Monday 26th June 2023

CTI Weekly: Important Updates – Clop Ransomware, Anonymous Sudan DDoS, Russian Threat Actors, and VMware Security Advisory

Key Issue:

Clop ransomware group starts extorting victims of MOVEit data theft campaign

The Clop ransomware group has been actively posting the names, details, and data of companies that were compromised through the exploitation of the zero-day MOVEit Transfer vulnerability.

After claiming to have stolen data from numerous companies, Clop set a deadline of 14 June 2023 to post the details and stolen data if payment negotiations failed. Since the deadline has passed, Clop has listed 57 companies on their data leak site, including well-known organizations such as Sony, Aon, Shell, EY, and PwC.

They have released partial or full data from eight of these companies, including Shell and Aon, along with data related to Aon’s customers. The sensitive nature of the data obtained and the involvement of managed service providers like Aon suggest that the impact of this operation may be much larger than what is currently known.

Other threat actors may also exploit the data to conduct further operations. It is expected that more significant data breaches will be disclosed in the coming weeks as Clop continues to reveal victims and the true impact on affected organizations becomes clearer. Orpheus is actively monitoring the organizations affected by this breach.

Other news:

Pro-Russian hacktivism

On June 19, 2023, the hacktivist group Anonymous Sudan conducted a Distributed Denial-of-Service (DDoS) attack, causing the websites of the European Investment Bank to experience downtime.

This attack is believed to be part of a collaborative operation between Anonymous Sudan, Killnet, and Sodobniki (REvil) targeting the Western financial sector. Additionally, Microsoft confirmed on June 16 that Anonymous Sudan was responsible for DDoS attacks that affected its cloud hosting services in early June.


Critical National Infrastructure

Canada’s Signals Intelligence agency has assessed that Russian threat actors are as likely as not to target Canada’s oil and gas sector with a disruptive attack. This assessment is significant as Canada has been a staunch supporter of Ukraine in its ongoing conflict with Russia.

Furthermore, Canada is recognized as the fourth-largest oil producer globally, making its energy sector a potentially attractive target for Russian adversaries.

Emerging techniques

The Russian state-linked APT29 group has been carrying out credential stuffing attacks on various targets, including governments, IT service providers, NGOs, defense, and critical manufacturing sectors. To mask their location information, they have been utilizing residential IP addresses.
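Credential stuffing spread across residential IP addresses is designed to defeat the simplest per-IP lockout and rate-limit rules, because each source makes only a handful of attempts. The following is an added example, not code from the original post or from Orpheus, showing how a defender can still surface the pattern in authentication logs: it flags a single noisy source, the distributed low-and-slow variant (many sources, each touching one or two accounts, that collectively fail against many accounts), and a success from a flagged source on an account with no history of that IP. The log format, the sample lines, the per-account known-IP baseline and all thresholds are constructed assumptions; real thresholds have to be tuned against the environment's normal failure rate.

```python
"""Constructed example (not from the page): flagging credential-stuffing
patterns in authentication logs, including the low-and-slow variant in which
attempts are spread across many source IPs (e.g. residential proxies) so that
no single IP looks noisy.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (an assumption, not a real product's format):
# "<ISO-8601 UTC timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$"
)

# Baseline of IPs each account normally authenticates from (constructed).
KNOWN_IPS = {"peggy": {"192.0.2.50"}}

# Constructed sample log (documentation IP ranges, fictional account names).
SAMPLE_LOG = """\
2023-06-19T10:00:01Z ip=203.0.113.10 user=alice result=fail
2023-06-19T10:00:02Z ip=203.0.113.10 user=bob result=fail
2023-06-19T10:00:03Z ip=203.0.113.10 user=carol result=fail
2023-06-19T10:00:04Z ip=203.0.113.10 user=dave result=fail
2023-06-19T10:00:05Z ip=203.0.113.10 user=erin result=fail
2023-06-19T10:01:10Z ip=198.51.100.1 user=frank result=fail
2023-06-19T10:01:40Z ip=198.51.100.2 user=grace result=fail
2023-06-19T10:02:15Z ip=198.51.100.3 user=heidi result=fail
2023-06-19T10:02:50Z ip=198.51.100.4 user=ivan result=fail
2023-06-19T10:03:20Z ip=198.51.100.5 user=judy result=fail
2023-06-19T10:04:05Z ip=198.51.100.6 user=mallory result=fail
2023-06-19T10:04:45Z ip=198.51.100.7 user=niaj result=fail
2023-06-19T10:05:30Z ip=198.51.100.8 user=olivia result=fail
2023-06-19T10:05:31Z ip=198.51.100.8 user=olivia result=ok
2023-06-19T10:06:00Z ip=192.0.2.50 user=peggy result=fail
2023-06-19T10:06:05Z ip=192.0.2.50 user=peggy result=ok
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["res"] == "ok"})
    return events


def detect_credential_stuffing(events, known_ips, window_minutes=10,
                               per_ip_users=5, dist_min_ips=8, dist_min_users=8,
                               dist_max_users_per_ip=2):
    """Return a list of findings. Thresholds are illustrative; tune them per environment.

    stuffing_source       one IP failing against many distinct accounts
    distributed_stuffing  many IPs, each touching only a few accounts, that together
                          fail against many distinct accounts (residential-proxy pattern)
    possible_takeover     a success from a flagged IP on an account it has no history with
    """
    if not events:
        return []
    window = timedelta(minutes=window_minutes)
    start = min(e["ts"] for e in events)
    buckets = defaultdict(list)  # tumbling windows keyed by window index
    for e in events:
        buckets[int((e["ts"] - start) / window)].append(e)

    findings = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        # A failure from an IP the account normally uses is an ordinary typo, not stuffing.
        users_by_ip = defaultdict(set)
        for e in evs:
            if not e["ok"] and e["ip"] not in known_ips.get(e["user"], set()):
                users_by_ip[e["ip"]].add(e["user"])

        suspicious = set()
        for ip, users in users_by_ip.items():
            if len(users) >= per_ip_users:
                findings.append({"type": "stuffing_source", "window": idx, "ip": ip,
                                 "distinct_users": len(users)})
                suspicious.add(ip)

        # Sources that stay under the per-IP radar are judged collectively.
        quiet = {ip for ip, users in users_by_ip.items()
                 if len(users) <= dist_max_users_per_ip}
        quiet_users = set().union(*(users_by_ip[ip] for ip in quiet)) if quiet else set()
        if len(quiet) >= dist_min_ips and len(quiet_users) >= dist_min_users:
            findings.append({"type": "distributed_stuffing", "window": idx,
                             "ips": len(quiet), "distinct_users": len(quiet_users)})
            suspicious |= quiet

        for e in evs:
            if e["ok"] and e["ip"] in suspicious and e["ip"] not in known_ips.get(e["user"], set()):
                findings.append({"type": "possible_takeover", "window": idx,
                                 "ip": e["ip"], "user": e["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(finding)
```

On the sample data the single noisy source (203.0.113.10) is caught by the per-IP rule, the eight residential-style sources are caught only when their failures are counted together, and the one success from a flagged source (olivia from 198.51.100.8) is raised as a possible takeover, while peggy's failed-then-successful login from her usual IP is not flagged. The known-IP baseline is what keeps the distributed rule from counting legitimate users' own mistakes; in practice it would be built from authentication history rather than hard-coded.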


Critical vulnerability

VMware has issued a security advisory alerting users to a remote code execution vulnerability, CVE-2023-20887, which is being actively exploited by malicious actors. The vulnerability is rated high severity, with a CVSS score of 9.8 and an OVSS score of 90. Additionally, a proof-of-concept exploit for this vulnerability has been made public.
