Microsoft Says Clop Ransomware Gang Is Behind MOVEit Mass-Hacks (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Security researchers have linked to the notorious Clop ransomware gang a new wave of mass-hacks targeting a popular file transfer tool, as the first victims of the attacks begin to come forward. It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server's database. Progress Software, which develops the MOVEit software, has already released some patches. Over the weekend, the first victims of the attacks began to come forward.
Zellis, a U.K.-based human resources software maker and payroll provider, confirmed in a statement that its MOVEit system was compromised, with the incident affecting a "small number" of its corporate customers. One of those customers is U.K. airline giant British Airways, which told TechCrunch that the breach included the payroll data of all of its U.K.-based employees. [...] The U.K.'s BBC also confirmed it was affected by the incident affecting Zellis. [...] The government of Nova Scotia, which uses MOVEit to share files across departments, said in a statement that some citizens' personal information may have been compromised. The Nova Scotia government said it took its affected system offline, and is working to determine "exactly what information was stolen, and how many people have been impacted."
It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers are attributing the cyberattacks to a group it tracks as "Lace Tempest." This gang is a known affiliate of the Russia-linked Clop ransomware group, which was previously linked to mass-attacks exploiting flaws in Fortra's GoAnywhere file transfer tool and Accellion's file transfer application. Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration. Mandiant isn't yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are "notable" similarities between a newly created threat cluster it's calling UNC4857 that has as-of-yet "unknown motivations," and FIN11, a well-established ransomware group known to operate Clop ransomware. "Ongoing analysis of emerging activity may provide additional insights," Mandiant said. "It's likely many more victims of the MOVEit breach will come to light over the next few days," adds TechCrunch.
"Shodan, a search engine for publicly exposed devices and databases, showed that more than 2,500 MOVEit Transfer servers were discoverable on the internet."
networked apps are security holes (Score:2)
Re: (Score:2)
Just one more factor - if you have an admin account that has rights to update the Active Directory you shouldn't use that when accessing the internet.
We are at the moment having a major ransomware attack at work caused by some factor unknown to me that allowed the intruders to dump the AD and be able to crack the passwords of some admin accounts.
For some reason as soon as the intrusion was performed the passwords weren't forced to be changed right away so now we sit in a global quagmire.
Re: (Score:2)
That and Windows tends to store the login token of the admin account when it accesses devices. Mimikatz still works AFAIK.
Re: (Score:2)
Think of a global corporation 4 times the size of City of Dallas and you'll be closer to the scope.
Is the issue a lack of end-to-end encryption? (Score:2)
Seems like the type of story that should help policy makers understand that they shouldn't ban end-to-end encryption. The EU is talking of banning e2ee.
But can someone confirm that encryption would have prevented this?
The linked story says "The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server's database." So I guess the data was unencrypted on the server.
Re: (Score:2)
Thanks for clarifying, guruevi.
I was hoping to gather examples of data being stolen from services not using e2ee. Would be a useful thing to document so that policy makers can understand why they shouldn't ban e2ee.
If anyone has examples, I'd be very interested.
That's not what happened, this is what happened (Score:2)
I like to move it move it, I like to move it! (Score:2)
https://www.youtube.com/shorts... [youtube.com]
Can't touch this!
https://youtu.be/keAhk3Lz6E8?t... [youtu.be]
Yes but actually no. (Score:2)
No doubt criminals perpetrated the crime, but the ones who are actually responsible are the company that wrote the application. There will always be a criminal waiting to exploit a program, but only if there are easily exploited programs.