The infamous Clop Ransomware gang has once again made headlines by successfully breaching the servers of Cleo, a well-known provider of file transfer software. The cybercriminal group is now threatening to leak sensitive data from Cleo’s extensive client base unless a ransom demand is met within a 48-hour deadline. The ransomware group has already issued warnings to 66 companies, indicating that if they fail to negotiate or pay the required sum within the stipulated time frame, their confidential information will be sold on the dark web.

Initial Leak and Growing Threats

The Clop gang has already taken the first step in its extortion campaign by releasing partial names of the companies affected by the breach on their dark web portal. This public exposure is intended to pressure the victimized organizations into complying with their demands. The ransomware group has further warned that if no agreement is reached within the next two days, they will release the full names of these companies, potentially causing irreparable damage to their reputations and trust with customers.

This tactic is part of a larger strategy of “double extortion”, which has become increasingly common among sophisticated ransomware gangs. In double extortion attacks, cybercriminals not only encrypt the victim’s data, making it inaccessible, but they also threaten to release the stolen information unless the ransom is paid. What sets this attack apart is that Clop has now escalated its threats to include customer and client data stolen from the breached systems of Cleo’s clients. This adds an additional layer of urgency, as businesses face the risk of compromising sensitive information related to their customers, suppliers, and employees.

Exploitation of Vulnerabilities in Cleo’s Software

Reports from Cybersecurity Insiders reveal that Clop gained access to Cleo’s systems by exploiting critical zero-day vulnerabilities in several of Cleo’s products, including Lexicom, VLTransfer, and Harmony. These software products are widely used for secure file transfer and data exchange, making them attractive targets for cybercriminals. By exploiting these vulnerabilities, Clop was able to infiltrate the company’s servers and access the sensitive data of all its clients.

The use of zero-day exploits, which are previously unknown security flaws, makes this attack particularly dangerous. Once the vulnerabilities were discovered and exploited by Clop, Cleo was left with little recourse to prevent the breach or stop the attackers from exfiltrating large volumes of data. The company, which provides secure data transfer solutions to a broad range of businesses, has yet to comment on the full scope of the breach or its efforts to mitigate the damage.

The Double Extortion Playbook: A Growing Trend in Cybercrime

While the idea of ransomware attacks is not new, the strategy of double extortion—which involves both the encryption of files and the public leak of sensitive data—is a more recent and disturbing trend. The tactic is becoming increasingly common among highly organized cybercriminal gangs like Clop, who are motivated not only by financial gain but also by the desire to damage their victims’ reputations.

In previous high-profile incidents, the Clop gang used similar tactics, including in the MOVEit file transfer attack that compromised the data of several prominent organizations. In that case, Clop not only demanded ransom payments from the affected companies but also threatened to expose client data if the ransom was not paid. The same pattern of behavior is expected to unfold in the current attack on Cleo and its clients, with the gang likely to use the stolen information to extract as much profit as possible.

The victims in these kinds of attacks often face tough choices. On one hand, paying the ransom might allow them to regain access to their encrypted data. On the other, businesses that choose to comply with the demands run the risk of encouraging further attacks on themselves and others, as ransomware gangs are incentivized by the money they generate from such crimes.

The Broader Impact: A Call for Stronger Cybersecurity

The Cleo attack highlights an ongoing global cybersecurity crisis where businesses, regardless of their size or industry, are vulnerable to sophisticated attacks from ransomware gangs. For organizations that rely on third-party services for data transfer and file management, this breach underscores the importance of securing software and systems against zero-day vulnerabilities.

The attack also raises critical questions about the responsibility of software providers like Cleo in safeguarding their clients’ data. As companies continue to migrate their operations to cloud-based and third-party solutions, they must be vigilant in ensuring that the software they use is regularly updated and protected from the latest cyber threats.

For businesses that find themselves at the center of a ransomware attack, the incident serves as a stark reminder of the importance of having a robust incident response plan in place. This plan should include measures for both preventing attacks and responding effectively when a breach occurs—ranging from deploying strong encryption practices to ensuring employees are trained in identifying phishing attempts and other common attack vectors.

