The US Department of Justice adds litigators under its National Security Division to take on sophisticated cyber threats from adversarial nation-states.

The US Department of Justice has created a new National Security Cyber Section, also known as NatSec Cyber, to respond to increasing cybersecurity threats from nation-state actors.

The new NatSec Cyber division will work in coordination with the DoJ Criminal Division's Computer Crimes and Intellectual Property Section (CCIPS) and the FBI's Cyber Division, to quickly respond and prosecute cyberattacks from state-backed cybercriminals, according to the agency's announcement.

The naming of a dedicated team of DoJ cybercrime lawyers comes in the wake of major cyberattack campaigns targeting US interests including the Russian group Cl0P's ongoing ransomware attacks on the MOVEit file transfer zero-day flaw, and ramped-up cyber espionage attacks out of China including the recent Volt Typhoon cyberattacks.

"NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena," Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division said in a statement announcing the new team. "This new section will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New DoJ Cyber Prosecution Team Will Go After Nation-State Threat Actors

Gen Digital, the parent company of the security companies, is the latest victim in a rash of Cl0p attacks on the bug in the MOVEit transfer software, leading to employee data being revealed.

Gen Digital, the parent company of cybersecurity subsidiaries such as Avast and Norton, confirmed on June 20 that the personal information of its employees was compromised in yet another a MOVEit attack by the Cl0p ransomware gang.

The company stated that it was affected by a cyberattack in response to inquiries, confirming that personal information such as names, addresses, employee IDs, and email addresses were revealed. 

"We use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed," according to Gen Digital's public notice, which further confirmed that it informed all parties that may have been affected, as well as data protection regulators. 

The bug, a critical-severity SQL injection tracked as CVE-2023-34362, started out as a zero-day vulnerability that has been part of an exploitation campaign at the hands of Cl0p ransomware gang. The attacks are ongoing even post-patch, and has targeted more than 100 companies and organizations so far.

"As a general best practice, we advise never to directly allow for apps like MOVEit Transfer to be directly exposed to the Internet in cloud environments," said Amitai Cohen, attack vector intel lead at Wiz, in an emailed statement. "Instead, place the app behind a VPN, a reverse proxy or a single sign-on (SSO) landing page. This strategy will help to mitigate the effect of potential attacks exploiting vulnerable or misconfigured application endpoints and other attacks that are similar in nature."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Avast, Norton Parent Latest Victim of MOVEit Data Breach Attacks

The ransomware landscape is energized with the emergence of smaller groups and new tactics, while established gangs like LockBit see fewer victims.

There was a rise in the number of ransomware victims in May compared to the previous month, although LockBit, the leading ransomware group, saw a 30% decrease in observed victims (110 to 77) from April to May.

Ransomware heavyweight AlphV also experienced a decline in posted victims, with 38 observed victims in May compared to 51 in April.

That drying up was offset by several new branded groups entering the scene, contributing to an overall increase in observed ransomware victims, according to GuidePoint Security's latest GRIT report.

The May GRIT report highlighted a diverse slate of active threat groups, with 28 observed groups claiming victims. There was a 13.57% increase in publicly posted ransomware victims from April to May, and 410 incidents total, led by victims in the United States — far and away the most targeted country.

The report noted that the fledgling Akira ransomware group has gained particular prominence just since April (the name a potential nod to the 1988 Japanese anime cult classic in which a biker is turned into a rampaging psychopath). The gang is primarily known for a unique data-leak site designed as an interactive command prompt using jQuery.

Educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims. The group follows the "double extortion" approach: stealing data from victims and threatening to leak it if the ransom is not paid.

While there isn't enough data to make a definitive hypothesis, GuidePoint Security threat intelligence consultant Nic Finn notes he has observed some of the new groups significantly lowering their initial ransomware demand.

"If this trend continues, it could indicate that ransomware groups are attempting to shorten the time between victimization and ransomware payment," he says.

Overall, though, the GRIT findings echoed the 2023 Verizon Data Breach Investigations Report in noting escalating ransomware costs.

