CTI Weekly: Zero-Day Vulnerability Exploited by Ransomware Groups & CISA Directive on Network Device Security

Key Issue:

New victims disclosed in data theft campaigns leveraging MOVEit Transfer zero-day vulnerability

A critical zero-day vulnerability, CVE-2023-34362, in the MOVEit Transfer file transfer software has been exploited by malicious actors linked to FIN11 and Clop ransomware groups. These actors have used the vulnerability to gain unauthorized access and escalated privileges in both on-premise and cloud environments, resulting in extensive data theft campaigns.

UK-based organizations, including the BBC, British Airways, Ernst & Young, and Boots, confirmed being affected by the breach, primarily due to third-party agreements with Zellis, a human resources solutions vendor. Ofcom, the media watchdog, also suffered an impact, with confidential information and personal data of 412 employees being downloaded by Clop.

Clop has started posting the names of affected companies on its data leak site. Recently, security researchers released a Proof-of-Concept (PoC) exploit for CVE-2023-34362, indicating that the ransomware gang had been preparing to exploit this vulnerability since 2021.

This finding sheds light on Clop’s reconnaissance and weaponization strategies and emphasizes the need to secure supply chains and implement robust security measures to mitigate future compromises.

Other news:

Hacktivists v. Financial Sector

On June 8, 2023, the pro-Ukrainian group Cyber.Anarchy.Squad targeted Russian Internet service provider Infotel, leading to a loss of connectivity for multiple Russian financial institutions, including the Central Bank.

This resulted in over 34 hours of disruption to banking operations. On June 15, pro-Russian hacktivist groups KillNet and Anonymous Sudan announced a planned joint operation with ransomware operator Sodinokibi (REvil).

They warned that the upcoming operation, targeting the Western financial system including SWIFT, would cause severe disruption within 48 hours. Previous attacks by these groups on the financial system have had limited impact, but the recent attack on Infotel and the potential upcoming campaign indicate a notable increase in sophistication and pose a heightened threat to target entities.

Vulnerabilities

Fortinet has released a new security update to fix an undisclosed, critical pre-authentication remote code execution vulnerability impacting SSL VPN devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive instructing federal agencies to restrict internet access to management interfaces of networking equipment to minimise attack surfaces following the repeated exploitation of network devices by both cybercriminals and state-sponsored groups.

Subscribe below for more and to discover other significant cyber criminals, nation-state and hacktivist news.