Conclusion: A Growing Threat Landscape

As the threat landscape continues to evolve, it is likely that ransomware attacks will become more sophisticated and impactful. The rise of groups like Clop, who specialize in double extortion tactics, is a warning for businesses around the world to take cybersecurity seriously. The Cleo breach is just one of many examples of how cybercriminals are adapting to a changing digital landscape, and it underscores the need for organizations to stay ahead of emerging threats through proactive defense strategies, regular vulnerability assessments, and quick response plans to mitigate damage in the event of an attack.

As Clop’s deadline approaches, Cleo and its clients are under intense pressure to protect their sensitive data, preserve their business reputations, and avoid becoming the next headline in the growing list of ransomware-related breaches.

The post Clop Ransomware Gang Targets Cleo File Transfer Service and threatens to expose Sensitive Data appeared first on Cybersecurity Insiders.

At the end of May 2023, a zero-day vulnerability was discovered by the risk analysis firm Kroll. On June 7th of this year, the Clop ransomware gang announced on its blog that it had gained access to the servers of MOVEit software via Zellis payroll software and urged victims to make contact through the blog post, since email responses could be slow given the large number of victims involved in the incident.

Going forward, let us list the victims that have been impacted by the attack after the hackers gained control of MOVEit file transfer software worldwide, a business unit of Progress Software.

1. The US Department of Energy
2. Shell company
3. First National Bankers Bank
4. Putnam Investments
5. Datasite
6. Swiss insurance company ‘OKK’
7. Leggett & Platt
8. Multinational firm PricewaterhouseCoopers (PwC)
9. Ernst & Young
10. Health Services Ireland
11. BBC
12. British Airways
13. Boots Retail
14. Medibank
15. Rochester Hospital
16. GreenShield Canada
17. National Student Clearinghouse
18. United Healthcare Student Resources
19. University System of Georgia
20. German brand Heidelberg
21. Aer Lingus
22. Government of Nova Scotia
23. Johns Hopkins University
24. Ofcom
25. Transport for London (TfL)

NOTE: Microsoft has confirmed that the Clop ransomware gang, suspected of links to Russian intelligence, is behind the incident, and has warned that health organizations and financial institutions could be the next targets of the notorious file-encrypting, double-extortion gang.

The post List of victimized companies of MOVEit Cyber Attack appeared first on Cybersecurity Insiders.

After exploiting a security vulnerability in the MOVEit file transfer software produced by Progress Software, a hacker has reportedly taken control of servers at almost all US federal agencies. This was confirmed by the Cybersecurity and Infrastructure Security Agency (CISA), which also stated that agency heads are being urged to take proper security measures before further impacts are discovered.

Shell, the US Department of Energy, Johns Hopkins University and its health subsidiary, and the University System of Georgia have been hit by the cyber-attack.

Initially, the Russian hacking gang Clop Ransomware was suspected to be behind the incident. But suspicion is now pointing towards LockBit, as a third-party investigation commissioned by British Airways (another victim of the MOVEit software cyber-attack) has found that ransomware gang to be behind the incident.

It is unclear whether data was stolen from all victims, and no details of the ransom note have been released yet.

Reports of a Twitter handle where the hacker posted data as proof have surfaced. The hacker warned that victims who don’t respond to the ransom demands will face serious consequences, such as data erasure.

Meanwhile, the White House appears to have taken note of the situation, and the Biden administration has ordered a thorough probe into the incident. After the JBS Meat ransomware attack and the digital assault on Colonial Pipeline’s operational software, the latest incident involving MOVEit software is the next to be tagged as critical by CISA.


The post Almost all US Fed Agencies fell prey to Cyber Attack appeared first on Cybersecurity Insiders.

There are shocking revelations about a US Government data suck-up, historic security breaches at Windsor Castle, and the MOVEit hack causes consternation. All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.