- “Instead of directly reaching out to victims over email or telephone calls like in prior campaigns, they are asking victims to reach out to them via email,” he said on LinkedIn Tuesday night.
SECURITY
Ransomware Attack Hits Federal Agencies
An undetermined number of civilian federal agencies were hit Thursday with an attack from what government officials described as a “criminal” ransomware group.
The attack targeted “a software that federal agencies and companies across the world use,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told MSNBC.
Exclusive: US government agencies hit in global cyberattack
Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency.
The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”
Aside from US government agencies, “several hundred” companies and organizations in the US could be affected by the hacking spree, a senior CISA official told reporters later Thursday, citing estimates from private experts.
Clop, the ransomware gang allegedly responsible, is known to demand multimillion-dollar ransoms. But no ransom demands have been made of federal agencies, the senior official told reporters in a background briefing.
CISA’s response comes as Progress Software, the US firm that makes the software exploited by the hackers, said it had discovered a second vulnerability in the code that the company was working to fix.
The Department of Energy is among multiple federal agencies breached in the ongoing global hacking campaign, a department spokesperson confirmed to CNN.
US government agencies hit by cyberattack, official says
Clop ransomware gang starts extorting MOVEit data-theft victims
- June 15, 2023
- 11:39 AM
- 3
The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the company's names on a data leak site—an often-employed tactic before public disclosure of stolen information
These entries come after the threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform on May 27th to steal files stored on the server.
The Clop gang took responsibility for the attacks, claiming to have breached "hundreds of companies" and warning that their names would be added to a data leak site on June 14th if negotiations did not occur.
If an extortion demand is not paid, the threat actors say they will begin leaking stolen data on June 21st.
Clop begins extorting companies
Yesterday, the Clop threat actors listed thirteen companies on their data leak site but did not state if they were related to the MOVEit Transfer attacks or were ransomware encryption attacks.
Since then, one of the companies, Greenfield CA, has been removed, indicating the listing was either a mistake or negotiations are taking place.
Five of the listed companies, British multinational oil and gas company Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks, have since confirmed to BleepingComputer that they were impacted in varying degrees by the MOVEit attacks.
Shell said only a small number of employees and customers were impacted and Landal told BleepingComputer the threat actors accessed the names and contact information for approximately 12,000 guests.
The University System of Georgia, University of Georgia, and UnitedHealthcare Student Resources told BleepingComputer they are still investigating the attack and will disclose any breaches if discovered.
German printing company Heidelberger Druck told BleepingComputer that while they use MOVEit Transfer, their analysis indicates it did not lead to any data breach.
Putnam Investments, who is also listed on Clop's data leak site, told BleepingComputer they are looking into the matter.
While the other companies listed on Clop's site have not responded to our emails, Macnica security researcher Yutaka Sejiyama shared data with BleepingComputer confirming that they currently use the MOVEit Transfer platform or have done so in the past.
Already disclosed data breaches
Other organizations who have already disclosed MOVEit Transfer breaches include, Zellis (BBC, Boots, and Aer Lingus, Ireland's HSE through Zellis), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcam, Extreme Networks, and the American Board of Internal Medicine.
In similar attacks in the past using zero-day vulnerabilities in Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer attacks, the threat actors demanded $10 million ransoms to prevent the leaking of data.
BleepingComputer has learned the extortion operation was not very successful in the GoAnywhere extortion attempts, with companies preferring to disclose data breaches rather than pay a ransom.
Today, CNN reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was working with several U.S. federal agencies had also been breached using the MOVEit zero-day vulnerability. Two U.S. Department of Energy (DOE) entities were also compromised, according to Federal News Network.
However, the Clop threat actors previously told BleepingComputer that they automatically deleted any data stolen from the government.
"I want to tell you right away that the military, children's hospitals, GOV etc like this we no to attack, and their data was erased," claimed the ransomware operation.
Unfortunately, once data is stolen, there is no way to confirm if data is actually deleted as promised, and should be assumed to be at risk.
Related Articles:
Clop ransomware likely testing MOVEit zero-day since 2021
Clop ransomware claims responsibility for MOVEit extortion attacks
Microsoft links Clop ransomware gang to MOVEit data-theft attacks
New MOVEit Transfer zero-day mass-exploited in data theft attacks
Exploit released for MOVEit RCE bug used in data theft attacks
BACK IN FEBRUARY 2023
Florida state court system, US, EU universities hit by ransomware outbreak
LONDON/WASHINGTON, Feb 7 (Reuters) - A global ransomware outbreak has scrambled servers belonging to Florida's Supreme Court and several universities in the United States and Central Europe, according to a Reuters analysis of ransom notes posted online to stricken servers.
Those organizations are among more than 3,800 victims of a fast-spreading digital extortion campaign that locked up thousands of servers in Europe over the weekend, according to figures tallied by Ransomwhere, a crowdsourced platform that tracks digital extortion attempts and online ransom payments and whose figures are drawn from internet scans.
Ransomware is among the internet's most potent scourges. Although this particular extortion campaign was not sophisticated, it drew warnings from national cyber watchdogs in part because of the speed of its spread.
Ransomwhere did not name individual victims, but Reuters was able to identify some by looking up internet protocol address data tied to the affected servers via widely used internet scanning tools such as Shodan.
The extent of the disruption to the affected organizations, if any, was not clear. . ."
>
No comments:
Post a Comment