Healthcare Cybersecurity

TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center

An alarm has been sounded about a relatively unknown threat group called TimisoaraHackerTeam following a recent attack on a U.S. medical facility. TimisoaraHackerTeam is believed to be a financially motivated threat group, which in contrast to many cybercriminal and ransomware groups, has no qualms about attacking the healthcare and public health (HPH) sector and appears to actively target HPH sector organizations, mainly conducting attacks on large organizations. The group was first identified in July 2018 but has largely stayed under the radar.

According to the Healthcare Sector Cybersecurity Coordination Center (HC3), which issued the alert on June 16, the group has resurfaced and conducted a June 2023 ransomware attack on a U.S. cancer center which rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients.

The group exploits known vulnerabilities to gain initial access to HPH sector networks, then escalates privileges, moves laterally, and encrypts files. Rather than custom ransomware, the group uses Microsoft’s native disk encryption tool, BitLocker, along with Jetico’s BestCrypt, which allows it to encrypt files without being detected by security solutions. Previous attacks that have been loosely attributed to TimisoaraHackerTeam include an attack on a French hospital in April 2021 which involved similar living-off-the-land tactics, and an attack on Hillel Yaffe Medical Center in Israel, which resulted in the cancellation of non-elective procedures and forced the medical center to switch to alternative systems to continue to provide patient care.

According to the cybersecurity firm Varonis, the attack on Hillel Yaffe Medical Center in Israel is thought to have involved the exploitation of a known and unpatched vulnerability in the Pulse Secure VPN, with the hackers then using living-off-the-land techniques for the later stages of the attack to evade security solutions. Varonis says reports of attacks by TimisoaraHackerTeam mostly date to 2018. While it is possible that the group has resurfaced, the DeepBlueMagic threat group may be an evolution of TimisoaraHackerTeam, or DeepBlueMagic may simply have adopted the same tactics. The same tactics have also been used by hackers in China, in attacks attributed to the Advanced Persistent Threat group tracked as APT41, although it is unclear to what extent, if any, these threat actors are linked.

In addition to exploiting Pulse Secure VPN vulnerabilities, TimisoaraHackerTeam has targeted vulnerabilities in Microsoft Exchange Server and Fortinet firewalls and uses poorly configured Remote Desktop Protocol to move laterally within networks. The recent attack on the cancer center serves as a warning that the group is still active, and that network defenders should take steps to improve monitoring and protect their networks from attacks. Further details on the group and its tactics, techniques, and procedures can be found in the HC3 HPH Sector Cybersecurity Notification.
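The living-off-the-land encryption described above (BitLocker and BestCrypt instead of custom ransomware) is hard to catch with signature-based tools, so the practical control is to watch process-creation telemetry for disk encryption being switched on where it is not expected. The following Python detection is an added example, not part of the HIPAA Journal post or the HC3 notification: the sample records are constructed, the allowlisted deployment account and the BestCrypt executable path are assumptions, and the record shape assumes Windows Security event 4688 with command-line logging enabled (or Sysmon event 1) normalised to JSON.

```python
import json
import ntpath

# Constructed allowlist (assumption): accounts that legitimately roll out
# BitLocker to workstations. Anything else enabling encryption is worth a look.
APPROVED_ENCRYPTION_ACCOUNTS = {"corp\\deploy-svc"}

# Constructed sample telemetry, NOT real logs. One JSON record per process start.
SAMPLE_EVENTS = [
    json.dumps({"host": "SRV-FILE01", "role": "server", "user": "CORP\\svc-backup",
                "image": "C:\\Windows\\System32\\manage-bde.exe",
                "command_line": "manage-bde -on D: -RecoveryPassword -SkipHardwareTest"}),
    json.dumps({"host": "WS-1042", "role": "workstation", "user": "CORP\\jdoe",
                "image": "C:\\Windows\\System32\\manage-bde.exe",
                "command_line": "manage-bde -status C:"}),          # benign status query
    json.dumps({"host": "SRV-DB02", "role": "server", "user": "CORP\\admin-tmp",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "command_line": "powershell.exe -Command Enable-BitLocker -MountPoint E: -RecoveryPasswordProtector"}),
    json.dumps({"host": "SRV-APP03", "role": "server", "user": "CORP\\admin-tmp",
                # Placeholder path (assumption): real BestCrypt binary names vary.
                "image": "C:\\Program Files\\Jetico\\BestCrypt\\bestcrypt_placeholder.exe",
                "command_line": ""}),
    json.dumps({"host": "WS-2001", "role": "workstation", "user": "CORP\\deploy-svc",
                "image": "C:\\Windows\\System32\\manage-bde.exe",
                "command_line": "manage-bde -on C: -RecoveryPassword"}),  # approved rollout
    json.dumps({"host": "WS-3310", "role": "workstation", "user": "CORP\\jdoe",
                "image": "C:\\Windows\\System32\\manage-bde.exe",
                "command_line": "manage-bde -on C: -RecoveryPassword"}),  # unexpected user
]


def classify(event):
    """Return the kind of encryption activity a process-creation record shows, or None."""
    image = event.get("image", "").lower()
    exe = ntpath.basename(image)
    cmd = event.get("command_line", "").lower()
    tokens = cmd.split()
    # Native BitLocker management tool turning protection on for a volume.
    if exe == "manage-bde.exe" and "-on" in tokens:
        return "bitlocker_enable"
    # Same outcome via the BitLocker PowerShell module.
    if exe in {"powershell.exe", "pwsh.exe"} and "enable-bitlocker" in cmd:
        return "bitlocker_enable"
    # Third-party volume encryption that is not part of a standard build.
    if "bestcrypt" in image or "jetico" in image:
        return "bestcrypt_activity"
    return None


def severity(event, kind):
    """Rate the activity; None means it matches an expected pattern and is not alerted."""
    if kind == "bestcrypt_activity":
        return "high"                      # not an approved product anywhere (assumption)
    if event.get("role") == "server":
        return "high"                      # servers are where the group encrypts data
    if event.get("user", "").lower() not in APPROVED_ENCRYPTION_ACCOUNTS:
        return "medium"                    # workstation, but not the deployment account
    return None


def detect(lines):
    """Run the rules over JSON log lines and return the alerts they produce."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        kind = classify(event)
        if kind is None:
            continue
        sev = severity(event, kind)
        if sev is None:
            continue
        alerts.append({"host": event["host"], "user": event["user"],
                       "kind": kind, "severity": sev,
                       "command_line": event.get("command_line", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']} {alert['kind']}: "
              f"{alert['command_line']}")
```

Command-line logging for event 4688 requires the "Include command line in process creation events" audit policy to be enabled; without it the `manage-bde -status` and `manage-bde -on` cases cannot be told apart.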

The post TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center appeared first on HIPAA Journal.

Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required

Progress Software has issued a warning about another vulnerability in its MOVEit Transfer file transfer software, an exploit for which is in the public domain. The announcement comes as the Clop ransomware group starts to name companies that were attacked by exploiting a separate zero-day bug in May, and CISA confirms the victims include several federal agencies.

The CVE for the latest vulnerability is still pending and there is no CVSS severity score at present; however, this is a critical vulnerability and a Proof-of-Concept (PoC) exploit for the new zero-day flaw has been shared by a security researcher on Twitter, although at the time of release, code execution is not believed to have been achieved. The attacks by the Clop gang demonstrate that MOVEit vulnerabilities can be weaponized and exploited in mass attacks, so mitigations should be implemented immediately and patches applied as soon as they are released.

MOVEit Transfer Zero Day Mitigations and Fixes

According to Progress Software, all users must take action to address the latest MOVEit zero-day bug. The steps that need to be taken depend on whether patches have been applied to fix the zero-day bug (CVE-2023-34362) that was exploited by Clop and patched on May 31, 2023, and a second critical SQL injection vulnerability – CVE-2023-35036 – a patch for which was released on June 9. The May 31 and June 9 patches and remediation steps should be followed first, if they have not been already, then the June 15, 2023, patch can be applied to fix the third zero-day (CVE pending).

If it is not possible to immediately apply the June 15, 2023, patch, users should disable all HTTP and HTTPS traffic to the MOVEit Transfer environment immediately (ports 80 and 443) to prevent unauthorized access. HTTP and HTTPS traffic should not be re-enabled until the June 15, 2023, patch has been applied. While this mitigation will prevent users from being able to log into their accounts via the web user interface, transfers will still be available since the SFTP and FTPS protocols will continue to work, and admins will still be able to access MOVEit Transfer by connecting to the Windows server via remote desktop and then navigating to https://localhost/.

Details on patching all three vulnerabilities and the mitigation steps are provided in the latest Progress Software alert.

Progress Software said, “We have taken HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized.”

Clop Starts Publishing Victims’ Names on Dark Web Data Leak Site

The Clop gang claimed responsibility for the attacks which exploited the May 2023 vulnerability (CVE-2023-34362), and while the victim count is not known, several hundred companies are understood to have been affected. Clop provided a deadline of June 14, 2023, for payment of the ransom demands, after which the group claimed it would start releasing the stolen data. On Wednesday, names started to be published on its data leak site which include the oil and gas company Shell, the University of Georgia (UGA) and University System of Georgia (USG), UnitedHealthcare Student Resources (UHSR), Putnam Investments, Heidelberger Druck, and Landal Greenpark. Several other companies have confirmed that they were affected although they have yet to be listed on the data leak site. Those companies include Zellis, Boots, Aer Lingus, and the BBC.

CISA Confirms Federal Agencies Impacted

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that several federal agencies were attacked by the Clop gang by exploiting the May 2023 vulnerability and that it is providing support to the agencies that have suffered intrusions. Eric Goldstein, CISA executive assistant director for cybersecurity, confirmed to CNN that it is currently trying to understand the impact of those intrusions. CISA Director, Jen Easterly, said the May 2023 attacks were opportunistic in nature and were not targeted at government agencies, and while Clop is a Russian ransomware group, the attacks are not believed to be connected to the Russian government. “Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” said Easterly. Government agencies known to have been affected include the Energy Department, which confirmed that two entities within the Department have been compromised.

Senate Committee Advances Rural Hospital Cybersecurity Enhancement Act

The Senate Homeland Security and Governmental Affairs Committee has advanced a bill that seeks to address the current shortage of cybersecurity skills in rural hospitals, which are increasingly targeted by cybercriminals. Rural hospitals do not have the resources available to invest in cybersecurity and struggle to recruit skilled cybersecurity professionals and, as such, are seen as soft targets by cybercriminals.

The Rural Hospital Cybersecurity Enhancement Act, which was introduced by Sen. Josh Hawley (R-MO) and co-sponsored by Sens. Gary Peters (D-MI) and Jon Ossoff (D-GA), requires the Secretary of the Department of Homeland Security to develop, within a year of enactment of the act, a comprehensive rural hospital cybersecurity workforce development strategy to address the current shortage of cybersecurity staff and the growing need for skilled cybersecurity professionals in rural hospitals.

When developing the cybersecurity workforce development strategy, the Secretary should consider partnerships between rural hospitals, private sector entities, educational institutions, and non-profits to expand cybersecurity education and training programs tailored to the needs of rural hospitals, consider the development of a cybersecurity curriculum and teaching resources for rural educational institutions, and make recommendations for legislation, rulemaking, and/or guidance for implementing the strategy.

Rural hospitals are operating under increasing financial pressure and lack the necessary funding for cybersecurity. Currently, few rural hospitals have dedicated cybersecurity workers and IT staff are generally in short supply and overworked. Cybersecurity positions in rural hospitals typically have low remuneration, and the lack of funding means individuals who take on cybersecurity roles do not have access to the latest cybersecurity tools that would be at their disposal in other positions. The global shortage of skilled cybersecurity professionals is unlikely to be resolved in the short to medium term, so the aim of the bill is to address the shortage through teaching programs at rural educational institutions and developing rural hospital workforces through education on fundamental aspects of cybersecurity.

Sen. Rand Paul (R-TX) tabled an amendment to the original bill, stipulating that CISA should not ask for additional funds for the proposed measures, and the amended bill will now head to the Senate floor for a vote. The advancement of the Rural Hospital Cybersecurity Enhancement Act occurred a few days after the announcement that a rural hospital in Illinois will permanently close on June 16, 2023, due, in part, to the financial pressures caused by a ransomware attack.

“I am encouraged Congress is taking bipartisan action to shore up the ability of small-town hospitals to defend themselves from cyberattacks,” said Senator Hawley. “We must continue working diligently to improve cybersecurity preparedness in rural hospitals to both protect the sensitive medical and personal data of American patients and defend our national security.”

Comprehensive LockBit Ransomware Cybersecurity Advisory Issued by CISA & Partners

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and its international cybersecurity agency partners have issued a cybersecurity advisory about the LockBit ransomware operation, which has extorted $91 million from organizations in the United States since 2020 across 1,700 attacks.

“This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.”

The LockBit ransomware-as-a-service operation is the most prolific RaaS group, having listed more victims on its data leak site than any other ransomware operation. LockBit was behind 16% of ransomware attacks on state, local, tribal, and territorial (SLTT) governments in 2022 and was the most commonly deployed ransomware variant last year. The group has attacked organizations of all sizes, including critical infrastructure entities such as financial services, food & agriculture, education, and healthcare, and 2023 attacks have continued in high numbers.

There are several reasons why LockBit has become the most prolific RaaS operation. Affiliates are recruited to conduct attacks and receive a share of the ransoms they generate, as is the case with other RaaS operations; however, LockBit pays its affiliates faster and provides them with their cut of ransom payments before payment is received by core members of the group. The group has developed an easy-to-use interface for its affiliates which lowers the bar for new affiliates, who require less technical skill to start conducting ransomware attacks than with other ransomware variants. The group also engages in publicity-generating exercises, disparages other RaaS operations, and has even taken steps to discourage individuals from disclosing the identity of the lead member of the group (LockBitSupp) to law enforcement by offering a $1 million bounty on information that could lead to LockBitSupp’s identification.

Due to the large number of affiliates working within the LockBit operation, the tactics, techniques, and procedures (TTPs) used in attacks are diverse so network defenders face significant challenges defending against attacks. The security advisory details the TTPs that CISA, the FBI, and their international cybersecurity partners have observed in LockBit ransomware attacks over the past 3 years, along with a lengthy list of mitigations to help network defenders take proactive steps to improve their defenses against LockBit attacks. The advisory includes around 30 different freeware and open source tools that have been used by LockBit affiliates, 9 CVEs that are known to have been exploited, and more than 40 MITRE ATT&CK techniques for initial access, discovery, credential access, privilege escalation, lateral movement, persistence, defense evasion, collection, command and control, data exfiltration, and execution.

“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, and encouraged all victims of cybercrime to report incidents to their local FBI field office.

Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital

Ransomware attacks can cause healthcare facilities to temporarily close, and some small healthcare practices have decided not to reopen after a ransomware attack, but hospitals and health systems are usually financially resilient enough to remediate the attacks and recover. St. Margaret’s Health was not. Like many rural hospitals and health systems, St. Margaret’s Health had been struggling to maintain operations in the face of increasing financial pressures, then fell victim to a ransomware attack that sent it into a downward financial spiral. The attack, in combination with several other factors, resulted in the decision to permanently close its 44-bed Spring Valley location in Illinois. St. Margaret’s Health also operates a 49-bed hospital in Peru, IL, which was under a temporary suspension that was announced in January this year. All operations at the two hospitals will permanently end on Friday, June 16, 2023.

The Sisters of Mary of the Presentation founded St. Margaret’s Health in 1903, and in 2021, St. Margaret’s Hospital – Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations and formed a regional health network run by the SMP Health ministry, with IVCH changing its name to St. Margaret’s Hospital – Peru. St. Margaret’s Health tried to integrate the new hospital into St. Margaret’s Health so that the two hospitals and their associated clinics could continue to provide Catholic healthcare in the Illinois Valley, but the challenges proved too great. Like many rural hospitals, St. Margaret’s Health has faced increasing financial pressures in recent years, and the COVID-19 pandemic, continuing staff shortages, and the ransomware attack on St. Margaret’s Hospital – Spring Valley’s computer systems in February 2021 proved too much and made it impossible to sustain its ministry. The ransomware attack itself did not trigger the closure, but it did play a key part in the decision to close. The ransomware attack prevented the hospital from submitting claims to insurers, Medicare, and Medicaid for months, piling even more financial pressure on the already struggling St. Margaret’s Health.

Suzanne Stahl, chair of SMP Health, said St. Margaret’s Health has signed a non-binding letter of intent with OSF Healthcare to acquire the Peru campus and related ambulatory facilities, and the proceeds of the sale will be used to pay off a portion of St. Margaret’s debts and will help to ensure that Catholic-based healthcare will continue to be provided in the Illinois Valley and the surrounding areas. The transition will take some time, and while OSF Healthcare is working to accomplish the purchase as quickly as possible, it is not able to provide a time frame for when care will resume. “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Melanie Malooley-Thompson, Mayor of Spring Valley. The closure will mean that patients will be forced to travel much further for emergency room and obstetrics services.

Longstanding pressures on rural hospitals resulted in 136 rural hospital closures between 2010 and 2021, according to a 2022 report from the American Hospital Association, including 19 closures in 2020 alone. Rural hospitals typically have low reimbursement, staff shortages, and low patient volumes, and also had to deal with the COVID-19 pandemic. A cyberattack can be enough to send them over the edge.

Tragically, this is unlikely to be the last ransomware attack that proves too much for a rural hospital. Increasing financial pressure limits the ability of rural hospitals to invest in cybersecurity and they also struggle to attract and retain skilled cybersecurity staff. That makes rural hospitals an easy target for ransomware gangs, which are increasingly targeting these healthcare facilities. Even when rural hospitals are not specifically targeted, they can still fall victim to non-targeted attacks due to the lack of appropriate cybersecurity.

HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams

The Health Sector Cybersecurity Coordination Center (HC3) has compiled a profile of the FIN11 threat group (TA505/Lace Tempest/Hive0065), which is known to target organizations in the healthcare and public health (HPH) sector. Historically, FIN11 has conducted phishing campaigns but has now migrated to other attack vectors against companies in North America and Europe. The group is financially motivated and often engages in data theft for extortion, with or without ransomware.

Recent attacks include the exploitation of zero-day vulnerabilities in file transfer solutions to gain access to sensitive data, which is stolen and threatened to be released if a ransom is not paid. FIN11 often deploys CLOP ransomware in its attacks, although it is unclear exactly how many CLOP ransomware attacks FIN11 has conducted. The ransom demands in these attacks vary based on the perceived ability of the victim to pay and typically range from a few hundred thousand dollars to $10 million.

FIN11 phishing and spear phishing campaigns have used a combination of malicious attachments and hyperlinks, and fake download pages have been used to trick people into downloading malware. FIN11 is thought to have been involved in the mass exploitation of vulnerabilities in the MOVEit and Accellion FTA file transfer solutions, the PaperCut MF and NG vulnerability in 2023, the Windows ZeroLogon vulnerability in October 2020, and several other vulnerabilities. FIN11 also targeted HPH sector organizations during the COVID-19 pandemic.

FIN11 is known to deploy a range of different malware variants after gaining initial access to networks. In addition to CLOP ransomware, the group has deployed the LEMURLOOT web shell, P2P RAT, FlawedAmmyy and FlawedGrace remote access Trojans, and Cobalt Strike, along with a host of other tools to allow the group to achieve its objectives.

Due to the range of different attack vectors, mitigations are varied and involve strong email security measures, prompt patching of known vulnerabilities, endpoint detection solutions, and active monitoring of security alerts for signs of compromise. HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams, as the group poses a significant threat to the HPH sector.

Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability

A critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN has potentially already been exploited by malicious actors. The vulnerability, tracked as CVE-2023-27997, is a heap buffer overflow issue in FortiOS and FortiProxy SSL-VPN which can be exploited remotely, pre-authentication, to execute code via malicious requests to vulnerable devices. The flaw can be exploited even if multifactor authentication has been enabled.

Fortinet firewalls and VPNs are widely used and vulnerabilities are actively sought by malicious actors and have been rapidly exploited in the past. A search on the Shodan search engine indicates around 250,000 Fortinet firewalls are accessible over the Internet and the majority of those are thought to be vulnerable. Fortinet said the vulnerability was identified during a code audit conducted in response to a series of attacks exploiting a separate zero-day vulnerability – CVE-2022-42475 – in FortiOS SSL VPN that was disclosed in January. Those attacks were linked to the Chinese state-sponsored threat group, Volt Typhoon, which has been active since mid-2021 and has previously targeted critical infrastructure entities in the United States. Fortinet has not linked exploits of the most recently disclosed vulnerability to Volt Typhoon, but said the threat actor and other threat groups will likely target the vulnerability and that there may already have been limited attacks against government, manufacturing, and critical infrastructure.

Fortinet issued a security advisory on June 12 about the vulnerability, which affects virtually all versions of FortiOS and FortiProxy. Patches have been released to fix the vulnerability and customers have been urged to update their firmware to the latest version. Fortinet said the vulnerability is mitigated if customers are not operating SSL-VPN; however, all users have been recommended to update to the latest firmware version regardless.

While there is only believed to have been limited exploitation of the flaw, now that patches have been released threat actors will compare the new releases with previous firmware versions to work out what has changed and will likely rapidly discover and develop exploits for the vulnerability, so immediate patching is strongly recommended. All users should ensure they have updated to the following firewall and VPN versions:

FortiOS-6K7K

  • FortiOS-6K7K version 7.0.12 or above
  • FortiOS-6K7K version 6.4.13 or above
  • FortiOS-6K7K version 6.2.15 or above
  • FortiOS-6K7K version 6.0.17 or above

FortiOS

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.5 or above
  • FortiOS version 7.0.12 or above
  • FortiOS version 6.4.13 or above
  • FortiOS version 6.2.14 or above
  • FortiOS version 6.0.17 or above

FortiProxy

  • FortiProxy version 7.2.4 or above
  • FortiProxy version 7.0.10 or above
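Because the fixed build differs per release branch (note that FortiOS-6K7K 6.2 needs 6.2.15 while standard FortiOS 6.2 needs 6.2.14), a fleet check should compare each device against the minimum for its own branch rather than against a single number. The Python below is an added example, not code from the HIPAA Journal post or from Fortinet: the fixed-version table is taken from the list above, and the inventory hostnames and build numbers are constructed.

```python
import re

# Minimum fixed release per product and branch, from the list above.
# Key: (major, minor) branch -> first fixed (major, minor, patch).
FIXED_VERSIONS = {
    "FortiOS-6K7K": {(7, 0): (7, 0, 12), (6, 4): (6, 4, 13),
                     (6, 2): (6, 2, 15), (6, 0): (6, 0, 17)},
    "FortiOS": {(7, 4): (7, 4, 0), (7, 2): (7, 2, 5), (7, 0): (7, 0, 12),
                (6, 4): (6, 4, 13), (6, 2): (6, 2, 14), (6, 0): (6, 0, 17)},
    "FortiProxy": {(7, 2): (7, 2, 4), (7, 0): (7, 0, 10)},
}

# Accepts "7.0.11", "v7.0.11" or "v7.0.11,build0489"; the build suffix is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a firmware version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(product, version_text, sslvpn_enabled=True):
    """Compare one device against the fixed version for its branch.

    status is "patched", "vulnerable", or "unlisted" (branch not in the table;
    the advisory says virtually all versions are affected, so treat as unresolved).
    exposed is True when the device is not known-patched AND SSL-VPN is enabled,
    since Fortinet states the flaw is mitigated when SSL-VPN is not in use.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    running = parse_version(version_text)
    branch = running[:2]
    fixed = FIXED_VERSIONS[product].get(branch)
    if fixed is None:
        status = "unlisted"
    elif running >= fixed:
        status = "patched"
    else:
        status = "vulnerable"
    return {"product": product, "running": running, "fixed": fixed,
            "status": status, "exposed": status != "patched" and sslvpn_enabled}


def triage(inventory):
    """Return the devices that still need action, with a priority for each."""
    actions = []
    for device in inventory:
        result = assess(device["product"], device["version"], device["sslvpn"])
        if result["status"] == "patched":
            continue
        if result["status"] == "unlisted":
            action = "verify-with-advisory"
        elif result["exposed"]:
            action = "patch-now"          # vulnerable and SSL-VPN reachable
        else:
            action = "update"             # mitigated by SSL-VPN off, still update
        actions.append({"host": device["host"], "status": result["status"],
                        "action": action})
    return actions


# Constructed inventory (hostnames and build numbers are made up).
INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "v7.0.11,build0489", "sslvpn": True},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "v7.2.5", "sslvpn": True},
    {"host": "fw-dc-6k", "product": "FortiOS-6K7K", "version": "6.2.14", "sslvpn": True},
    {"host": "proxy-01", "product": "FortiProxy", "version": "7.0.9", "sslvpn": False},
    {"host": "proxy-02", "product": "FortiProxy", "version": "6.4.2", "sslvpn": True},
]

if __name__ == "__main__":
    for item in triage(INVENTORY):
        print(f"{item['host']:12} {item['status']:11} -> {item['action']}")
```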

HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector

The HHS’ Health Sector Cybersecurity Coordination Center has issued a threat brief to highlight the types of cyber threat actors that target the health and public health sector (HPH), and their differing objectives, tactics, techniques, and procedures.

The HPH sector is a relatively easy target for cybercriminals compared to other industry sectors. There is a complex supply chain involving many different vendors, a large attack surface with many IoT and IoMT-connected devices that are difficult to secure, reliance on outdated software and operating systems that have reached end-of-life, and HPH sector organizations often find it difficult to recruit and retain skilled cybersecurity staff.

HPH sector organizations also store large quantities of data that can be easily monetized and used for a range of nefarious purposes such as identity theft, blackmail, and insurance fraud. Since the sector is highly regulated, there are often costly legal ramifications for healthcare organizations that suffer data breaches, and successful attacks can cause significant reputational damage, which makes the HPH sector an ideal target for extortion. Nation-state actors often target HPH sector organizations to steal research data to gain a technological advantage, to collect sensitive data, and to cause disruption in line with national priorities.

The HPH sector is targeted by financially motivated cybercriminals, politically motivated hacktivists and nation-state actors, malicious insiders for financial gain or retaliation, cyberterrorists who wish to cause harm, and script kiddies who seek attention, want to create chaos, gain kudos within the hacking community, or simply have fun. Regardless of the threat actor, the attacks can have serious financial and reputational implications and often put patient safety at risk.

While the motivations behind healthcare cyberattacks are varied, there are common initial access vectors that are used by the different types of threat actors. Phishing and social engineering attacks exploit human weaknesses to gain initial access to healthcare networks and sensitive data. Vulnerabilities in software and operating systems are targeted for initial access, man-in-the-middle attacks intercept sensitive data, and distributed denial-of-service (DDoS) attacks and wiper malware are used to cause disruption to critical systems. Attacks often involve malware that steals data and provides persistent access to networks, adware is used for tracking, information theft, and driving traffic to websites, and ransomware is often deployed for data theft and extortion.

The threat brief provides information on the different types of threat actors and their motivations to help network defenders gain a better understanding of their adversaries, and includes information on the most active threat groups that are known to target the HPH sector.

Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited by a cyber threat actor at scale over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation of the vulnerability. Remote exploitation of the flaw gave attackers access to the MOVEit server database, and with it access to customer data.

A few days later, several major companies confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government, which had all fallen victim and had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerability as they had previously targeted vulnerabilities in file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11, with Microsoft attributing the attacks to a Clop affiliate it tracks as Lace Tempest, and Mandiant attributing them to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software exposed to the Internet, and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after the news broke about the exploits, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued along with threats to release the stolen data if the ransoms are not paid, giving breached firms until June 14 to pay up or face data exposure. While the Clop group uses ransomware, these attacks involved data theft and exploitation without encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.

On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined, and in contrast to the GoAnywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted but did say it was in the hundreds. The scale of the attacks should start to become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability to March 3, 2023, and security experts at Kroll said they found evidence to indicate Clop was testing ways to exploit the vulnerability and obtain data in April 2023; however, they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest they waited until they had the automation tools available to allow exploitation at scale.
