The fallout from the exploitation of Progress Software’s MOVEit file transfer application continues, with the Clop ransomware gang still exposing victims' confidential data. Significantly, Progress continues to uncover and announce further vulnerabilities in the product, some of which are being actively exploited.
Progress has released the first in a scheduled series of service packs for both MOVEit Transfer and MOVEit Automation.
The inaugural pack includes fixes for three newly disclosed Common Vulnerabilities and Exposures (CVEs), listed in numerical order:
CVE-2023-36932 - multiple SQL injection vulnerabilities in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorised access to the MOVEit Transfer database.
CVE-2023-36933 - a flaw that allows an attacker to invoke a method resulting in an unhandled exception, causing the MOVEit Transfer application to terminate unexpectedly.
CVE-2023-36934 - a further SQL injection vulnerability in the MOVEit Transfer web application, similar to the first, again giving unauthorised access to the database.
Given the active exploitation of earlier MOVEit flaws, organisations running either product should apply the service pack as a priority.
So far the MOVEit incident has impacted nearly 300 victims and likely affected data from around 17 million individuals. Victims are globally widespread, with the largest numbers in the US, totalling over 190, followed by Germany with 28, Canada with 21, and 17 in the UK, notably including high-profile entities like the BBC, Boots and British Airways.
Recently, organisations "named and shamed" by the Clop ransomware operation encompass real estate corporation Jones Lang LaSalle, hospitality giant Radisson, and GPS expert TomTom.
Fortescue Metals, an Australian iron ore mining firm, has been the subject of a cyber-attack for which the Russian ransomware collective Cl0p has allegedly claimed responsibility. The mining firm confirmed that a breach, which it labelled a “low-impact cyber incident”, occurred on May 28th.
According to Fortescue's statement, the incident resulted in the exposure of a small portion of data from its networks, and that data was not of a confidential nature. The accuracy of Cl0p’s claims about the nature of the breach remains unverified.
Following its usual modus operandi, the gang chastised the firm, stating: “The company doesn’t care about its customers, it ignored their security!!!”, a phrase it regularly uses after its claimed attacks.
No Fortescue files or data have been published so far, giving the world’s fourth-largest iron ore exporter an opportunity to negotiate a potential ransom.
According to a study by Check Point Research (CPR), the number of recorded cyber-attacks reached a two-year high in Q2 2023, driven by increased hacktivist and ransomware group activity. The report showed an 8% rise in attack frequency, with organisations worldwide enduring an average of 1,258 attacks per week.
The education and research sector, despite experiencing fewer attacks compared to the previous year, remained the most targeted in Q2. UK academic institutions have been particularly affected in 2023, with the University of Manchester experiencing a major breach in June that compromised research data of over 1.1 million NHS patients.
The healthcare sector, a consistent target for cybercriminals, witnessed a substantial year-on-year attack surge in Q2, averaging 1,744 attacks per week - a 30% YoY increase. The ALPHV ransomware group recently targeted Barts NHS Trust, claiming to have stolen over 70 terabytes of data, constituting the largest healthcare data breach in the UK to date.
High-profile ransomware groups have also made a resurgence: separate analysis from Flashpoint suggests that LockBit and Cl0p alone accounted for nearly 40% of all recorded ransomware attacks in June, with almost half of the targeted organisations based in the US.
Cl0p claimed responsibility for the MOVEit supply chain attack, which had a domino effect on organisations worldwide, including British Airways, Boots and the BBC. Meanwhile, LockBit continues its aggressive streak, including an attack on a third-party supplier of the Taiwanese chipmaker TSMC.
Overlooked or missing vulnerability disclosures present another concern: 395 of the 1,828 new vulnerabilities in June were missed by the Common Vulnerabilities and Exposures (CVE) programme. Over a third of these missed disclosures are rated high or critical, posing a significant risk to organisations that rely on CVE feeds alone to prioritise patching.
On Monday, Tomra, a Norwegian firm operating in the recycling, mining and food sectors, announced that it was the victim of a widespread cyberattack.
The firm's data systems have been directly impacted by the attack. Tomra confirmed that the relevant authorities had been informed, and that efforts are under way internally and externally to contain and neutralise the situation. The intrusion was detected on the morning of July 16, and immediate steps were taken to halt the attack and minimise its consequences.
In a statement the company said that certain systems were swiftly disconnected to curtail the cyber attack's spread. The company is currently assessing whether the stability of its services offered to customers and employees might be affected.
While Tomra did not comment on whether it was a ransomware attack, the company says its primary objective is to restore all systems as quickly as possible. So far no cybercriminal group has claimed responsibility for the attack.
Tomra is renowned for its automated tools, especially its machines that collect metal, plastic, and glass beverage containers for recycling. The company also significantly contributes to waste and metal recycling, mining and food production.
If the incident is indeed a ransomware attack, it adds to a growing list of similar attacks on the mining and food industries. Over the past year, companies including Copper Mountain Mining, Dole, Sysco, Mondelez, Americold, Maple Leaf Foods and several fast-food chains have been attacked, and there were 52 ransomware attacks on the food and beverage supply chain sector in 2022.
On Tuesday, cosmetics company Estée Lauder (EL.N) disclosed that a cybercriminal had accessed some of its data, causing ongoing disruptions to portions of the company's business operations.
Estée Lauder said it was taking necessary measures to restore the affected systems and fortify its operations. As part of its immediate response, it had to take certain systems offline to limit the impact of the cyber incident. The nature and extent of the compromised data are currently under investigation, but no additional details concerning the operational impact have been shared.
This cyber breach emerges at a critical juncture for the company, which had previously projected lower-than-expected sales and profit for the year in May, citing sluggish recovery in duty-free and travel locations, particularly in Asia.
In its official statement, the company confirmed that it had engaged law enforcement agencies and cyber security specialists in response to the incident. Both the BlackCat and Clop ransomware gangs have claimed responsibility: Clop listed the company on its dark web leak site after claiming Estée Lauder had failed to negotiate, and later the same day BlackCat listed the company on its own leak site.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.