**Emergence of New Ransomware Groups**

GRIT has also identified other fresh-faced ransomware groups on the scene, such as 8Base, Malas, Rancoz, and BlackSuit, each with its own distinct characteristics and targets.

8Base, which claimed 67 victims in the past year, has primarily targeted the banking and finance industry and is focused primarily on the US and Brazil, while the extortion group Malas was observed performing mass exploitation of business email and collaboration software Zimbra.

There is little known about Rancoz, which has posted just two victims so far — one in the tech sector and one in manufacturing — while BlackSuit was flagged for the maturity of its operations despite only one observed victim.

These emerging threat groups have deployed a combination of established and innovative tactics, aiming to blend in and profit amid the crowded ransomware landscape, explains Finn.

He notes one method that's been observed lately is a shift toward single extortion, focused around exfiltrated data — no encryption necessary.

"This is much more sustainable for ransomware groups because it involves less troubleshooting with victims when the decryptors fail," he says.

Finn explains the recent behavior of ransomware groups suggests they are following whatever tactics they believe to be more novel and successful.

"The trend back toward single extortion through the threat of data publication could be the result of perceived success by other groups, or it could be a determination they are making based on their interactions with victims," he says.

For example, if a good portion of their victims are asking to lower the ransom demand in exchange for just proof of deletion and guarantees not to attack them again, this may lead ransomware groups to assume that a good portion of their victims have backups in place, making it the effort of encrypting a victim network seem superfluous.

"Organizations following data backup best practices should remain diligent about developing detections and monitoring activity for any potential data exfiltration efforts, as this single extortion trend will definitely continue and likely grow throughout 2023," Finn says.

**Education Sector in the Sights**

As evidenced by Akira and older groups like Vice Society, ransomware groups are increasingly targeting educational institutions, from daycare centers to major universities. In total, ransomware groups posted 35 unique victims in the education industry in May.

"A recent influx in vulnerabilities affecting software commonly used in schools, such as the PaperCut MF/NG vulnerability," the report noted.

"It seems like the education sector is seeing heavy targeting because there is so much personally identifiable (PII) and sensitive student data available in the resulting data," Finn says. "Additionally, the number of individuals impacted is exponential to the size of the victim organization."

For example, a school system with just a thousand or so active students could still house records and data on thousands more former students, plus information relating to parents of the students who have data at risk.

"Another big factor is media attention," he adds. "Ransomware actors follow the trends that get them media coverage. The cyberattack against the LA Unified School District brought about a lot of media attention, so it's likely that more groups are matching that trend to replicate the coverage."

**MOVEit and Mass Exploitation**

Another factor in the recent growth of successful ransomware attacks is the phenomenon of ransomware groups are exploiting zero-day vulnerabilities _en masse_, the report noted, conducting exfiltration, and expecting victims to reach out to them to coordinate for ransoms.

The ongoing Cl0p attacks exploiting the MOVEit vulnerability against hundreds of organizations are emblematic of the trend, which is also seen with the DeadBolt ransomware variant and another recently exploited by a threat actor to deploy Nokoyawa ransomware.

"It appears that Cl0p has a team of highly technical hackers working on mass exploitation, especially of file transfer software," Finn adds.

Recent reporting indicates that the group began working on the MOVEit exploitation as far back as 2021, and even delayed the mass exploitation of the vulnerability until it completed a different mass exploitation campaign against the GoAnywhere MFT service earlier this year.

"This indicates a significant strategic planning capability, even down to the decision to begin exploitation of this MOVEit vulnerability over the Memorial Day weekend, when less staff is available to respond right away," he says.

While there has been a noted slowdown in ransomware activity over the summer for the past two years, which Finn adds may still occur this year, there's also "a good chance" that other ransomware groups attempt to mimic the behavior of groups like Cl0p and attempt mass exploitation, which could offset declines in activity elsewhere.

