Hacking group CL0Ps attacks on MOVEit point to ways that cyber extortion may be evolving, illuminating possible trends in who perpetrators target, when they time their attacks and how they put pressure on victims.
Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.
Plus, perpetrators increasingly use threats to publish stolen data more so than file encryption to put pressure on victims and are exploring new ways of denying victims access to their data.
And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.
With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time, Hofmann said. They're seeing what worked well, what didn't, what tactics worked, and they're learning from each other. So, the next go-around is going to be different.
Groups like CL0P also appear to be putting attention on targeting widely used platforms and exploiting zero-day vulnerabilities.
The MOVEit compromise was CL0Ps third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies, while the hackers said their early 2023 attack on GoAnywhere impacted about 130 organizations, per Bleeping Computer. By early July, more than 200 organizations were believed to be affected by the MOVEit hacks, with data breaches affecting more than 17.5 million people, Emsisoft threat analyst Brett Callow told TechCrunch. Of course, hitting victims and getting money out of them are two separate matters.
Cyber criminals can buy zero-day vulnerabilities, said Liska. Paying six figures for zero days in top-name software like Microsoft Exchange may be too spendy for most, but many ransomware groups do have the money to shell out up to five figures to buy zero days in lower-profile, widely used platforms like MOVEit, he said.
You're not spending more than $100,000 and that. And as far as we can tell, CL0Ps made 100 times that at least from this particular attack, Liska said. So, in theory, if they reinvested all of that money, they could buy 100 more of these zero days to these types of platforms or more and still have money leftover to vacation in Sochi.
Still, organizations shouldnt forget about more traditional attack methods, Hofmann said. Roughly 90 percent of cyber extortionists still wage their attacks by taking advantage of unpatched Internet-facing systems, remote desktop protocol (RDP) connections where multifactor authentication (MFA) has yet to be implemented, or phishing and stolen credentials.
MOVEIt software creator Progress announced that the initially exploited vulnerability as well as one discovered a few weeks later took advantage of SQL injection vulnerabilities in the tool.
These are among the oldest forms of vulnerability and are the result of poor coding practices that are preventable, reported Ars Technica.
Federal efforts are underway to push software developers to design offerings with security baked in, thus improving overall safety of the software landscape.
Thats a good way to go, because a lot of these platforms that are heavily relied on are rickety, because they're not looked at they've been traditionally ignored by bad guys, and that picture is changing, Liska said.
Realizing that a secure-by-design vision could take decades, in the meantime, organizations should use a defense-in-depth approach to better protect themselves, Liska said.
In ransomwares early days, perpetrators encrypted files and demanded payment. But other methods may be gaining more popularity. A recent report found attackers increasingly pressuring victims by stealing their data and threatening to publish it, sometimes but not always pairing this with file encryption.
Organizations with sophisticated backup strategies may not need their files back, making traditional encryption-only extortion ineffective, said Lisa Forte, partner at cybersecurity training and consulting provider Red Goat Cyber Security. Plus encrypting and decrypting are tricky: Often the malware would be so aggressive that it would corrupt files, so even if the victim paid and they got the decryption key, the file would be corrupted. So, it was quite difficult to make a business case for companies to pay the ransom, Forte said. But threats to publish sensitive stolen data add new pressure.
And even when victims lack good backups making encryption attacks particularly painful some extortionists may still prefer the speed and efficiency of data theft-only attacks, Hofmann said.
Forte noted that while CL0P totally avoided encryption in its attack on MOVEit, many other threat actors have kept it in play. Even extortionists that, too, primarily use data theft as leverage against their victims often still lock up some parts of a victims network, as an opening salvo. The drama of a sudden file encryption and a ransomware splash screen appearing can grab victims attention.
One minute you think youre fine, and then next minute everything is locked, and youve got splash screens on every device, Forte said. That really brings the attention of the board. But definitely the main negotiating chip is the data thats stolen.
