in mitigating the risks associated with such vulnerabilities. 

Organizations must act swiftly to update their systems and implement comprehensive security measures to protect against potential cyberattacks. By staying informed and proactive, businesses can safeguard their remote workforces and ensure the security of their sensitive data.

The 2023 USG Data Breach: 800 Accounts Compromised, A Closer Look


The Breach: Scope and impact 

The University System of Georgia (USG) has notified 800,000 people that their data was exposed in the 2023 Clop MOVEit attacks. USG is a state government body that oversees 26 public colleges and universities in Georgia, serving approximately 340,000 students. The system revealed that the information of 800,000 people was exposed in late May during the Cl0p ransomware operation's mass exploitation of the MOVEit file transfer system. 

Attack Vector: MOVEit file transfer software 

The Clop ransomware group used a zero-day vulnerability in Progress Software's MOVEit Secure File Transfer product in late May 2023 to launch a major global data theft campaign. 

Clop Gang: Data exfiltration and ransom demand 

When the threat group launched its extortion phase in the MOVEit attacks, which affected hundreds of organizations worldwide, USG was one of the first to be identified as hacked. Almost a year later, with the assistance of the FBI and CISA, the USG discovered that Clop had stolen sensitive material from its networks and began informing affected individuals. 

What kind of information was compromised? 

According to the USG notice, the data breach notifications were sent between April 15 and April 17, 2024, telling recipients that the hackers obtained the following information: 

  • Full or partial (last 4 digits) Social Security Number 
  • Date of Birth 
  • Bank account number(s) 
  • Federal income tax documents with Tax ID number 

Russian malware: Clop alert 

The Russian-affiliated ransomware group Clop is suspected of being behind the attacks, which have affected over 2,500 businesses worldwide, with more than 80% situated in the United States. 

The Aftermath: Challenges and Responses 

Because the number of impacted individuals exceeds the number of USG students, and given the nature of the material, the incident is likely to touch former students, academic staff, contractors, and other personnel. 

USG sent a sample of the data breach notice to the Maine Attorney General's Office on Friday, stating that the issue affects 800,000 persons. Notably, the listing on Maine's site mentions a driver's license number or ID card number as exposed data categories, yet these are not listed in the notification. 

Mitigation Efforts

USG now gives impacted persons 12 months of identity protection and fraud detection services through Experian, with an enrollment deadline of July 31, 2024. Clop's MOVEit cyber attacks were among the most effective and widespread extortion campaigns in recent history. 

Almost a year later, companies are still discovering, confirming, and disclosing breaches, extending the impact. Emsisoft's MOVEit victim counter indicates 2,771 impacted companies and approximately 95 million individuals whose personal information is stored on Clop's servers.

June 2023 Review: MOVEit Exploit, UK Government’s AI Leadership Goals, NHS’ Controversial IT Project


June 2023 might have been the most prolific month for the Cl0p ransomware group. Since March, the Russia-based hackers had been exploiting a SQL injection vulnerability in the MOVEit file transfer service, which is frequently used by large organizations. However, it was not until June that the extent of Cl0p's damage became apparent, when cybersecurity firm Rapid7 revealed that some 2,500 instances of exposed data had appeared online.

The incidents kept mounting, with more and more organizations revealing that they had been attacked by Cl0p. On June 5, a cyberattack on Zellis, a payroll business, affected British Airways (BA), the BBC, and Boots. The hack, which at the time was directly connected to exploitation of the MOVEit vulnerability, exposed the personal information of thousands of workers (two days later, BA and the BBC received the standard ransomware demand from Cl0p). As of June 15, First National Bank, Putnam Investments, and 1st Source were among the financial services providers affected, in addition to the oil giant Shell. Though more victims would surface as the year went on, ransom demands seemed to crescendo at the end of the month, with Cl0p naming and shaming Siemens Energy and Schneider Electric as the latest victims of what now appeared to be one of the worst cyberattacks in history.

June was also a memorable month for the UK government's AI goals. On June 8, the government announced its first AI summit, giving world leaders an opportunity to discuss regulation of a technology that many believed had the potential to either improve or destroy the global economy. 

Risk reduction in relation to AI emerged at the top of the agenda. The UK government stated that the summit would discuss risks related to "frontier systems, and discuss how they can be mitigated through internationally coordinated action."

Later that month, the government reaffirmed its commitment to shaping AI safety research by announcing around £50m in additional funding. On June 19, campaign groups Foxglove and the Doctors' Association UK (DAUK) urged the NHS to reevaluate its tender for the Federated Data Platform (FDP), a large IT project intended to connect the disparate data repositories of British health care into a single, cohesive whole.

While better data analysis was a fair aspiration, Foxglove and DAUK noted that the government's strategy for winning over the public to the data collection the project required was noticeably negligent. That mattered all the more, they continued, because Palantir, a US tech company founded by an entrepreneur with a dim view of the NHS, was the prospective winner of the FDP contract (a prediction that later turned out to be true).

Foxglove further noted that its own analysis showed a large share of the public would oppose a project centred on healthcare operations being managed by a private organization. That opposition, it argued, would make it unlikely that the FDP could deliver the insight into the population's health, among other benefits, claimed by its supporters.  

AutoZone Faces Data Breach Headache as MOVEit System Compromised

 


Almost 185,000 individuals have been informed that their personal information was compromised in a recent data breach at the American car parts company AutoZone. Cybercriminals exploited the MOVEit Transfer managed file transfer application to steal sensitive information, including Social Security numbers and other private data. 

There have been no reports so far that the exposed information has been used for fraudulent activity, and AutoZone has assured its customers that there is no evidence the information has been misused. As a precaution, the company is offering complimentary credit monitoring and identity protection services to affected customers. 

AutoZone suffered the breach as part of Clop's attack on the MOVEit file transfer service, in which it lost data belonging to tens of thousands of people. With over 7,140 locations in the U.S., Brazil, Mexico, and Puerto Rico, AutoZone is the country's number one retailer and distributor of automotive spare parts and accessories. 

The company generates approximately 17.5 billion dollars in revenue each year, employs 119,000 people, and receives 35 million monthly visitors to its online shop, according to similarweb.com statistics. "It has come to AutoZone's attention that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain information from an AutoZone system supported by the MOVEit application," the company said in a notice published last week. 

AutoZone determined on or about August 15, 2023, that certain data had been exfiltrated as a result of the exploitation of a vulnerability in the MOVEit application. While the notice does not specify what type of data was stolen, the filing with the Maine Attorney General lists "full names" and "social security numbers." This information is sufficient for identity theft or even wire fraud to occur.  

An archive of 1.1 gigabytes contains employee names, emails, details about parts supplies, tax information, payroll documents, Oracle databases, and much more. Customer data appears to have been spared. AutoZone has been operating for over 7,000 years and employs close to 120,000 people across the US, making it a major retailer of spare car parts. 

Since late May, a staggering number of organizations have been affected by the MOVEit software vulnerability, which is tracked as CVE-2023-34362. According to data collected by Huntress with industry collaborators, there has been no notable further exploitation of the vulnerability since its discovery in late May 2023, as a patch for the vulnerability was available by 31 May 2023.

One might expect a malicious actor holding a working exploit for a high-availability service, one that resists swift patching and is commonly exposed externally, to keep capitalizing on that opportunity. Contrary to this expectation, however, the broader security community observed an initial surge in activity followed by a marked decrease or absence of activity as the calendar moved into June. 

In an update issued on November 21, cybersecurity firm Emsisoft reported that over 2,620 organizations had been impacted by this breach, directly or indirectly, with more than 77 million individuals affected. 

Many US schools and the state of Maine are among the victims on this extensive list, along with big-name energy companies such as Siemens Energy, Schneider Electric, and Shell. In the wake of the MOVEit hack, organizations across many industries and sectors have suffered significant disruptions and financial losses.

The AutoZone breach is a stark reminder that vigilance in the face of ever-evolving threats and robust cybersecurity measures are essential to protecting data. 

For businesses that rely heavily on digital tools and technologies, it is even more crucial to prioritize secure data management, regularly update software, and implement multilayered security protocols to avoid potential data breaches. 

As AutoZone takes action to address this breach, businesses of all sizes should take the opportunity to learn from this incident and strengthen their cybersecurity defences to protect their customers' personal information and prevent future breaches. Doing so means investing in advanced threat detection systems, conducting regular security audits, and training employees in cybersecurity best practices. 

To maintain the trust and confidence of their stakeholders, organizations have to remain vigilant in protecting sensitive data and prioritizing the security of their digital infrastructure as cyber threats grow ever more sophisticated.

Okta Data Breach Highlights Hackers' Untapped Gold Mine


The recent data breach at tech firm Okta has drawn attention to the risks of not protecting a class of data that is rarely given top priority in terms of security: customer service records. 

The help desk system, which is used by some of the largest companies in the world, such as FedEx and Zoom, was accessed by hackers using a stolen password, according to a statement released by Okta on October 20. Okta provides software that other businesses use to manage login accounts. The attack on Okta, which has already cost the company $2 billion in market valuation, has the potential to grow into a more serious issue because this data occasionally contains files that can be used to secretly access the systems of Okta clients.

There are already indications of this happening. On Monday, popular password management company 1Password revealed that hackers had gained access to some parts of Okta's computer network by using data they had taken from the help-desk portal. The company notes that the brief intrusion was limited to a system that manages “employee-facing apps” and that “no 1Password user data was accessed.”

Depending on how they utilize the service and which internal systems they have connected to it, other Okta customers might be at greater risk. Grubhub, Tyson Foods, T-Mobile, the pharmaceutical firm McKesson, the diagnostics company LabCorp, and Main Street merchants like Crate & Barrel and Levi's are among Okta's prime customers.

According to Kyrk Storer, a spokesman for Okta, the hack of the company's help-desk portal impacted about 1% of its more than 18,000 users. These victims have now been notified of the hack, the company confirms.

Supply-chain attacks are cyber breaches that use access to one organization to target that organization's partners, suppliers, or customers. Given the digital connectivity among companies, exploiting a victim's supply chain to reach more targets has become a popular tactic among hackers. In recent years, intrusions into IT management firms like SolarWinds and Kaseya and into the file-transfer software MOVEit had severe global repercussions. 

In most supply-chain attacks, hackers either discover or introduce a weakness in a popular software product, which they then use to access the systems of the firms that employ it. However, there is no evidence that the Okta attack involved software flaws. Instead, the hackers took advantage of extremely private customer support submissions by using login credentials they had obtained from a business that offered secure login software.

Customer service records are frequently mistakenly dismissed as being insignificant and obscure when compared to other types of data that companies maintain. Few organizations place the same emphasis on preserving this data as they do on safeguarding their clients' credit card information. However, a help desk system has an array of information about a business's clients and technological flaws, and the Okta attack indicates that hackers are becoming more aware of this.  

How a File Transfer Flaw Led to the Biggest Hack of 2023


The year 2023 will be remembered as the year of the biggest hack in history. A cyberattack that exploited a vulnerability in a popular file transfer software called MOVEit affected millions of people and hundreds of organizations around the world, exposing sensitive data and disrupting critical operations.

What is MOVEit software?

MOVEit is software that allows users to securely transfer files between different systems and devices. It is widely used by businesses, governments, and individuals for various purposes, such as sharing documents, sending invoices, or backing up data. 

However, in March 2023, security researchers discovered a flaw in MOVEit that allowed hackers to execute arbitrary code on the servers that hosted the software. This flaw, dubbed CVE-2023-1234, was rated as critical and had a score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS).

How did hackers exploit the flaw?

The flaw was reported to Progress Software, the company that owns MOVEit, and a patch was released on March 15, 2023. However, many users did not apply the patch in time, leaving their systems vulnerable to attacks. 

Hackers took advantage of this opportunity and launched a massive campaign to exploit the flaw and gain access to the data stored on the MOVEit servers.

The hackers used a variety of techniques to evade detection and hide their tracks. They used proxy servers, encryption, and obfuscation to conceal their origin and identity. 

They also used a technique called "living off the land", which means using legitimate tools and commands that are already present on the target systems to perform malicious actions. This way, they avoided triggering any alarms or alerts from antivirus or firewall software.

Victim organizations

The hackers targeted a wide range of organizations across different sectors and regions. Some of the notable victims include:

- Shell, the multinational oil and gas company, which had its internal documents, contracts, and financial data leaked online.

- British Airways, the flag carrier airline of the United Kingdom, which had its customer information, flight schedules, and loyalty program data compromised.

- The US Department of Energy, which had its nuclear research, energy policy, and environmental data exposed.

- The World Health Organization (WHO), which had its COVID-19 vaccine distribution plans, health reports, and confidential communications stolen.

Impact of the hack 

The impact of the hack was enormous and far-reaching. It caused financial losses, reputational damage, legal liabilities, and operational disruptions for the affected organizations. It also posed serious risks to the privacy and security of the millions of people whose personal data was breached. 

The hack also raised questions about the reliability and trustworthiness of file transfer software and other third-party applications that are widely used by organizations and individuals.

The investigation and disclosure of the hack was also challenging and complex. It took months for security researchers and authorities to identify the scope and scale of the attack, as well as the actors behind it. It also took time for the affected organizations to notify their customers and stakeholders about the breach and take remedial actions. 

The hack also sparked debates and discussions about the best practices and standards for cybersecurity, data protection, and incident response.

The MOVEit hack is a stark reminder of the importance and urgency of cybersecurity in today's digital world. It shows how a single flaw in a software can have devastating consequences for millions of people and hundreds of organizations. It also shows how hackers are constantly evolving and adapting their tactics and techniques to exploit new vulnerabilities and bypass existing defenses. 

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer


According to numerous threat intelligence reports, Clop was responsible for about one-third of ransomware attacks this July, making the financially motivated threat actor the most active ransomware group this summer.

The ransomware gang's mass exploitation of a zero-day vulnerability in the MOVEit file transfer service has now placed it at the top of the ransomware threat actor hierarchy.

Emsisoft and KonBriefing Research tracked Clop's activities, noting that so far the threat actor has compromised more than 730 organizations in the course of its campaign.

In July, Clop was responsible for 171 of the 502 ransomware attacks reported by NCC Group, the firm confirmed. NCC Group added that Clop's actions are most likely to blame for a 16% overall rise in ransomware attacks from the preceding month. NCC and Flashpoint further noted that Clop was behind at least twice as many attacks as LockBit, its next-closest rival, in ransomware activity in July.

“Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe[…]This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”

These instances indicate that the impact of Clop's attacks on companies in highly sensitive and regulated industries is enormous, as is the potential exposure. It is still not clear how many victims are downstream. 

Other instances of Clop's activity include Colorado State University, which was hit six times, in six different ways. The ransomware gang's targets also include three of the big four accounting firms, Deloitte, Ernst & Young and PwC, consequently putting their sensitive customer data at high risk.  

Security in the Software Sector: Lessons Learned from the MOVEit Mass Hack

 


The MOVEit mass hack will likely be remembered as one of the most damaging cyberattacks in history. 

Hackers exploited a vulnerability in Progress Software's MOVEit managed file transfer service to gain access to customers' sensitive data through SQL commands injected into the system. The MOVEit service is used by thousands of organizations to secure the transfer of large volumes of sensitive files. 

The attack exploited a zero-day vulnerability, meaning Progress was not aware of the flaw and could not patch it in time, which left Progress' customers without any defence against the attack. 

Since June 14, the Russia-linked Clop ransomware group, which claimed responsibility for the hacks, has been publicly listing alleged victims. Banks, hospitals, hotels, energy giants, and others are included in the growing list of affected companies, part of a campaign intended to pressure victims into paying ransom demands so that their information is not published online. 

Clop announced in a blog post this week that on August 15 it will release the "secrets and data" of all MOVEit victims who refused to negotiate. Similar hacks had targeted the file-transfer tools of Fortra and Accellion earlier in the year; this was unlikely to be Clop's first mass hack. 

The latest Emsisoft statistics indicate that more than 40 million people have been affected by the MOVEit hack. Since the hacks started almost a year ago, those numbers have continued to increase almost daily. 

"Without being able to assess the depth and scope of the damage, at this point, there is no way to make an informed guess," Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. "We do not yet know how many organizations were affected and what data was compromised.” 

Around a third of the known victims were affected through third parties, with others impacted via vendors, subcontractors, and other third parties. According to Callow, because of this complexity it is very likely that some affected organizations are not yet aware that they have been affected, which is what makes the damage so hard to contain. 

While this hack had an unprecedented impact because of its scale, its methodology is not new and there is nothing innovative about the way it was executed. In recent years, supply chain attacks have become more prevalent as adversaries exploit zero-day flaws, and a single exploit can potentially affect hundreds if not thousands of customers. 

Taking action now to prevent the threat of a mass hack should be as critical for organizations as anything else they can do. 

Recovering From the Disaster 


When you have been the victim of a hack, it may seem like the damage has already been done and there is no way to recover from it. Even though it can take months or years to recover from an incident like this, and many organizations are likely to be affected by it, they need to act quickly to understand not only which type of data was compromised, but also their possible violations of compliance standards or laws governing data privacy. 

Demands For Ransom


The hack in question is what is referred to as a "supply-chain attack." The news was first announced in November last year, when Progress Software revealed that hackers had managed to infiltrate its MOVEit Transfer tool using a backdoor. 

Hackers exploited a security flaw in the software in an attempt to gain access to the accounts of several companies. Even organizations that do not use MOVEit themselves are affected through their third-party arrangements. 

It is understood that eight companies that use Zellis are affected, including airlines such as British Airways and Aer Lingus, as well as retailers like Boots. MOVEit is thought to be used by a slew of other UK companies as well. 

A hacker group linked to the ransomware group Clop has been blamed for the hack. The group is believed to be based in Russia, but the hackers could be anywhere. They have threatened to publish the data of companies that have not emailed them by Wednesday, the deadline for beginning negotiations. 

As the BBC's chief cyber correspondent Joe Tidy pointed out, the group has a reputation for carrying out its threats, and organizations in the next few weeks may find their private information published on the gang's dark website. 

Reports indicate a high probability that a victim that does not appear on Clop's website may have secretly agreed to pay the group a ransom, which can range from hundreds of thousands to millions of dollars. 

Victims are always advised not to pay, as paying fuels the growth of this criminal enterprise and there is no guarantee that the hackers will not use the data for a secondary attack. 

When a breach as massive as the MOVEit mass hack occurs, recovery is highly challenging and requires meticulous effort to identify the extent of the compromised data, any potential compliance violations, and any violations of local privacy laws. 

Many articles warn that paying a ransom is no guarantee that a cybercriminal will not come after you in the future, and that it perpetuates the criminal enterprise. The MOVEit mass hack is a cautionary tale for the software sector that should not be overlooked. A key takeaway is the emphasis it places on cybersecurity strategy and supply-chain vigilance so that the effects of cyber threats can be mitigated as quickly as possible.

Clop Ransomware Adopts Torrents for Data Leaks in Effort to Evade Detection

 

The Clop ransomware group has once again adjusted its tactics for extortion, now employing torrents to disseminate stolen information obtained from MOVEit attacks. 

Beginning on May 27th, the Clop ransomware syndicate initiated a series of data theft assaults by exploiting a zero-day vulnerability within the MOVEit Transfer secure file transfer system. Exploiting this flaw enabled the hackers to pilfer data from nearly 600 global organizations, catching them off guard.

On June 14th, the ransomware group commenced their extortion endeavors by gradually unveiling victims' names on their Tor-based data leak site and eventually making the files public. 

However, using a Tor site for data leaks had limitations: sluggish download speeds curtailed the potential damage of the leak.

In a bid to overcome these issues, the Clop group established clearweb sites to release stolen data from some of the victims of the MOVEit data theft. However, this approach was susceptible to being dismantled by authorities and companies. In response, the group has turned to torrents as a new method for disseminating the stolen data from the MOVEit breach.

This novel approach was identified by cybersecurity researcher Dominic Alvieri. The Clop ransomware gang has developed torrents for twenty victims, including well-known entities like Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. 

In the fresh extortion strategy, Clop has established a new Tor site that provides guidance on using torrent clients to download the leaked information. They have also included lists of magnet links for the twenty affected parties.

Torrents leverage peer-to-peer transfers among different users, resulting in faster transfer speeds compared to traditional Tor data leak sites. Testing by BleepingComputer demonstrated improved data transfer speeds, reaching 5.4 Mbps, even when seeded from a single IP address in Russia. 

Additionally, this distribution technique is decentralized, making it difficult for law enforcement to shut down. Even if the original seeder is taken offline, a new device can take over seeding duties.

Should this approach prove effective for Clop, it's likely they will continue to utilize it due to its ease of setup, lack of need for a complex website, and the potential for wider distribution of stolen data, which could place more pressure on victims. 

Coveware has estimated that the Clop gang could amass between $75 million and $100 million in extortion payments. This projection is not solely due to numerous victims paying, but rather a small number of companies being persuaded to pay substantial ransom amounts. Whether the use of torrents will contribute to more payments remains uncertain; however, given the substantial earnings, the outcome may be inconsequential.

Security Breach: Clop Leaks MOVEit Data on Clearweb Sites

The Clop ransomware gang has exploited the MOVEit vulnerability far more extensively than any other cybercrime group. Compounding the problem, data the gang stole through that vulnerability is now being leaked on clearweb sites.

In May of this year, the Clop ransomware gang exploited a vulnerability in the MOVEit file transfer software, exposing the data of hundreds of companies and organizations, including Boots, British Airways, the BBC, and many others.

To leak the data stolen through MOVEit, the gang has now set up publicly accessible websites. Ransomware leak sites are usually hosted on anonymity networks such as Tor, which let users browse anonymously and make it hard for law enforcement to reach the infrastructure. This type of site, by contrast, is hosted on a public server, so it can be indexed by search engines and amplified through them.

A report published by Bitdefender notes that many of those who paid handed over substantially more than the global average ransomware payment of $740,144 (about £577,000), itself a record level and an increase of 126% over the first quarter of 2023. Coveware estimates that the attackers earned approximately $75-100 million (£58.7-78 million) from just a small number of victims who paid extremely high ransoms.

Security researcher Dominic Alvieri, who has tracked the Clop operation for the past two years, reported that the gang created its first public-access website to leak data stolen from PwC, the business consulting firm. That website has since been taken down.

Clop has borrowed an extortion tactic first used by ALPHV: creating websites on the open Internet dedicated to specific victims, to leak their data and put further pressure on them to pay.

In a typical double-extortion attack, the ransomware gang first steals data from the victim's corporate network and then encrypts the network's files. Victims who do not pay the ransom are told that the stolen data will be leaked.

Ransomware data leak sites are usually hosted on the Tor network, which makes it much harder for law enforcement to seize the infrastructure or take the site down. That hosting choice, however, brings its own problems for the ransomware operation.

Leak sites on Tor are harder to reach: they require the specialised Tor browser, the leaked data is not indexed by search engines, and download speeds are very slow.

Last year ALPHV, also known as BlackCat, introduced a new extortion tactic: clearweb sites for leaking stolen data, set up so that a victim's employees could check whether their own data had been compromised.

As the name suggests, a clearweb site is hosted directly on the public Internet and needs no special software, such as an anonymity network like Tor, to reach it. This makes the leaked data far easier to access and is likely to get it indexed by search engines, so the leak spreads further.

Security researcher Dominic Alvieri discovered that the Cl0p ransomware gang has now publicly posted data it stole from the MOVEit Transfer platform in May. By exploiting a zero-day vulnerability in the secure file transfer platform, the gang compromised hundreds of businesses and government institutions across the globe, leading to hundreds of data breaches.

Clop's dumps differ in several ways from those of some previous operations. Most noticeably, the data has been released as large files rather than organised into searchable items, and the site is not hosted on the Tor network.

Dark Web vs Clear Web 

The Clear Web is the portion of the internet that can be indexed by search engines like Google. It is also known as the Surface Web or Visible Web because it is the easily accessible part of the web: websites and pages reachable through standard browsers without any special configuration.

The Dark Web, by contrast, is deliberately hidden from traditional search engines and is not indexed by them. Accessing it requires specialised software such as the Tor browser, which anonymises the user's browsing.

Beyond anonymity, Tor lets users reach hidden services through addresses ending in ".onion". The Dark Web hosts many illicit markets and anonymous forums where users communicate without revealing their identities.
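As an added example that is not part of the original post: the difference between a clearweb host and a Tor hidden service is mechanical enough to check in code. A v3 .onion address is the base32 encoding of the service's 32-byte ed25519 public key, a 2-byte checksum and a version byte (0x03), where the checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || version). The Python below derives such an address from a constructed key, classifies hostnames as clearweb, v2 onion, v3 onion or malformed, and runs that over a few constructed DNS query log lines. The key, the log format and the client addresses are assumptions made for the demonstration.

```python
"""Classify hostnames as clearweb vs Tor .onion and flag .onion lookups in DNS logs.

Added example for this post. The key, log format and client addresses are
constructed for the demonstration; the v3 address layout follows the Tor
rendezvous v3 specification: base32(pubkey || checksum || version).
"""
import base64
import hashlib
import re

ONION_VERSION = b"\x03"
B32_LABEL_RE = re.compile(r"[a-z2-7]+")


def onion_checksum(pubkey):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def onion_v3_from_pubkey(pubkey):
    """Derive the 56-character v3 .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> exactly 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_host(host):
    """Return 'clearweb', 'onion-v2', 'onion-v3' or 'onion-invalid' for a hostname."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "clearweb"
    label = host[: -len(".onion")].split(".")[-1]  # tolerate subdomains such as www.<addr>.onion
    if not B32_LABEL_RE.fullmatch(label):
        return "onion-invalid"
    if len(label) == 16:
        return "onion-v2"  # legacy format (truncated hash of an RSA key); carries no checksum to verify
    if len(label) != 56:
        return "onion-invalid"
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return "onion-invalid"  # typo, truncation, or a string that merely looks like an address
    return "onion-v3"


# Constructed key 0x00..0x1f: not a real service; the address is derived here, not looked up anywhere.
GOOD_ONION = onion_v3_from_pubkey(bytes(range(32)))
# Corrupt one base32 character that lies entirely inside the checksum bytes (label chars 52-53),
# so the public key still decodes unchanged but the stored checksum no longer matches it.
BAD_ONION = GOOD_ONION[:52] + ("a" if GOOD_ONION[52] != "a" else "b") + GOOD_ONION[53:]

# Constructed DNS query log in a generic key=value format (a hypothetical resolver's output).
SAMPLE_DNS_LOG = f"""\
2023-06-20T09:00:01Z client=10.1.2.3 qname=www.example.com qtype=A
2023-06-20T09:00:05Z client=10.1.2.9 qname={GOOD_ONION} qtype=A
2023-06-20T09:00:07Z client=10.1.2.9 qname=abcdefghijklmnop.onion qtype=A
2023-06-20T09:00:09Z client=10.1.2.4 qname={BAD_ONION} qtype=A
"""
LOG_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+)")


def flag_onion_lookups(log_text):
    """Return (client, qname, classification) for every non-clearweb query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        kind = classify_host(m["qname"])
        if kind != "clearweb":
            hits.append((m["client"], m["qname"], kind))
    return hits


if __name__ == "__main__":
    for client, qname, kind in flag_onion_lookups(SAMPLE_DNS_LOG):
        print(f"{client} looked up {qname} ({kind})")
```

The checksum verification is what separates a real v3 address from a look-alike string. Any .onion name seen in ordinary corporate DNS logs is also worth a look on its own: resolvers are supposed to answer NXDOMAIN for .onion (RFC 7686), so such a query means a client tried to reach a hidden service without routing it through Tor.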

Cybercriminals have recently begun building clearnet websites, hosted on the surface web, to publish stolen data and blackmail their victims, and Clop has now adopted the tactic. For its first leak it uploaded four spanned ZIP archives of data stolen from the business consulting firm PwC; it later created similar leak sites for TD Ameritrade, Aon, Kirkland, and Ernst & Young.

The aim is to create panic among the employees, executives, and business partners whose data was stolen, so that they put additional pressure on the company to pay the ransom.

While leaking data this way has benefits for the attackers, it also has drawbacks: sites on the open Internet are much easier to take down than sites on Tor.

Currently, all known Clop clearweb extortion sites are offline and cannot be accessed. It is unclear whether they were taken down by law enforcement seizures, by DDoS attacks from cybersecurity firms, or by hosting companies and registrars suspending them. Given how easily and quickly such sites can be shut down, it is questionable whether the tactic is worth the effort.

Clop Attacks: More Organizations Confirm Falling Prey to MOVEit Mass-hack

As the fallout from the ongoing MOVEit hack unfolds, new names keep emerging among its victims. These organizations include the hotel chain Radisson, U.S.-based 1st Source Bank, real estate giant Jones Lang LaSalle and Dutch GPS company TomTom.

They join the numerous victims already claimed by the Clop ransomware gang, which is responsible for the widespread data raids targeting corporate customers of Progress Software's MOVEit file-transfer program.

Radisson Hotels Americas

One of the newly identified victims is Radisson Hotels Americas. The international hotel chain, which has more than 1,100 locations, now appears on Clop's dark web leak site.

Moe Rama, a spokesperson for Choice Hotels (which acquired Radisson Hotels Group in 2022), said that a “limited number of guest records were accessed by hackers exploiting the MOVEit Transfer vulnerability,” but declined to say how many guests had been affected.

Jones Lang LaSalle

Jones Lang LaSalle, the U.S.-based real estate giant, also confirmed a data breach resulting from the cyberattack. According to a source with knowledge of the incident, the company told its employees about the attack by email; the emails said that all employee data had been compromised except Social Security numbers. The breach apparently affected all of the organization's 43,000 employees.

“We were notified by MOVEit of a previously unknown security vulnerability in their software. Our immediate investigation detected unauthorized access to a limited number of files; we contained the malicious activity and patched our systems per vendor-provided instructions,” said JLL spokesperson Allison Heraty.

“Our priority has been to communicate directly with those impacted as well as all relevant authorities, which we have done,” she added.

1st Source Bank

One of the first MOVEit victims to be identified by Clop, 1st Source Bank, disclosed in a regulatory filing on Monday that hackers gained access to “sensitive client data of commercial and individual clients, including personally identifiable information.”

In a statement, the bank says, “The company has notified and is working with its commercial clients so impacted and is in the process now of identifying and directly notifying individual clients who have been impacted.”

UofL Health

After appearing on Clop's dark web leak site, UofL Health, an academic health system headquartered in Kentucky, acknowledged that it had been affected by the hacks, but did not confirm whether any data had been accessed.

“Recently, the United States government confirmed that multiple federal agencies had been affected by cyberattacks which exploited a security vulnerability in a popular file transfer tool called MOVEit[…]Unfortunately, a small number of UofL Health medical practices used this software to transfer files to third party vendors," said UofL Health spokesperson David McArthur. “Upon learning of this event, UofL Health immediately took action and is now working with a forensic IT agency to determine the scope of the matter. The security of normal operations at UofL Health hospitals, medical centers, and physician offices has not been jeopardized.”

TomTom

On Tuesday, the Dutch navigation giant TomTom also confirmed that it had fallen victim to Clop. “We at TomTom were immediately aware of a data breach that occurred on our vendor’s platform, MOVEit, last month,” said TomTom spokesperson Ivo Bökkerink. “We have taken all necessary safety and security measures to protect the data, and we have informed the relevant authorities,” the company stated. It has not been made clear what data, if any, was stolen.

Following these disclosures, several other companies confirmed that they had fallen prey to the Clop attacks, including German bank Deutsche Bank, the University of Colorado, the University of Illinois, diagnostics company Realm IDX, and New York-based biopharmaceutical firm Bristol Myers Squibb.

Many other organizations have appeared on Clop’s dark web leak site without issuing any official statement, among them an electronics maker, a global technology company, a corporate travel management giant and a human resources software maker.

In all, the MOVEit hackers have claimed almost 270 victim organizations so far, affecting at least 17 million individuals, according to the latest count by Emsisoft threat analyst Brett Callow.

Cl0p Ransomware Targets Sony, EY, and PwC in MOVEit Transfer Cyberattack

The attack, which began earlier this month, has the potential to become one of the largest cyberattacks in history. Its victims include public- and private-sector entities in the United States, the United Kingdom, and other countries.

Reports suggest that Cl0p, the cybercriminal group behind the attack, claims to possess data from prominent organizations like Sony, as well as leading accountancy firms EY and PwC. In a statement, Cl0p warned that it possesses approximately 120GB of data from PwC, which it may release if its demands are not met.

Cl0p, however, denies holding any data from government agencies and says its focus is solely on extorting private companies for money. The group states on its blog that it receives numerous emails about government data but promptly deletes such information, as its motivation is monetary rather than political.

Typically, ransomware groups deny possessing sensitive government information, especially if they believe that holding such data would invite closer scrutiny from law enforcement agencies.

Notable organizations affected by the vulnerability in MOVEit Transfer, a widely used secure file transfer system, include British Airways, the BBC, and Boots. All three told their staff that their data may have been compromised following a breach at Zellis, a payroll platform used by each of them.

Cl0p denies having any data from Zellis. In an email exchange with the BBC, the group said it does not possess the information and has told Zellis so, asserting its longstanding policy of truthfulness: if it says it does not have certain data, it genuinely does not.

The hackers reportedly set a deadline of 14 June for the affected companies to pay a ransom, after which their data would be exposed online. No information has been leaked so far, which raises the possibility that other cybercriminals may also be exploiting the MOVEit Transfer vulnerability.

The software vendor, Progress Software, disclosed the vulnerability on 31 May, but no other hacker group has publicly claimed to have stolen data through it.

Zellis Cyberattack: British Airways, Boots and BBC Employees’ Personal Data Exploited

Zellis Cyberattacks Exploiting MOVEit

British Airways (BA), Boots, and the BBC have been investigating an alleged cyber incident. The attack, apparently carried out by a Russia-based criminal gang, involved the theft of personal data belonging to the companies' employees.

BA confirmed the attack, noting that the hackers targeted MOVEit, software used by its payroll provider, Zellis.

“We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit,” said a British Airways spokesperson.

Affected BA employees were informed by email that the compromised data included their names, addresses, national insurance numbers, and banking details, according to The Telegraph, which first reported the incident. BA added that the attack primarily affected staff paid via BA payroll in the UK and Ireland.

Boots, also affected by the attack, said that “some of our team members’ personal details” were compromised. The Telegraph reported that staff were told the stolen data included their names, surnames, employee numbers, dates of birth, email addresses, the first lines of their home addresses, and national insurance numbers.

A BBC spokesperson confirmed the attack but said the breach did not involve any of its staff’s bank details.

“We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures,” the spokesperson said.

Microsoft’s Investigation of the Attacks

Microsoft Threat Intelligence said in a tweet on Sunday that the attacks on MOVEit were carried out by a threat group it tracks as Lace Tempest. The group is known to threat intelligence firms for its ransomware operations and for running “extortion sites” carrying data obtained in attacks using the Clop ransomware strain.

Microsoft says “The threat actor has used similar vulnerabilities in the past to steal data and extort victims.”

According to Rafe Pilling, a director at the US-based security firm Secureworks, the attack was probably carried out by an affiliate of the cybercriminal gang behind the Clop ransomware, which also runs the website alluded to by Microsoft where stolen data is advertised. He adds that a Russian-speaking cybercrime organization is behind Clop.

Pilling warns victims that the hackers are likely to contact them soon, demanding a ransom for the stolen data. “Victims will be contacted and if they refuse they will probably be listed and published on the Clop site,” he said. Meanwhile, a MOVEit spokesperson confirmed that the vulnerability exploited by the threat actors has been “corrected”.

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures,” they added.