Fresh Ransomware Gangs Emerge as Market Leaders Decline

By Waqas
BreachForums is a recently resurfaced alternative to the popular hacker and cybercrime forum, Breach Forums, which is now defunct.
This is a post from HackRead.com Read the original post: Data Breach at New BreachForums: 4,000 members’ data leaked

**BreachForums disclosed that the data breach was carried out by a rival hacker forum, which exploited a zero-day vulnerability in MyBB, the free and open source forum software.**

In a recent exclusive report by Hackread.com, it was revealed that BreachForums has made a comeback under the control of the notorious ShinyHunters hackers, who are collaborating with the original moderator team from the original BreachForums.

This comes after the old forum was seized by the FBI and its alleged owner, PomPomPurin (real name: Conor Brian Fitzpatrick), was arrested in New York. Fitzpatrick was arrested by a team of investigators at his home in Peekskill, New York and charged with a single count of conspiracy to commit access device fraud.

Now, the revived forum has fallen victim to data breach, resulting in the exposure of personal information belonging to more than 4,000 registered members. Initially, the identity and motives of the hackers behind this breach were unclear, given the complex dynamics involving security agencies and the past and current administrations of BreachForums.

**Hackers vs. Hackers**

However, during a communication on Telegram, one of the forum’s administrators known as “Weep” confirmed the occurrence of a cyber attack. Weep addressed the members of BreachForums and attributed the data breach to a rival forum called OnniForums, which prides itself as a dark web forum focused on security and anonymity.

Weep urged the forum members to reset their passwords and disclosed that the breach was facilitated by exploiting a zero-day vulnerability in MyBB. It is important to note that the BreachForums had been offline since the early morning of Monday, June 19th, 2023, but at the time of writing, the forum was back online.

Meanwhile, tweets allegedly from the official Twitter account of OnniForums have claimed responsibility for the attack. Another tweet from the same forum’s handle asserts their involvement in breaching another hacker forum known as “Exposed.” Notably, in May 2022, a partial database containing details of 460,000 members from the now-seized RaidForums was leaked on ExposedForum.

On left, BreachForums admin Week addressing the members – On right, OnniForum claiming the breach (Image: Hackread.com)

While uncertainties persist, initial analysis suggests the authenticity of the leaked data. The compromised information includes the following:

*   Login keys
*   Usernames
*   Email addresses
*   IP addresses
*   Password hashes
*   Registration dates
*   Members’ last visits and posts.
*   Number of posts and, last activity
*   Social media handles with profile links and more.

BreachForums, notorious for its role in facilitating discussions and trade of stolen data, has once again become a focal point for cybersecurity concerns. The return of the forum, coupled with this recent breach, underscores the ongoing challenges faced by online communities in safeguarding user information and preventing unauthorized access.

Emails, IP address and other data analysed by Hackread.com

**Impact**

If the personal data of cybercriminals is leaked online, it can have several potential outcomes. First and foremost, their identities and activities may be exposed to law enforcement agencies, making it easier for authorities to track and apprehend them. This can significantly impede their ability to continue engaging in illegal activities anonymously.

Furthermore, their reputation within the cybercriminal community may be tarnished, resulting in diminished trust and collaboration with other hackers. The leaked data could also provide valuable insights and intelligence to cybersecurity professionals, allowing them to better understand cybercriminal tactics and develop stronger defence mechanisms.

Overall, the leakage of personal data belonging to cybercriminals can have a substantial impact on their operations and make it more difficult for them to operate clandestinely.

**RELATED ARTICLES**

1.  Nulled.IO Hacking Forum Hacked, Trove of Data Stolen
2.  Russian hacking forums warming up to Chinese hackers
3.  US Marshals Service Data Sold on Russian Hacker Forum
4.  BidenCash Market Leaks 2M Credit Cards in Birthday Blitz
5.  OGUsers hacker forum hacked for 4th time; database leaked

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Data Breach at New BreachForums: 4,000 members’ data leaked

Categories: News
Categories: Ransomware
Tags: Cl0p

Tags:  ransomware

Tags:  RFJ

Tags:  10 million

Tags:  MOVEit

Rewards for Justice (RFJ) is offering a reward of up to $10 million for information the Cl0p ransomware gang is acting at the direction or under the control of a foreign government.



(Read more...)




