Top news stories this week
- MOVEit update. Cl0p continue to name victims, expose data, and demand payment as the deadline passes.
- Downvote. Blackcat threaten to leak 80GB of stolen Reddit data if ransom is not paid.
- Darknet Parliament. KillNet and REvil target the European financial system.
- Patch it. VMware issues urgent warning on critical vulnerability exploited in the wild.
- Imminent data flood. Hackers warn University of Manchester students of an impending data leak.
- InfoStealers. New versions of information stealing malware gain popularity.
- Tsunami alert. A publicly available botnet named Tsunami is uncovered.
1. List of victims grows as Cl0p release more names on their leak site
Cl0p, the group responsible for the MOVEit supply chain attack, has continued to list victims on their leak site. Since 14 June, the deadline set for victims to begin negotiations, a total of 51 victims have been named and eight have had their data exposed. Cl0p have stated that they have been slowly releasing names to "give big companies time" to contact them, and have also emailed victims directly, demanding a ransom to avoid the leak of stolen data.
The US government's Rewards for Justice program has put up a USD 10 million reward for information linking Cl0p to a foreign government. The reward was offered despite Cl0p's insistence that they are financially motivated and not interested in government data. They also claimed to have deleted any government data.
Since the zero-day vulnerability (CVE-2023-34362) that Cl0p exploited in their attack, two more critical vulnerabilities (CVE-2023-35036 and CVE-2023-35708) affecting MOVEit Transfer have been identified.
If you are using MOVEit Transfer, remediate immediately by applying the patches for these vulnerabilities.
2. Blackcat claim to have stolen 80GB of data in February attack on Reddit
Blackcat ransomware group have claimed responsibility for the February attack on Reddit and are threatening to leak 80GB of data unless Reddit pays a USD 4.5 million ransom and reverses its contentious planned API price changes. Reddit confirmed that attackers were able to gain access to their data after an employee fell victim to a phishing campaign.
Phishing awareness training and simulations are essential to prepare employees to identify and avoid phishing attacks.
3. KillNet claims attack against the European Investment Bank
KillNet and REvil appear to have followed through on their threat to attack the European banking system, after the European Investment Bank (EIB) confirmed an attack affecting the availability of its websites. The attack appears to be politically motivated: the Russia-based hackers are targeting financial institutions, specifically SWIFT, over support for Ukraine.
As hackers continue the Russia-Ukraine war online, organisations should continue to evaluate their risk exposure, taking into consideration where, and with whom, they conduct business.
4. Critical VMware security flaw exploited
VMware has warned that attackers are exploiting a recently patched critical vulnerability (CVE-2023-20887) in their network analytics tool, Aria Operations for Networks. Successful exploitation allows attackers to execute commands remotely on affected systems.
If your organisation leverages this VMware product, apply the latest patches to mitigate the vulnerability. Details on the patch can be found here.
5. Hackers warn University of Manchester students of an impending data leak
Hackers who conducted an attack on the University of Manchester are now sending emails to students, warning of an imminent data leak after the university failed to meet their ransom demand. The hackers claim to have stolen seven terabytes of data, including personal information, research data, and other sensitive documents.
Threat actors are resorting to more aggressive tactics if their demands are not met. Organisations must be prepared to handle such threats and take decisive actions to protect their data, reputation, and the interests of their stakeholders.
6. ‘Mystic Stealer’ and ‘Raccoon’ gain popularity
A new information stealer malware dubbed 'Mystic Stealer' is being promoted on hacking forums and darkweb markets. The malware steals data from web browsers, browser extensions, and password vaults. Using code manipulation techniques, the malware can avoid detection by certain anti-virus products.
Elsewhere, infostealers such as 'The Raccoon' have compromised over 100,00 devices holding ChatGPT account credentials in the past year.
Information stealing malware is typically downloaded when a user either clicks on a phishing attachment, visits a malicious website, or downloads infected software. Ensure your users understand the risks associated with each of these insecure practices.
7. Tsunami DDoS botnet uncovered
Researchers have discovered a distributed denial of service (DDoS) botnet campaign named Tsunami whose source code is publicly available, allowing multiple threat actors to leverage it. Attackers are primarily using it to target Linux SSH servers and Internet of Things (IoT) devices via brute-force password attacks.
If your company runs Linux SSH servers or IoT devices, enforce strong password policies and set up firewall rules to block brute-force attempts.
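As an added illustration of the detection side of that advice (not code from the original article or from the Tsunami researchers), the script below parses constructed sshd auth-log lines, flags any source that exceeds a failed-login threshold within a sliding time window, and emits the corresponding firewall block rules. The log lines, the hostnames, the documentation-range IP addresses and the assumed year (syslog timestamps carry none) are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not taken from any real system.
SAMPLE_LOG = """\
Jun 20 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 20 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun 20 10:01:04 host sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2
Jun 20 10:01:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jun 20 10:01:06 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51255 ssh2
Jun 20 10:05:30 host sshd[1210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jun 20 10:05:50 host sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Jun 20 11:30:00 host sshd[1300]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""

# Matches the standard OpenSSH "Failed password" message, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2023):
    """Return (timestamp, source_ip, username) for every failed password login.
    The year is an assumption because syslog timestamps do not include one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that reaches `threshold` failures inside any `window`
    to (failures in that window, sorted usernames tried). Sliding-window scan."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                hits[ip] = (end - start + 1, users)
                break
    return hits

def firewall_rules(hits, port=22):
    """Render one iptables DROP rule per flagged source for review before applying."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(hits)]
```

Run against a real `/var/log/auth.log` the usernames list is itself a useful signal: a spread of default accounts (root, admin, pi) from one source is the typical footprint of a credential-guessing botnet rather than a user mistyping a password.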
S-RM are proud to have been voted Cyber Incident Response Team of the Year at Zywave’s 2023 Cyber Risk Awards. Read more here.