Also: LockBit Was Tops in 2022 and North Koreans Ape Web Portal
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the list of MOVEit victims grew and now includes the U.S. government. Also, CISA and its global peers crowned LockBit the world’s top ransomware threat, North Korean hackers copied a popular South Korean web portal, a massive impersonation campaign used SEO techniques to target top brands including Nike and Tommy Hilfiger, and the University of Manchester suffered a data breach.
MOVEit Victim List Grows
The U.S. government is among the growing list of victims who fell to a now-patched zero-day vulnerability in Progress Software’s MOVEit file transfer system that hackers used to steal data from hundreds of organizations.
The Russian-speaking Clop ransomware-as-a-service group took responsibility for the wave of MOVEit hacks unleashed on May 27 using an SQL vulnerability tracked as CVE-2023-34362 that Progress Software had patched on May 31 (see: Clop Ransomware Gang Asserts It Hacked MOVEit Instances).
“We don’t have a full understanding of what the impacts are, or whether there are impacts,” U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly told MSNBC on Thursday afternoon. The government is confident that it will not see “significant impacts,” Easterly added.
In an afternoon call with reporters, Easterly called the attacks “opportunistic.” The hackers do not appear to have used the attacks as a jumping point to gain persistence or to steal specific, high-value information, she said. No government agency has reported receiving an extortion demand.
“This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” she said.
A senior CISA official said a “small number” of federal agencies are affected, and several of them are receiving support from the agency. “This is not a widespread campaign affecting a wide number of federal agencies,” the official said, adding that there does not appear to be any coordination between Clop and the Russian government.
As far as the government knows, Clop was behind the MOVEit hacks of federal agencies, the official said. “At this point we have not identified any other actors perpetrating intrusions exploiting the vulnerability, affecting either federal or nonfederal agencies.”
The Oregon Department of Transportation said Thursday that MOVEit hackers had accessed the data of 3.5 million Oregonians who have driver’s licenses or state IDs. “While much of this information is available broadly, some of it is sensitive personal information,” the department said.
British communications regulator Ofcom said MOVEit hackers had stolen “a limited amount of information about certain companies we regulate – some of it confidential” – along with the personal data of 412 employees.
Global cloud computing provider Extreme Networks also acknowledged that hackers had penetrated its MOVEit instance.
The Clop ransomware gang apparently began following through on an earlier promise to begin posting onto its leak website the names of affected organizations that did not proactively contact it. The named companies include U.S.-based financial services firms, a Swiss insurance company, Shell Oil and others.
Shell Oil in a statement said it has been affected by the MOVEit wave of attacks. “There is no evidence of impact to Shell’s core IT systems,” a spokesperson said, characterizing the company’s use of MOVEit as being limited to “a small number of Shell employees and customers.”
LockBit Named World’s Top Ransomware Threat
In a joint advisory, global authorities including the U.S. Cybersecurity and Infrastructure Security Agency and the U.K. National Cyber Security Center identified LockBit as 2022’s most-deployed ransomware variant.
The ransomware-as-a-service gang has extorted approximately $91 million from U.S. victims since it emerged in 2020, the FBI said. About 1 in 6 ransomware attacks on American state and local governments came from LockBit in 2022. Australian authorities said the group was responsible for nearly 2 in 10 of the known ransomware attacks that occurred in the 12-month period ending March 31.
One possible reason for the group’s success: The multigovernment advisory says that LockBit pays its affiliates before taking its cut. “This practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut.”
North Korean Hackers Mimic Online Portal
South Korea’s intelligence agency on Wednesday said North Korean threat actors had created a fraudulent domain that was “impossible to distinguish” from popular online portal Naver, often dubbed the Google of South Korea.
The National Intelligence Service said the fraudulent domain, naverportal.com, is a facsimile of the web search and e-commerce platform Naver.
The agency said the fraudulent domain replicated real-time news and advertisement banners on Naver’s main screen and featured similar menu options, making it impossible for users to distinguish between the two websites.
Massive Impersonation Campaign Targets Top Brands
Brand protection company Bolster said it uncovered a widespread brand impersonation campaign employing search engine optimization techniques to deceive customers. The company said that hundreds of clothing, footwear and apparel brands – including Nike, Puma, Adidas and Casio – had been affected by a phishing campaign that began in June 2022 and impersonates popular fashion brands. Phishing activity was at a peak between November 2022 and February. Perpetrators registered numerous domains to lure unsuspecting shoppers into making purchases from fraudulent websites. If any product does arrive, it’s a low-quality dupe.
University of Manchester Suffers Data Breach
The United Kingdom’s University of Manchester suffered a data breach incident on Friday, and personal data possibly was stolen in the attack.
“We have no indicators to believe that this incident is the work of the same or associated perpetrators of the hacks at MoveIT and Zellis,” the university said on a FAQ page. Zellis is a U.K. payroll company affected by the MOVEit attacks. Through it, British Airways, Aer Lingus, the BBC and U.K. drugstore chain Boots were all affected by the attack.
With reporting from ISMG’s Jayant Chakravarti in Pune, India, and David Perera in Washington, D.C.