The post US dangles $10 million reward for information about Cl0p ransomware gang appeared first on Malwarebytes Labs.

The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government.

> — Rewards for Justice (@RFJ\_USA) June 16, 2023

This is not really new. RFJ’s statutory authorities offers rewards for information in four broad categories and one of them is:

**Malicious Cyber Activity** For information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act  (“CFAA”), 18 U.S.C. § 1030. This includes foreign election interference.

But the Tweet explicitly mentioning Cl0p is new. The gang is thought to be behind a recent ransomware spree that compromised a large number of organizations by exploiting a zero-day flaw in Progress’ MOVEit Transfer software.

With as many as 2,500 targets exposed on the Internet, the number of potential victims could be in the hundreds. Some of them have already confirmed, either by the firms themselves or by  being mentioned on the Cl0p leak site.

Campaigns like Cl0p's abuse of the MOVEit vulnerability, or high profile attacks like the one on Colonial Pipeline in 2021, can trigger an extra focus on the specific ransomware group responsible. Perhaps aware of this, Cl0p took to its website to preemptively promise that it was not going to use data stolen from government organizations and would delete it instead.

It seems that was not enough to avoid getting in the cross-hairs of the US federal government, as we predicted just hours before. The tweet appeared shortly after our own Cybersecurity Evangelist, Mark Stockley, expressed his doubts that Cl0p's plan would help them avoid unwanted attention from law enforcement.

> "Cl0p's approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware's squeakiest wheel."

And don’t think that all these ransomware operators sit safely out of reach, behind what used to be an iron curtain. The recent arrest of Ruslan Magomedovich Astamirov, a ransomware actor associated with LockBit, in Arizona, shows that the cybercriminals think they can hide anywhere if they are careful enough.

US Attorney Philip R. Sellinger for the District of New Jersey said:

> “Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended. The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

Also, some criminals can’t help themselves and need to show off how rich they are or how clever they think they are. The best example may be Mark Sokolovsky. This Ukrainian national and alleged cybercriminal loved posting selfies with fistfuls of cash. When the Russian invasion of Ukraine caused him to flee the country, his girlfriend posted pictures of the couple’s journey on her Instagram account. Sokolovsky was arrested in the Netherlands and is awaiting extradition to the US, accused of being a key player in the cybercrime operation behind Raccoon Stealer.

So, if you're in the market for a $10 million reward, happy hunting. And for anyone eligible, I’m throwing in a free copy of Malwarebytes Premium. You’ll need it.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

US dangles $10 million reward for information about Cl0p ransomware gang

By Waqas
According to researchers, these fake accounts on GitHub and Twitter are spreading malware that infects both Windows- and Linux-based systems.
This is a post from HackRead.com Read the original post: Warning: Fake GitHub Repos Delivering Malware as PoCs

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

Supply chain attacks could be highly destructive if the target is as high-profile and widely used as GitHub. Cybersecurity researchers at VulnCheck have discovered a supply chain attack targeting GitHub and Twitter.

According to their report, multiple accounts on GitHub and Twitter claim to distribute PoC (proof-of-concept) exploits for zero-day exploits in popular software. However, these are fake accounts, and the PoCs deliver malware.

****Campaign Discovery****

VulnCheck discovered this campaign in May 2023 when it checked a GitHub repository hosting code that the author claimed was a zero-day for the Signal app. The next day, they discovered another account offering a WhatsApp zero-day.

Researchers kept finding bogus accounts throughout May 2023, all offering zero-day exploits for apps such as Google Chrome, Signal, Microsoft Exchange Server, and Discord. Later in May, researchers came across similar accounts on Twitter.

Around half a dozen fake accounts were discovered on GitHub, and several were found on Twitter. All of them used headshots of renowned security researchers and hosted zero-day exploits.

****Beware of Fake Accounts on GitHub, Twitter****

According to VulnCheck, unidentified threat actors have created a network of fake accounts on GitHub and Twitter that appear to be associated with cybersecurity researchers. To generate credibility for these accounts, the threat actors have used profile pictures of actual security researchers.

