15 June 2023

The CLOP Ransomware Gang Strikes Again and Again

The extortion threat adds urgency to an already high-stakes security incident that has forced responses from tech firms, corporations and government agencies from the US to Canada and the UK.
The CLOP hackers are “overwhelmed with the number of victims,” according to Charles Carmakal, chief technology officer at Mandiant Consulting, a Google-owned firm that has investigated the hack. 
  • “Instead of directly reaching out to victims over email or telephone calls like in prior campaigns, they are asking victims to reach out to them via email,” he said on LinkedIn Tuesday night.
Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, also told CNN: “Unfortunately, the sensitive nature of the data often stored on MOVEit servers means there will likely be real consequences stemming from the [data theft] but it will be months before we understand the full fallout from this attack.”
June 15, 2023

Ransomware Attack Hits Federal Agencies

‘Criminal’ group responsible for the intrusion, CISA says.

An undetermined number of civilian federal agencies were hit Thursday with an attack from what government officials described as a “criminal” ransomware group.

The attack targeted “a software that federal agencies and companies across the world use,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told MSNBC.

Exclusive: US government agencies hit in global cyberattack

CNN — 

Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency.

The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”

Aside from US government agencies, “several hundred” companies and organizations in the US could be affected by the hacking spree, a senior CISA official told reporters later Thursday, citing estimates from private experts.

Clop, the ransomware gang allegedly responsible, is known to demand multimillion-dollar ransoms. But no ransom demands have been made of federal agencies, the senior official told reporters in a background briefing.

CISA’s response comes as Progress Software, the US firm that makes the software exploited by the hackers, said it had discovered a second vulnerability in the code that the company was working to fix.

The Department of Energy is among multiple federal agencies breached in the ongoing global hacking campaign, a department spokesperson confirmed to CNN.

US government agencies hit by cyberattack, official says

  • ABC News (Quinn Owen): U.S. government networks were hit by a cyberattack affecting several federal agencies, the Cybersecurity and Infrastructure Security Agency ...
  • Several unidentified federal agencies were hit in a cyberattack, the Cybersecurity and Infrastructure Security Agency confirmed Thursday.
  • Energy Department, Other U.S. Government Agencies Hacked in Cyberattack: the hack exploited a software bug previously used to hit major businesses in ...
  • Several U.S. federal government agencies have been hit in a global cyberattack that exploits a vulnerability in widely used software ...
  • According to investigators, Easterly said, the breach was part of a larger ransomware operation carried out by Clop, a Russian ransomware gang that exploited a vulnerability ...
  • The number of victims targeted by the Clop ransomware gang's exploitation of a critical vulnerability in Progress Software Corp.'s MOVEit file transfer ...
  • The CLOP ransomware group is one of numerous gangs in Eastern Europe and Russia that are almost exclusively focused on wringing their victims for as much money ...

Jun 7, 2023: In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as CVE-2023-0669, to target ...

Clop ransomware gang starts extorting MOVEit data-theft victims

June 15, 2023, 11:39 AM

MOVEit Transfer

The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the companies' names on a data leak site, a tactic the gang often employs before publicly disclosing stolen information.

These entries come after the threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform on May 27th to steal files stored on the server.

The Clop gang took responsibility for the attacks, claiming to have breached "hundreds of companies" and warning that their names would be added to a data leak site on June 14th if negotiations did not occur.

If an extortion demand is not paid, the threat actors say they will begin leaking stolen data on June 21st.

Clop begins extorting companies

Yesterday, the Clop threat actors listed thirteen companies on their data leak site but did not state if they were related to the MOVEit Transfer attacks or were ransomware encryption attacks.

Since then, one of the companies, Greenfield CA, has been removed, indicating the listing was either a mistake or negotiations are taking place.

Five of the listed companies, British multinational oil and gas company Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks, have since confirmed to BleepingComputer that they were impacted in varying degrees by the MOVEit attacks.

Shell said only a small number of employees and customers were impacted and Landal told BleepingComputer the threat actors accessed the names and contact information for approximately 12,000 guests.

The University System of Georgia, University of Georgia, and UnitedHealthcare Student Resources told BleepingComputer they are still investigating the attack and will disclose any breaches if discovered.

German printing company Heidelberger Druck told BleepingComputer that while they use MOVEit Transfer, their analysis indicates it did not lead to any data breach.

Putnam Investments, who is also listed on Clop's data leak site, told BleepingComputer they are looking into the matter.

While the other companies listed on Clop's site have not responded to our emails, Macnica security researcher Yutaka Sejiyama shared data with BleepingComputer confirming that they currently use the MOVEit Transfer platform or have done so in the past.

Already disclosed data breaches

Other organizations that have already disclosed MOVEit Transfer breaches include Zellis (and, through Zellis, the BBC, Boots, Aer Lingus and Ireland's HSE), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcom, Extreme Networks, and the American Board of Internal Medicine.

In similar attacks in the past using zero-day vulnerabilities in the Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer products, the threat actors demanded $10 million ransoms to prevent the leaking of data.

BleepingComputer has learned the extortion operation was not very successful in the GoAnywhere extortion attempts, with companies preferring to disclose data breaches rather than pay a ransom.

Today, CNN reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was working with several U.S. federal agencies that had also been breached using the MOVEit zero-day vulnerability. Two U.S. Department of Energy (DOE) entities were also compromised, according to Federal News Network.

However, the Clop threat actors previously told BleepingComputer that they automatically deleted any data stolen from the government.

"I want to tell you right away that the military, children's hospitals, GOV etc like this we no to attack, and their data was erased," claimed the ransomware operation.

Unfortunately, once data is stolen there is no way to confirm whether it was actually deleted as promised, and it should be assumed to be at risk.

Related Articles:

Clop ransomware likely testing MOVEit zero-day since 2021

Clop ransomware claims responsibility for MOVEit extortion attacks

Microsoft links Clop ransomware gang to MOVEit data-theft attacks

New MOVEit Transfer zero-day mass-exploited in data theft attacks

Exploit released for MOVEit RCE bug used in data theft attacks


BACK IN FEBRUARY 2023

Florida state court system, US, EU universities hit by ransomware outbreak

A computer keyboard lit by a displayed cyber code is seen in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

LONDON/WASHINGTON, Feb 7 (Reuters) - A global ransomware outbreak has scrambled servers belonging to Florida's Supreme Court and several universities in the United States and Central Europe, according to a Reuters analysis of ransom notes posted online to stricken servers.

Those organizations are among more than 3,800 victims of a fast-spreading digital extortion campaign that locked up thousands of servers in Europe over the weekend, according to figures tallied by Ransomwhere, a crowdsourced platform that tracks digital extortion attempts and online ransom payments and whose figures are drawn from internet scans.

Ransomware is among the internet's most potent scourges. Although this particular extortion campaign was not sophisticated, it drew warnings from national cyber watchdogs in part because of the speed of its spread.

Ransomwhere did not name individual victims, but Reuters was able to identify some by looking up internet protocol address data tied to the affected servers via widely used internet scanning tools such as Shodan.

The extent of the disruption to the affected organizations, if any, was not clear. ...
