16 June 2023

6 min read

Victims named on Cl0p leak site as MOVEit negotiation deadline passes | Cyber Intelligence Briefing: 16 June

June 2023
Victims named on Cl0p leak site as MOVEit negotiation deadline passes | Cyber Intelligence Briefing: 16 June placeholder thumbnail


Top news stories this week

  1. Dumped. Cl0p begins naming victims on leak site after MOVEit negotiation deadline passes.
  2. Caught in the crossfire. Pro-Russian hackers hit Swiss and Dutch targets over support for Ukraine.
  3. Snooping. Chinese government spies exploited vulnerability in Barracuda email appliances.
  4. Cashed out. Bitcoin wallets of Russian security agencies identified and drained by hacker.
  5. Flytrap. RDP honeypot hit 3.5 million times between June and September last year.
  6. Patch it. Microsoft addresses multiple vulnerabilities in June's Patch Tuesday, Fortinet patches critical firewall vulnerability.

Cyber Incident Response Team of the Year


1. Victims named on Cl0p leak site as MOVEit negotiation deadline passes

Cl0p has begun naming businesses on their leak site following the passing of the 14 June deadline for MOVEit cyber attack victims to begin negotiations over their stolen data. 12 companies were added on 15 June, and a further batch of 14 appeared in the morning of 16 June.

Companies impacted by the breach include hydrocarbon giant Shell, financial services firm 1st Source Bank, and professional services firm EY. The UK communications regulator Ofcom and a number of US federal agencies have also been impacted.


So what?

The impact of the breach is likely to grow over the coming days, as security researchers have identified over 2,500 vulnerable MOVEit servers which may have been exploited. If you’re concerned about your exposure to the breach, get in touch.



2. Wave of DDoS attacks on Swiss and Dutch websites over support for Ukraine

The pro-Russian hacking group NoName has claimed responsibility for a series of distributed denial of service (DDoS) attacks on Geneva and Zurich airports, Swiss Federal Railways, and several government bodies. The websites of several ports in the Netherlands were also hit.

NoName claimed the attacks were retribution for Switzerland’s adoption of EU sanctions and the Netherlands’ plans to purchase Swiss tanks for Ukraine.

So what?

While no data is lost in a DDOS attack, the disruption caused by service interruptions can be significant. Organisations should consider investing in mitigation solutions.  



3. Chinese government spies exploited Barracuda vulnerability 

Security researchers have linked data-theft attacks exploiting a now patched zero-day vulnerability in Barracuda email gateway appliances to Chinese state-backed hackers. Hundreds of public and private sector organisations were reportedly impacted, including various government agencies. The attackers began exploiting the vulnerability last October.

So what?

Zero-day exploits target software vulnerabilities which are unknown to the cyber security community. They are impossible to prevent, but a defence in depth approach can help limit the impact of a breach.



4. Hacker labels and drains Bitcoin wallets of Russian government organisations 

An unknown individual has used a blockchain feature to identify 986 wallets allegedly controlled by Russian security agencies. Many of the wallets have also been linked to malicious Russian cyber activity, such as the 2021 SolarWinds attack and 2016 election disinformation campaign.

So what?

Blockchain analysis can be used to determine sanctions exposure and identify other risks. Contact us if you are concerned about a historical or prospective payment. 



5. RDP honeypot attracts 3.5 million hits in 3 month period

Over a 3 month period, security researchers observed over 3.5 million login attempts to a public-facing Remote Desktop Protocol (RDP) connection which was set up as a honeypot to observe malicious activity. The attackers used automated brute-forcing to gain access to the server before manually searching for critical files.

So what?

Threat actors are continuously scanning the web for publicly exposed RDP, Microsoft’s built-in remote administration tool. Organisations should avoid having RDP open externally to reduce their attack surface.



6. Patch time

Microsoft's June 2023 Patch Tuesday brings security updates for 78 flaws. While no zero-day vulnerabilities or actively exploited bugs were fixed, six critical flaws were identified, including denial of service attacks and privilege elevation.

Separately, Fortinet released a patch for a critical FortiGate firewall vulnerability (CVE-2023-27997) that could allow attackers to remotely access vulnerable systems, bypassing multi-factor authentication (MFA).


So what?

Protect your organisation by keeping your systems up to date with the latest security patches. 


Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright
Miles Arkwright
Associate, Cyber Security
James Tytler
James Tytler
Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.

Miles Arkwright
Miles Arkwright

Associate, Cyber Security

James Tytler
James Tytler

Associate, Cyber Security

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.