Researchers have noted that these fake repositories are promoted as part of a non-existent firm called High Sierra Cyber Security. Each account features a headshot, Twitter handle, associated organization, followers, a link to the company’s website, and a hidden, malicious repository.

Greg and 6 other fake profiles on GitHub (Left) – Fake account on Twitter (Right) – VulnCheck

****Malicious Objectives Behind Fake Accounts****

These fake accounts distribute a Python script through which a malicious binary is downloaded and executed on the device. It is worth noting that the malware can work on both Windows and Linux-based systems. GitHub accounts have been suspended, but Twitter accounts remain online.

****What are the Dangers?****

Researchers believe that this supply chain attack is very elaborate and can have serious consequences. The SolarWinds attack is one of the most devastating supply chain attacks, affecting many public and private sector agencies and causing extensive damage. A malware-infected software was responsible for this attack.

Considering that GitHub is the world’s largest open-source code repository, the consequences of this particular supply chain attack could be even more drastic. Injecting malicious code into a repository or compromising it can impact various software used by countless endpoints. Attackers can deploy malware to steal sensitive data, perform identity theft, or launch ransomware attacks and wire frauds.

Researchers are unclear whether this is an experiment or a campaign. Nevertheless, it is essential to be cautious when accessing untrusted sources for executing code. Check the full list of fake accounts here.

**RELATED ARTICLES**

1.  Portion of Twitter’s proprietary source code leaked on GitHub
2.  Commit metadata spoofed to create false GitHub repositories
3.  SolarWinds Hackers Use Post-Exploitation Backdoor ‘MagicWeb’

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Warning: Fake GitHub Repos Delivering Malware as PoCs

The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.

Friday, June 16, 2023 14:06

*   Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
*   Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
*   The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
*   Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time, they are reportedly not being actively exploited.

**CVE-2023-34362 details and ongoing exploitation**

On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting to compromise it as early as 2021.

As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.

**Vulnerability details**

The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.

A second vulnerability, CVE-2023-35036, was assigned and Progress Software released patches and an advisory addressing this issue. Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.

On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue although DLL drop-ins.

**Ongoing exploitation**

The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.

  
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.

Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the “X-siLock-Comment” header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.

LemurLoot uses the header field “X-siLock-Step1’ to receive the commands from the operator. There are two well-defined commands: -1 and -2. The fields “X-siLock-Step2’ and  “X-siLock-Step3” are used to hold parameters to be used when no command has been defined.

**_Command “-1”:_** _LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files._

**_Command “-2”:_** _LemureLoot deletes a user account with the LoginName and RealName set to "Health Check Service"._

For any other values of “X-siLock-Step1,” the web shell will open a file specified by the folder and file name in “X-siLock-Step2”, and “X-siLock-Step3” respectively and retrieve it for the operator.

If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, then the web shell creates the “Health Check Service” admin user and creates an active session.

**Recommendations  
**

Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:

*   Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
*   Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
*   Delete unauthorized files and user accounts and reset service account credentials.
*   Continuously monitor networks for early detection in the event of a compromise.
*   Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
*   Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
*   Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat:

*   61876 - 61879
*   61936
*   300582, 300583

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Win.Ransomware.Clop-6881304-0
*   Win.Ransomware.Clop-6887770-0

**IOCs  
****Webshell (LemurLoot)**

702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0  
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead  
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a  
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195  
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272  
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d  
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a  
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5  
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group

MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.

Yet another MOVEit Transfer vulnerability, CVE-2023-35708, was discovered this week by Progress Software, the third that the company has disclosed, alongside CVE-2023-34362 and CVE-2023-35036.

The issue itself, detailed in an advisory released June 15 by the company, is another SQL injection vulnerability that could potentially allow unauthenticated attackers to gain access into MOVEit's database. Should attackers present a payload into the MOVEit Transfer application endpoint, they could ultimately modify the database content. Progress Software is encouraging MOVEit Transfer customers to take immediate action to help harden their MOVEit Transfer environments, noting that it is "extremely important" that users act as quickly as possible. 

"As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor," according to a press statement.  