Liska has also seen some attackers adopt a new method of denying victims access to their files, creating a dramatic disruption while avoiding the technical complications and hassles of encryption. In these attacks, perpetrators exfiltrate their targets data then secure delete those files. Such a move rewrites the erased files with meaningless data, to prevent victims from being able to recover them. Extortionists can then demand ransom in exchange for sending victims back a copy of that exfiltrated data.
When we talk about taking the data and then secure deleting it, in effect you are actually stealing it at that point, because the data is no longer sitting on their [hard drives] unless it can be restored from backups. That's where I think this is going to go I think we'll see more of that, Liska said.
Of course, as Liska noted, victims might restore data from backups. But extortionists could still threaten to publish it.
In the MOVEit compromise, not even CL0P seemed prepared for how much data it managed to steal.
The hackers appeared to hurry to exploit as many systems as possible with the zero day before a patch could be issued. That meant they were scooping up data without necessarily knowing who it came from. Since then, the hackers have been working to sort through their stores of data, Liska said.
Notably and unusually rather than contact its victims with extortion demands, CL0P instead posted a message on its dark website telling victims to contact it.
They basically said, Hey, if you were one of the victims, email us, Liska said. They didn't even have a good accounting of who all they hit.
Organizations should take the threat seriously but shouldnt rush to comply, Hofmann said. Past incidents have seen some threat actors only discover who theyd hit when the victims got in touch, and victims that begin negotiations without a clear plan in place risk making the situation worse for themselves. They draw threat actors attention and might make mistakes, such as inadvertently revealing how badly attacks have affected them, thus handing leverage to the extortionists. In general, victims should never reveal anything that isnt already public knowledge, he said.
And victims should be wary of believing threat actors claims: Sometimes extortionists mistakenly think theyve impacted an organization, when theyve really hit another with a similar-looking website or one of the organizations subsidiaries, Hofmann said. CL0P may have made such mistakes, with ZDNET reporting in 2022 that CL0P tried to extort Thames Water, when it appeared to have actually hit South Staffordshire Water.
All this underscores the need for organizations including C-suite executives to participate in practicing and planning incident response and negotiations, to be ready should an extortion attack hit. For example, entities need to pin down details like, how much to tell the public; at what point they might engage with the extortionists and who will do that; as well as who will decide whether to pay and how that transaction will be made.
Despite the messiness of the attack, Liska believes CL0P has been improving its extortion tactics. Tracking of publicly known wallets suggests that the GoAnywhere hack didnt produce a lot of profit, but this time around, CL0P seems to have better determined how to monetize, he said.
CL0P has been gradually revealing its victims. This may in part indicate that its still working to sort through the stolen data, but also can be strategic, Liska said. Each new victim announcement returns public attention to the incident, keeping it in the news for months rather than weeks which may put more pressure on victims. Still, Hofmann said that, unlike for some past incidents, media reporting on MOVEit hasnt been critical of the impacted organizations: The optics of it, from a public perspective, are a little bit different, because many entities were affected via a trusted third-party vendor who was brought in specifically for protecting sensitive data.
Forte said CL0P appeared to struggle at first to determine which entities to extort in the affected software supply chain. Theyd compromised a file transfer tool created by Progress, and doing so let them obtain data handled by U.K. payroll solutions provider Zellis, for example. That data included payroll information on Zellis own clients, such as the BBC and British Airways.
There was a lot of confusion in the early days as to whether they were asking the actual end victims i.e., the BBC, British Airways, etc. or whether they were asking Zellis, or whether they were asking the company behind the MOVEit software, Forte said. The problem they had was that they didn't realize the complexity of the supply chain that they were hitting.
When choosing which impacted entities to threaten, cyber extortionists are often playing for media attention, Liska said. They typically threaten publish data from whichever impacted entities within the supply chain have the biggest name recognition. Threatening widely recognized end users will get more publicity, even if it technically was another entity's software that was compromised.
