CISA advised the following actions to take today to mitigate cyber threats from CL0P ransomware:
- Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
- Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
- Monitor network ports, protocols and services, activating security configurations on network infrastructure devices such as firewalls and routers.
- Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.
GLOBAL IMPACT FROM MOVEit ZERO DAY EXPLOITS
When CISA issued the advisory in early June, the world knew only a little about the impact of these new cyber attacks, given the headlines from June 5 that British Airways, the BBC and U.K. drugstore chain Boots were involved in a file transfer hack. Here’s an excerpt from Reuters:
“Tens of thousands of employees of British Airways, the UK drugstore chain Boots and Britain’s BBC were among those whose personal data was exposed following a wide-ranging breach centred on a popular file transfer tool, the organizations confirmed on Monday.
“BA, the BBC and Boots said the breach occurred at their payroll provider, Zellis. The provincial government of Nova Scotia, in Canada, was also hit.”
Still, the announcements kept coming over the next three weeks, underlining the widespread impact from this ransomware gang. Here are some of the major cyber story headlines (and brief summaries) for June 2023:
Washington Post — What you should know about the MOVEit ransomware attack:
“Who was behind the attack?
“The group behind the attack is known as Cl0p, a hacking organization that has Russian-speaking members and is likely based in Russia. While it would not be a surprise if some members of the group included Russian police or spies, there is no indication that Cl0p takes orders from the Russian government, and its past targeting has been all about money. Analysts believe that the government victims of the hack were caught up in a broad campaign aimed at extracting money from corporations, not at blackmailing government agencies.
“How did the hackers get in?
“The attackers used a previously unknown or ‘zero-day’ flaw in the MOVEit file-transfer program sold by Progress Software to thousands of clients in the United States and elsewhere. Aimed at handling sensitive data, the program encrypts files and sends them to designated people or groups. Shortly after the attacks began, Progress identified the vulnerability in its software and offered a patch in late May, though not all clients applied it.”
Cyber Security Hub — PwC and EY impacted by MOVEit cyber attack
Government Technology — MOVEit Ransomware Attack: Victim Count Climbs:
“Federal and state agencies and universities announce data breaches after hackers began exploiting a zero-day in late May. Now the company behind MOVEit has announced another critical vulnerability as more breaches come to light.”
Bleeping Computer — Hackers steal data of 45,000 New York City students in MOVEit breach:
“Shell, the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, UnitedHealthcare Student Resources (UHSR), and Landal Greenparks are just some of the organizations that have confirmed to BleepingComputer that they were impacted.
“Other victims that already disclosed breaches related to the MOVEit Transfer attacks include the U.S. state of Missouri, the U.S. state of Illinois, Zellis (along with its customers BBC, Boots, Aer Lingus, and Ireland's HSE), Ofcom, the government of Nova Scotia, the American Board of Internal Medicine, and Extreme Networks.”
A few more headlines from Bleeping Computer:
- Millions of Oregon, Louisiana state IDs stolen in MOVEit breach
- Clop ransomware gang starts extorting MOVEit data-theft victims
- MOVEit breach impacts Genworth, CalPERS as data for 3.2 million exposed
- The Week in Ransomware - June 16th 2023 - Wave of Extortion
- US govt offers $10 million bounty for info on Clop ransomware
Dark Reading — Avast, Norton Parent Latest Victim of MOVEit Data Breach Attacks
The Hacker News — Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack
American Banker — 10 banks alleged victims of ransomware attacks on file transfer software
And one more from June 27 in Ars Technica, “Casualties keep growing in this month’s mass exploitation of MOVEit 0-day,” which reported that up to 122 organizations have been breached.
MORE ANALYSIS, PLEASE
No doubt, many data breaches and ransomware attacks have yet to be announced related to this campaign. Some will never be made public. I fully expect the number of impacted organizations to exceed 200 public and private entities, with many millions more compromised data records when all is said and done.
I really like this analysis from The Last Watch Dog:
“According to Lawrence Abrams, Editor in Chief of Bleeping Computer, the Clop ransomware gang began listing victims on its data leak site on June 14th, warning that they will begin leaking stolen data on June 21st if their extortion demands are not met.
“Among the victims listed were Shell, UnitedHealthcare Student Resources, the University of Georgia, University System of Georgia, Heidelberger Druck, and Landal Greenparks.
“As for federal agencies, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed breaches due to this vulnerability. ‘CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,’ said Eric Goldstein, CISA’s executive assistant director for cybersecurity, emphasizing the urgency to understand the impacts and ensure remediation. According to Federal News Network, Oak Ridge Associated Universities and Energy’s Waste Isolation Pilot Plant were victims of the cyberattack, with Energy Department sources treating it as a ‘major incident.’
“U.S. government agencies have not yet received any ransom demands, but the threat looms large. Rafe Pilling, Director of Threat Research at Dell-owned Secureworks, told CNN, ‘Adding company names to their leak site is a tactic to scare victims, both listed and unlisted, into paying.’”
As can be expected in these types of cyber attacks, some vendors started to tout their ability to detect and respond to this exploit quicker than others. For example, see this piece from MSSP Alert:
“Celerium, a cybersecurity provider, has unwrapped Compromise Defender, a solution it’s positioning as an early detector and defender of compromise activity that is often a precursor to a network attack.
“An additional and timely capability is that the system can rapidly respond to the recent Cl0p/MOVEit ransomware threat. Compromise Defender integrated more than 1,500 indicators of compromise (IOCs) provided by the Cyber and Infrastructure Security Agency (CISA) and other organizations to deliver prompt and efficient protection for organizations in the pilot.
“Several organizations observed reconnaissance activity associated with MOVEit infrastructure, and Compromise Defender blocked that activity, Celerium said.”
FINAL THOUGHTS
Yes, there were several other June cybersecurity stories of note. Here’s one:
The Hill — The Guam hack should be a cybersecurity wakeup call:
“The U.S., along with its key ‘Five Eyes’ intelligence partners, issued an unusual joint statement last month that a Chinese government espionage group had hacked into critical infrastructure systems in Guam. Although the systems remain intact, the agencies are concerned that the hackers’ goal could be to disrupt or prevent communications between the U.S. and Asia during a military confrontation in the region.
“Importantly, the hack was discovered by Microsoft, which then shared the information with the government. This demonstrates the most important point for deterring and responding to increased challenges to our critical infrastructure’s cybersecurity: Public-private collaboration is an indispensable condition for success.”