**Government Agencies Under Cl0P Attack**

The release of the advisory detailing the latest vulnerability comes on the heels of CISA disclosing that federal agencies were impacted by the transfer tool at the hands of the Cl0p ransomware gang — part of the ongoing glut of attacks using what was once a zero-day bug in the platform (the first issue patched). In a statement to CNN, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said that CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.”

Two Department of Energy victims have been named: 1) Oak Ridge Associated Universities, a not-for-profit research center, and 2) Waste Isolation Pilot Plant - a contractor which disposes atomic energy waste.

Cyberattacks involving the use of the MOVEit Transfer program have now affected several US government agencies, alongside many other companies and organizations, who are now dealing with the loss of stolen information, disrupted systems, and sometimes even the demands of ransom payments. The victim count could reach into the hundreds. 

Though there haven't been any indications that threat actors have yet exploited the new vulnerability, MOVEit has asserted that it is communicating with customers to protect and create safer environments. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Third MOVEit Transfer Vulnerability Disclosed by Progress Software

Categories: Exploits and vulnerabilities
Categories: News
Categories: Ransomware
Tags: Progress

Tags:  Moveit

Tags:  CVE-2023-34362

Tags:  CVE-2023-35036

Tags:  Cl0p

Progress has released an advisory about yet another MOVEit Transfer vulnerability while new victims of the first one keep emerging.



(Read more...)




The post MOVEit discloses THIRD critical vulnerability appeared first on Malwarebytes Labs.

In chess, the threefold repetition rule states that a player may claim a draw if the same position occurs three times during the game. Whether this means that customers of the popular file transfer utility MOVEit Transfer can ask for their money back remains to be seen, but we do hope it signals the end of the game.

Let’s do a small recap first, because it’s easy to lose track here. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use these CVE numbers where available.

Timeline:

*   On May 31, 2023 Progress released a security bulletin about CVE-2023-34362, a vulnerability in MOVEIt Transfer that was being actively exploited. At the time we had a few details about how it was being exploited, but not by who.
*   Over the next few days it became clear that the Cl0p ransomware group had been testing the vulnerability since July 2021 and decided to deploy it over the Memorial Day weekend. The first victims became known.
*   A second vulnerability was found while new victims were still coming forward. After the first vulnerability was discovered, MOVEit's owner Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software and found CVE-2023-35036. Progress posted a new bulletin about it on June 9, 2023.
*   On June 15, 2023, Progress published information about a third critical vulnerability which got listed as CVE-2023-35708 on June 16.

This latest vulnerability could lead to escalated privileges and potential unauthorized access to the environment.

Please note that it is very important to follow the instructions outlined in the latest advisory regarding the order in which the patches need to be applied and based on how many patches have already been applied.

The best advice provided by Progress is probably to disable all HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 to safeguard the environments while a patch is being prepared to address the vulnerabilities and in case even more of them come to the surface.

Meanwhile the Cybersecurity and Infrastructure Security Agency (CISA)  says it’s providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. Among the probably hundreds of victims are Payroll provider Zellis who serves British Airways and the BBC, oil giant Shell, several financial services organizations, insurance companies, and many others. Reportedly, two US Department of Energy (DOE) entities were also compromised.

Victims have been identified in the UK, US, Germany, Austria, Switzerland, Luxembourg, France, and the Netherlands. Organizations in the US make for most of the victims, but no ransom demands have been made of federal agencies according to a CISA spokesperson.

Cl0p re-emphasized that it was not going to use data stolen from government organizations with a message on its dark web site:

> “We got a lot of emails about government data, we don't have it. We have completely deleted this information. We are only interested in business, everything related to the government has been deleted.”

We shouldn’t mistake this for altruism. It could be they are simply afraid of the consequences and because they are fully aware that governmental organizations are not allowed to pay the ransom anyway, so there is no profit to be made there.

Our own Cybersecurity Evangelist, Mark Stockley, has his doubts about Cl0p's methods:

> "Cl0p's approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware's squeakiest wheel."