It doesnt matter whether or not they actually hit Ernst & Young or PwC. What matters is there's EY and PwC data that they got there, Liska said. You have to write about that as a journalist, because they are such big companies and they [cyber extortionists] know that.
CL0P said it would delete any data it had stolen from government, per TechCrunch. Opinions vary over whether organizations can believe these kinds of claims.
On the one hand, cyber criminals have a brand to protect, and some ransomware groups have followed through on promises to help restore data stolen from hospitals, for example, Forte said.
Victims have little motive to pay criminals who are known to go back on their word: The ransomware groups in general tend to be quite honorable to their word. They need to do that because they have to maintain a good brand image to get insurers, etc., to pay them when they hit other companies.
Plus, ransomware actors may hope that deleting data from entities like governments and hospitals could make them less of a priority for federal law enforcement. They also may hope it helps their image so they dont look quite so evil, she said.
Liska, meanwhile, said cyber criminals often give lip service to deleting the data in hopes of easing authorities attention on them, but he expects CL0P to still share or sell the government data.
You should never assume a ransomware actor is actually going to delete stolen data they will claim it up and down [but] once that data is stolen, that is out there and you have to assume that its going to be out there forever, Liska said.
One possible buyer? The Russian government. There appears to be some evidence suggesting a level of coordination between some cyber crime groups and the Russian government, which could enable gangs like CL0P to make such a sale, Liska said. But he cautioned against overstating this relationship, emphasizing the unavailability of evidence to indicate the Russian government is controlling the cyber criminals.
View original post here:
Cyber Extortion Trends: Lessons from CL0P and MOVEit - Government Technology
- WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature - 9 to 5 Mac [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- GOP demands inquiry into EPA use of encrypted messaging apps - CNET [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Encryption Apps Help White House Staffers Leakand Maybe Break the Law - WIRED [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- World Wide Web Creator Calls for Internet Decentralization & Encryption - The Data Center Journal [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- What It Means to Have an 'Adult' Conversation on Encryption - Pacific Standard [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Confide in me! Encryption app leaks sensitive info from Washington DC - SC Magazine UK [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Gmail v7.2 Prepares to Add Support for S/MIME Enhanced Encryption - XDA Developers (blog) [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Top 6 Data Encryption Solutions - The Merkle [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Your Guide to the Encryption Debate - Consumer Reports - ConsumerReports.org [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Google helps put aging SHA-1 encryption out to pasture - Engadget [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Decipher your Encryption Challenges - Infosecurity Magazine [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How the Politics of Encryption Affects Government Adoption - Freedom to Tinker [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How Encryption Makes Your Sensitive Cloud-Based Data an Asset, Not a Liability - Security Intelligence (blog) [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Set up VMware VM Encryption for hypervisor-level security - TechTarget [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How The Media Are Using Encryption Tools To Collect Anonymous Tips - NPR [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Encryption patent that roiled Newegg is dead on appeal | Ars Technica - Ars Technica [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Research proposes 'full-journey' email encryption - The Stack [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Database-as-a-service platform introduces encryption-at-rest - BetaNews [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Encrypted Messaging Service 'Signal' Adds Video Call Option - Top Tech News [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Germany, France lobby hard for terror-busting encryption backdoors ... - The Register [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- How to Send Encrypted Nudes, a Guide for the Discerning Lover - Inverse [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Ironclad Encryption Corporation Announces New Ticker Symbol OTCQB: IRNC - Yahoo Finance [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- The Best Email Encryption Software of 2017 | Top Ten Reviews [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- No, you shouldn't delete Signal or other encrypted apps - TechCrunch [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Best encryption software: Top 5 - Computer Business Review [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Encryption Backdoors, Vault 7, and the Jurassic Park Rule of Internet Security - Just Security [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- That Encrypted Chat App the White House Liked? Full of Holes - WIRED [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - New York Times [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Snake-Oil Alert Encryption Does Not Prevent Mass-Snooping - Center for Research on Globalization [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Customer Letter - Apple [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Don't Let WikiLeaks Scare You Off of Signal and Other Encrypted Chat Apps - WIRED [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- BT to offer customers encryption service for data - Capacity Media (registration) [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Encryption - technet.microsoft.com [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Use FileVault to encrypt the startup disk on ... - Apple Support [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Viber launches secret chats to go beyond encryption - SlashGear [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- Zix wins 5-vendor email encryption shootout - Network World [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- A lesson from the CIA WikiLeaks dump: Encryption works - The Seattle Times [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - NewsFactor Network [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Panicked Secret Service Says It Lost Encrypted Laptop But It's Fine, Everything's Fine - Gizmodo [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Google Cloud adds new customer-supplied encryption key partners ... - ZDNet [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Preseeding Full Disk Encryption - Linux Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Bypassing encryption: 'Lawful hacking' is the next frontier of law enforcement technology - Boston Business Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- SecurityBrief NZ - Gemalto introduces on-prem encryption key solution for 'highly regulated' organisations - SecurityBrief NZ [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- 'Always Be Concerned': US Court Slaps Down Fifth Amendment Defense of Encryption - Sputnik International [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Quantum Key System Uses Unbreakable Light-Based Encryption to Secure Data - Photonics.com [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Wikileaks Only Told You Half The Story -- Why Encryption Matters More Than Ever - Forbes [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- EPA Sued For Withholding Info On Encrypted Text Messages | The ... - Daily Caller [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Opinion Data encryption efforts ramp up in face of growing security threats - Information Management [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Bypassing encryption: Lawful hacking is the next frontier of law enforcement technology - Salon [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- NeuVector Announces Container Visualization, Encryption, and Security Solution for NGINX Plus - DABCC.com [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Is encryption one of the required HIPAA implementation specifications? - TechTarget [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Paper Spells Out Tech, Legal Options for Encryption Workarounds - Threatpost [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Encryption debate needs to be nuanced, says FBI's Comey - TechTarget [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- Comey Renews Debate Over Encryption - 550 KTSA [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- UK minister says encryption on messaging services is unacceptable - Reuters [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- The why and how of encrypting files on your Android smartphone - Phoenix Sun [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- UK targets WhatsApp encryption after London attack - Yahoo News [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Critical flaw alert! Stop using JSON encryption | InfoWorld - InfoWorld [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- SecureMyEmail is email encryption for everyone - TechRepublic - TechRepublic [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Apple iOS 10.3 will introduce encryption which makes it MORE difficult for cops and spooks to crack into ISIS nuts ... - The Sun [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- How to Analyze An Encryption Access Proposal - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Questions for the FBI on Encryption Mandates - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Justice Department anti-terror chief keeps pressing on encryption - Politico (blog) [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- UK government can force encryption removal, but fears losing, experts say - The Guardian [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Encryption FAQs [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Why isn't US military email protected by standard encryption tech? - Naked Security [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- How have ARM TrustZone flaws affected Android encryption? - TechTarget [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Keeping the enterprise secure in the age of mass encryption - Information Age [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Lack of encryption led to Dallas siren hack - WFAA [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Internet Society tells G20 nations: The web must be fully encrypted - The Register [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Make Encryption Ubiquitous, Says Internet Society - Infosecurity ... - Infosecurity Magazine [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Can we encrypt the web while giving governments a backdoor to snoop? - SC Magazine UK [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Why we need to encrypt everything - InfoWorld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Hacked Dallas sirens get extra encryption to fend off future attacks - Computerworld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- SHA-1 Encryption Has Been Broken: Now What? - Forbes [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Hewlett Packard Enterprise touts encryption tool for federal clients - The Hill [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Encryption on the Rise in Age of Cloud - Infosecurity Magazine - Infosecurity Magazine [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Lawmaker Pushes Bill That Requires Encryption by Pennsylvania State Employees - Government Technology [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Disk encryption - Wikipedia [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- The apps to use if you want to keep your messages private - Recode [Last Updated On: April 15th, 2017] [Originally Added On: April 15th, 2017]