Dangerous hacker gang also threatens Swiss victims with a data disaster: here is what is behind it

The Clop ransomware gang has been hacking businesses en masse thanks to a little-known software vulnerability. Swiss IT security expert Marc Ruef warns of far-reaching consequences.

Daniel Schurter

A dangerous vulnerability in software used by thousands of companies has been exploited by the ransomware gang Clop for massive attacks. Victims are also expected in Switzerland. IT security expert Marc Ruef explains what we are dealing with.

“We currently see that other actors are also trying to exploit the vulnerability.”

What happened?

The dark web page of the ransomware gang Clop featured an unusual threat on Wednesday. The unknown cybercriminals claim that they have stolen “a lot of data” from numerous companies thanks to an IT security vulnerability that has not been patched.

The procedure is unusual. Typically, ransomware gangs publish the names of individual victims on their dark web pages to pressure them.

But the current threat targets hundreds, if not thousands, of companies around the world that use the well-known software MOVEit. It comes from the American company Ipswitch, which in turn belongs to the American company Progress Software; according to the manufacturer, it is “the leading Managed File Transfer (MFT) software” and is used by thousands of companies around the world.

Ongoing cases that have already been made public show that the threat should be taken seriously. In Great Britain, the media company BBC, the airline British Airways and the drugstore chain Boots with a total of more than 100,000 employees are affected.

The American University of Rochester, the Irish airline Aer Lingus and the government of the Canadian province of Nova Scotia are also affected. Many more could follow.

The hacker gang Clop writes that they have developed an “extraordinary” attack tool (exploit) to exploit the vulnerability and steal data. Anyone using MOVEit Transfer who hasn’t fixed the vulnerability in time should expect the worst.

IT security expert Marc Ruef on this:

“It was clear early on that the vulnerability was already being actively exploited. Such attacks usually have no geographical restrictions. Switzerland will not be spared.”

The National Cyber Security Centre (NCSC) had previously issued a public alert: the federal government’s IT security experts announced on Monday that they were aware of victims in Switzerland who had been “successfully compromised”.

A timeline of the main events since the cyberattacks became known can be found at the end of the article.

Who is the threat aimed at?

At an unknown number of companies using MOVEit software that have been hacked.

Clop won’t say how many companies it has been able to loot from servers worldwide. It can be assumed that negotiations are now underway between the perpetrators and some of the victims. Anyone who refuses to pay a ransom is to be exposed from June 14 on the so-called Data Leak Site (DLS) on the dark web, where the stolen files are also to be published.

The cyber criminals claim that they only blackmail private companies.

“If you are a government, municipality or police station, don’t worry. We have deleted all your data. You do not need to contact us. We have no interest in publishing such information.”

What is the damage potential of the IT security hole?

Security expert Marc Ruef says:

“The vulnerability has had a rather unusual lifecycle. When the manufacturer published its official ‹advisory›, the vulnerability was classified as highly critical, but no details were given about its nature. It was only later revealed that it was an SQL injection. These are usually relatively easy to exploit.

Despite the high rating, many people didn’t have the vulnerability on their radar because it took several days for a CVE to be released. This is an official ‹identifier› that has established itself as an industry standard.

Many vulnerabilities are not taken seriously by companies until they have received an official CVE.”

The IT news portal heise.de reported on Wednesday that many German companies and authorities are also checking for a possible data breach or have already done so. “Some of those affected by the vulnerability declined to comment.” More than 100 systems may have been affected in Germany alone, and 2,500 worldwide.

Who is affected in Switzerland?

This is not public knowledge.

Security expert Marc Ruef:

“Various manufacturers and security service providers report attacks that can be traced back to Clop, including Microsoft, which commented on this in a technical article.

We are currently seeing that other actors are also trying to exploit the vulnerability. A lot of research is currently being done here to develop a good exploit. Widespread exploitation should be expected in the coming days. Affected companies can’t afford to wait to fix the vulnerability.”

According to local software vendors, several large Swiss companies are among the customers using the MOVEit Transfer software. Swissport, Schindler and the St. Gallen cantonal police, among others, are said to work with it.

Swissport spokesman Stefan Hartung writes:

“Swissport is aware of the zero-day vulnerability issue. Swissport’s IT systems and applications were not affected by this vulnerability.”