Stay tuned for future developments.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

MOVEit discloses THIRD critical vulnerability

Threat groups created a fake security company, "High Sierra," with faux exploits and fake profiles for security researchers on GitHub and elsewhere, aiming to get targets to install their malware.

During the month of May, an unknown threat group created a malicious GitHub repository that claimed to contain a zero-day exploit for a vulnerability in the Signal messaging app. The attackers supported the credibility of the exploit by creating a fake security company — High Sierra Cyber Security — linked to a number of made-up profiles of security researchers.

That's according to research conducted by threat intelligence firm VulnCheck, which found that the level of effort that the attacker put into create a social presence around the fake security company and the fake exploits is on a whole other level compared to what researchers have seen in the past.

"They put in a decent amount of effort into building personas, if you will, for each of these characters — these actors that who would advertise the GitHub repositories with the actual malware," VulnCheck security researcher William Vu tells Dark Reading. "So they put a lot of time and effort into building, really, a fake security company, and that, to me, is kind of new."

Targeting security researchers is rare, but has a long history. In 2021, for example, Google's Threat Analysis Group (TAG) warned that North Korea-backed hackers had created a faux research blog and multiple fake Twitter profiles. Researchers would then be asked to collaborate on vulnerability research, and those who agreed would be sent a Visual Studio project file that would run custom malware to infect the target's system, according to Google TAG's analysis. Three months later, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the campaign.

A similar attack — also by North Korea — targeted security researchers by using LinkedIn accounts and acting as recruiters, according to research released in March by Mandiant.

The latest attack also uses social engineering to target the supply chain, says Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of enterprise cyber-risk remediation services.

"One of the core defenses against malicious packages is for developers to actually vet the package before they download and use it, and part of that vetting process is determining if the package was created by a trustworthy source, whether commercial or otherwise," he says. "If threat actors can do a good job of faking that, they have a better chance of getting a victim to download their package and then not give it as close of an inspection as they should."

**GitHub, WhatsApp, What's Next?**

VulnCheck contacted GitHub about the project hosting the fake exploit, and the page was taken down. A day later, however, the same group created a similar page advertising a WhatsApp zero-day exploit, VulnCheck's researchers stated in the advisory. That pattern continued, and each time the company notified GitHub of a new page, it was removed but a new project page would appear. Pages offering a purported Microsoft Exchange remote code execution (RCE) bug, a Discord zero-day RCE, and others continued the cat-and-mouse game, the company stated.

In each case, instead of an exploit, a Python file in the repository would — if run by the target — download an operating-system-specific binary. While most antivirus programs detected the Windows malware that the Python script loaded, only three of the 62 Linux host-based scanners detected that binary, VulnCheck stated.

The threat actor used a variety of social media profiles to push out links to the pages. While the technique has been used as a way to convince software developers to download vulnerable or malicious components as a way of infecting the supply chain, this attack seems more likely to gain access to security professionals' own research, Vu says.

"Security researchers and testers usually have their own research, and if I were going after security researchers this way, I would be looking to obtain their cache of real zero-day exploits, and any kind of corporate IP that they might have access to," he says.

**Not the Sharpest Tool in the Toolbox**

While companies should always educate their developers about the risks that come with online code and how to best vet projects and unknown developers to determine if they are legitimate, researchers need to learn to be wary too, says Erich Kron, security awareness advocate at KnowBe4.

"Running code that others have written, especially when available in free and open websites such as GitHub, always carries some risk," he said. "In this case, researchers looking at the code may even assume that the malicious parts are simply a piece of these zero days being disclosed, when in fact it's designed to infect their own systems."

For most security researchers, a little due diligence will go a long way. A little research would likely discover that the company behind the "security research" has no track record, and that the researchers have no history in the industry, says Vulcan Cyber's Parkin.

"If a package just appeared out of nowhere, and the developers all seem to be new on the scene? Red flags," he says. "The sad thing is that this will have some negative impact on newly active researchers who may not have any history yet, but it's also easy to tell the difference between someone who doesn't have a history because they're just getting started and someone who has no history because they don't exist."

Tag

#zero_day