[LIVE UPDATE] Clop Leaks: First Wave of Victims Named

Updated as of June 14, 2023, 1:00 p.m. EST – Updates will be provided here.

All eyes have been on the “Clop” ransomware group’s data-leak website since the group took credit for attacks exploiting the MOVEit Transfer zero-day vulnerability (CVE-2023-34362). On June 6, 2023, the data-stealing extortionists stated that MOVEit Transfer victims had one week to contact the group and begin negotiations. The group threatened to publicly name and shame victims if no ransom was paid, and then leak their data on the data-leak site, >_CLOP^_-LEAKS.

On June 14, 2023, Clop named its first batch of 12 victims. No victim data has been leaked at the time of writing. As the ReliaQuest Threat Research Team continues to monitor the site for more updates, let’s dig into what we’ve seen so far.

Figure: Clop data leakage website as of 1:00 PM ET on June 14, 2023

What We Know So Far

As of 1 p.m. EST on June 14, 2023, Clop has named 12 victims on its dark-web site, but the group is actively adding new victims. So far, the majority of victims named are from the US. Other victims are from Switzerland, Canada, Belgium, and Germany. Expect to see more of Clop’s new victims named throughout the day.

Traditionally, Clop mostly targets organizations in the US, followed by Canada, the UK, and Germany. So far, the MOVEit Transfer victims have been consistent with Clop’s previously targeted victims. Before the MOVEit Transfer leaks, most victims named on its data-leak website were involved in manufacturing (66 entities named), followed by technology (41) and healthcare (33) providers. We will continue to update on target sectors in the MOVEit Transfer leaks as victims are named.

Figure: Clop's victims shown by country on ReliaQuest's GreyMatter platform

Clop Strays from Its MO—Sort Of

This is the third time that Clop has exploited major vulnerabilities in enterprise managed file transfer (MFT) software to target third-party victims. The previous two times were:

  • In February 2023, the group claimed responsibility for more than 130 attacks exploiting a zero-day vulnerability in Fortra GoAnywhere MFT (CVE-2023-0669).
  • In December 2020, Clop exploited zero-days in Accellion’s legacy file-transfer application software, stealing data from more than 100 companies.

In all three campaigns, Clop did not deploy its eponymous ransomware. Instead, the group conducted data extortion: It didn’t encrypt victim systems but threatened to publicly release sensitive data stolen from MFT software. These supply-chain attacks are ruthlessly efficient, allowing Clop to target hundreds of victims at once.

One area where Clop strayed from its modus operandi (MO) was in posting a mass ransom notification on >_CLOP^_-LEAKS. Usually, the group attempts to extort victims one by one. In the case of the Fortra GoAnywhere attacks, Clop opted out of mass notification to victims; instead, the group individually named at least 100 victims over one month on its site.

This change in tactics is likely to improve efficiency. Notifying victims individually is time-consuming. By putting the onus on victims to figure out if they’ve been breached and then get in touch with their extorters, Clop saves time and weeds out companies that won’t negotiate with ransomware operators from the get-go.

Although Clop has diverged from its MO when notifying victims, the group will probably operate as usual in the following ways:

  • Negotiations occur via a private chat room on the dark web.
  • The group names victims on its data-leak website (if negotiations are unsuccessful).
  • Data is leaked in parts until the full data set is exposed.

What’s Next?

By targeting vulnerable enterprise MFT software, Clop can efficiently compromise many organizations, even those with cybersecurity teams and budgets. We expect more companies to be named on >_CLOP^_-LEAKS in the immediate future. For those organizations that refuse to pay a ransom, we’d expect data to be leaked in stages.

With even more MOVEit Transfer vulnerabilities being released (CVE-2023-35036), future MOVEit attacks by Clop and other groups are a realistic possibility. With the group having added supply-chain attacks targeting MFT software to its arsenal, we expect similar Clop attacks in the next three to 12 months.

At the time of writing, we don’t know what percentage of all Clop MOVEit Transfer victims have been publicly named. About 2,500 vulnerable MOVEit Transfer servers were exposed on Shodan. But recent reports point to Clop having knowledge of the MOVEit Transfer vulnerability since as early as July 2021. The latest name dump may be only a drop in the bucket of the total MOVEit Transfer victim count.

After the second negotiation deadline passes (seven days after negotiations begin—meaning a fluid timeline depending on victim engagement), we should expect to see Clop post even more victims. But the real moment of truth, and opportunity to gauge the impact of the breaches, will come when Clop starts leaking data. Ransomware groups sometimes try to hoodwink victims into paying a ransom, falsely claiming that they’ve exfiltrated sensitive data. Until Clop starts leaking data, ReliaQuest will keep a close eye on the data-leak site.

How to Respond

In our June 7, 2023, blog, MOVEit Vulnerability Update: Clop Claims Responsibility, we outlined several ways for potential Clop victims—or any company worried about ransomware—to respond. Any organization running MOVEit Transfer versions pre-dating May 31, 2023, is vulnerable and should assume compromise if the instances were exposed online.

Clop has repeatedly targeted MFT services, making it fundamental for organizations to understand their MFT solution’s public footprint and take steps to harden their defenses. This includes restricting public MFT access to authorized users, setting up firewall rules to exclude unknown IP addresses, and quickly applying software patches.
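The two checks above (assume compromise for pre-May 31, 2023 builds that were internet-facing; restrict MFT access to known source addresses) can be run as a simple triage over an asset inventory. The following is an added example written for this post, not ReliaQuest tooling or anything from Progress; the inventory schema, the use of a last-patched date as a stand-in for the installed version, and all hosts, CIDRs and connection records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Hypothetical inventory record for one MFT instance. The field names are
# assumptions for this example, not any vendor's or ReliaQuest's schema.
@dataclass
class MftInstance:
    host: str
    last_patched: date       # proxy for the installed build's date
    internet_exposed: bool   # reachable from the public internet?
    allowed_sources: list    # CIDR allowlist for inbound MFT access

# Cutoff from the post: builds pre-dating May 31, 2023 are vulnerable.
PATCH_CUTOFF = date(2023, 5, 31)

def triage(inst: MftInstance) -> str:
    """Apply the post's rule of thumb to one instance."""
    if inst.last_patched < PATCH_CUTOFF:
        # Vulnerable build; exposure decides whether to assume compromise.
        return "assume-compromise" if inst.internet_exposed else "patch-now"
    return "patched"

def is_allowed(src_ip: str, allowlist) -> bool:
    """Allowlist check: a source passes only if it falls in an allowed CIDR."""
    ip = ip_address(src_ip)
    return any(ip in ip_network(cidr) for cidr in allowlist)

def flag_unknown_sources(inst: MftInstance, connections) -> list:
    """Return the distinct source IPs that are outside the instance's allowlist."""
    return sorted({src for src in connections
                   if not is_allowed(src, inst.allowed_sources)})

# Constructed sample inventory (documentation address ranges, not real hosts).
INVENTORY = [
    MftInstance("mft-prod-01", date(2023, 4, 12), True,
                ["203.0.113.0/24", "198.51.100.10/32"]),
    MftInstance("mft-dmz-02", date(2023, 6, 2), True, ["203.0.113.0/24"]),
    MftInstance("mft-internal-03", date(2023, 3, 1), False, ["10.0.0.0/8"]),
]

# Constructed source addresses seen connecting to the MFT service.
SAMPLE_CONNECTIONS = ["203.0.113.77", "192.0.2.15", "198.51.100.10", "192.0.2.15"]

def report() -> dict:
    """Map each host to its triage status and any unexpected source IPs."""
    return {inst.host: (triage(inst), flag_unknown_sources(inst, SAMPLE_CONNECTIONS))
            for inst in INVENTORY}

if __name__ == "__main__":
    for host, (status, unknown) in report().items():
        print(f"{host}: {status}; unexpected sources: {unknown or 'none'}")
```

Any host that comes back "assume-compromise" is one the post says to treat as breached rather than merely patched; the unexpected-source list is the input for the firewall rules the paragraph above recommends.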

Where ransomware is concerned, always expect the unexpected. But it’s a good bet that Clop’s exploitation of zero-days will continue in the coming year and other ransomware groups will play copycat. It’s not possible to prevent the exploitation of zero-day vulnerabilities, but effective detection and response are the best options for organizations to manage the ransomware threat.