Who is behind Clop?

This is a group of cybercriminals believed to be based in Russia. It has been active for years and is considered extremely dangerous because of the technical skills of its members.

Carrying out attacks around holidays is a common tactic used by the Clop gang. This is because the workforce is reduced to a minimum on non-working days.

On December 23, 2020, Clop hackers used a zero-day vulnerability in software from the vendor Accellion to steal data right at the start of the Christmas holidays.

In March of this year, the Clop gang began blackmailing companies around the world whose data they previously stole using a zero-day vulnerability in the Fortra GoAnywhere MFT file-sharing solution.

Clop was one of the providers of ransomware-as-a-service (RaaS). This means that developers make the IT infrastructure necessary for hacker attacks and blackmail available to third parties for a financial contribution.

Recently, the cybercriminals told BleepingComputer that they are focusing on data theft and related blackmail. Accordingly, they would refrain from encryption attacks.

What has happened so far?

Saturday, May 27

The Clop ransomware gang began exploiting a vulnerability in the “MOVEit Transfer” software over the Whitsun weekend (Whit Monday was also the US Memorial Day holiday), a spokesman for the gang later told BleepingComputer.

Wednesday, May 31

The American company Progress writes in an advisory that it has discovered a vulnerability in the “MOVEit Transfer” software that “could lead to escalated privileges and potential unauthorized access to the environment”. Customers are asked to block internet traffic to the program.

Thursday, June 1

The vulnerability in the “MOVEit Transfer” software is assigned the identifier CVE-2023-34362. It is a previously unknown (zero-day) vulnerability. The software vendor releases the first patches to neutralize the threat.

The US federal authority CISA (Cybersecurity & Infrastructure Security Agency) is calling on companies to take defensive measures against the threat.

According to security researcher Kevin Beaumont, the vulnerability also affects customers who rely on the cloud-hosted version of “MOVEit Transfer”. At least one exposed server instance is connected to the US Department of Homeland Security, and several “major banks” are also affected as MOVEit customers, according to Beaumont.

BleepingComputer is the first outlet to report that hackers are actively exploiting “a zero-day vulnerability” in the file transfer software to steal data from organizations.

Friday, June 2

The National Cyber Security Centre (NCSC) warns in a statement that it is aware of victims in Switzerland who have been successfully compromised.

On the same day, TechCrunch reports that hackers have launched a further wave of mass attacks exploiting the vulnerability in MOVEit Transfer.

Monday, June 5

Microsoft IT security experts attribute the attacks to the cybercrime group “Lace Tempest”. The group is known for ransomware operations and runs the Clop extortion website. The threat actor has used similar vulnerabilities in the past to steal data and extort victims, Microsoft writes on Twitter.

The cybersecurity startup Huntress writes in a blog post that it discovered “a complete attack chain and all associated indicators of compromise” at one client. The attackers: Clop.

According to BleepingComputer, Clop claims responsibility for the massive cyberattacks.

UK payroll and HR solutions provider Zellis confirms it has suffered a data breach as a result of the attacks, affecting some of its customers.

The Record (Recorded Future News) reports that the BBC and British Airways were among the victims.

Wednesday, June 7

The dark web site of the ransomware gang Clop announces that hundreds of organizations could be affected by data theft. The blackmailers give the victims an ultimatum: they are to contact the gang by email to negotiate the ransom payment. The unknown perpetrators threaten to otherwise name names and leak data.

What is an “advisory”?
In the context of IT security vulnerabilities, the term “advisory” refers to a security alert or notification issued by security researchers, manufacturers, or other relevant parties.

Such a security advisory is intended to inform users of a known vulnerability or security flaw in a specific piece of software, an operating system, an application or a device.

Sources

With material from the Keystone-SDA news agency

  • progress.com: MOVEit Transfer and MOVEit Cloud vulnerability
  • ncsc.admin.nl: Critical Vulnerability in the “MOVEit” File Sharing Program: Quickly install the security patch
  • heise.de: MOVEit: Ransomware gang “Clop” warns companies about security vulnerabilities
  • ipswitch.com: Managed file transfer software


Source: Watson
