What is American Airlines?

Among quite a few airlines in the US, American Airlines is a bit special. Not only is the company among the oldest airlines, being 97 years old, but it is also the biggest company of its sector (by passenger flow). Being a member of multiple airlines unions, it provides both regional and international (including trans-Atlantic) flights. Such a large company is a no joke, and for attacking it you should be either exceptionally brave and confident — or extraordinarily reckless.

American Airlines Hacked by Cl0p

Over the last month, Cl0p has gotten more attention than it has ever experienced before. All is due to its extensive – and successful – use of the MOVEit MFT vulnerabilities. The managed file transfer suite appeared vulnerable to multiple exploitation scenarios, which allowed for both initial access and lateral movement. We released a chain of articles on this topic – consider checking them out if you missed that mess.

But back to the Cl0p’s attack on American Airlines. Their hacks are no joke, as each their hack is commonly complemented not only with ransomware attacks, but also extensive data extraction. The gang takes whatever they find, and in the case of American Airlines, the list of possible data categories is humungous. What’s worse, the company holds a lot of records about their passengers – which is natural for any organisation that has to deal with such a large client flow. Another natural thing though is the hackers’ interest in putting their hands on this data.

Still, it’s too early for any worries and privacy concerns. It is unclear whether the company is planning to pay the ransom or ignore the requirements. Only in the case of the latter Cl0p will publish the data or offer it for sale, on their leak site or elsewhere. The company though claimed the attack through the third party – specifically, Pilot Credentials app. However, this attack is not likely related, as Cl0p did not list another victim of the Pilot Credentials – Southwest Airlines. Moreover, the app website itself is not present on leak site as well. All this points at the fact that we are spectating a new breach.

How dangerous can this hack be?

Well, as I said, Cl0p is not a hack group that plays child’s play. Their hack most likely touches internal company information, including info on its staff and financial situation. The latter may be exceptionally sensitive, as during the pandemic, the company had some serious financial strugglings. Uncovering them may not be very pleasant to the company, as well as showing the ways they have beaten these problems.

Another side of a problem, actually, a more sensitive one, touches the possibility of customers’ data leak. This brings not only problems for people who fly with American Airlines, but also the possibility of legal consequences to the company. It becomes even worse when we remember that hackers usually put an incredibly high price tag for keeping some really important data in secret. That number may sometimes even exceed the ransom sum for file decryption.

Though, those are just my guesses. Same as anyone interested in cybersecurity does, I will keep my eye on both newsletters, the company’s public claims and Cl0p’s Darknet site. It’s almost clear that all the details will appear in a week or two.

The post American Airlines Hacked by Cl0P Gang, MOVEit Involved appeared first on Gridinsoft Blog.

Let me remind you that it all started with a 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

As a result, Microsoft analysts linked the massive attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Soon the hackers began to make demands and extort ransoms from the affected companies.

To date, hundreds of companies have been known to have been compromised during the attacks. Over the past weeks, the break-in has been confirmed by many victims. Among them: Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse. Due to the Zellis hack, the data of the Irish airline Aer Lingus, British Airways, the BBC, and the British pharmacy chain Boots were compromised.

Also leaked data affected the University of Rochester, the government of Nova Scotia, the authorities of the US states of Missouri and Illinois, BORN Ontario, Ofcam, Extreme Networks and the American Therapeutic Society.

This week the list of victims continued to expand. So, representatives of the University of California at Los Angeles (UCLA) reported about the attack and data leakage. Representatives of the educational institution said that they had already notified the FBI about the incident and involved third-party security experts in the case to investigate the attack and understand what data was affected.

Also attacks on a bug in MOVEit Transfer affected Siemens Energy, a Munich-based energy company that employs 91,000 people worldwide. While no data leak has yet taken place at this time, Clop has already listed Siemens Energy as one of the victims on its dark web site, and company representatives have confirmed to the media that they were hacked in recent Clop attacks.

Siemens Energy emphasizes that no important data was stolen and the company’s business operations were not affected.

Together with Siemens Energy, another industrial giant was added to the Clop website – the French Schneider Electric, which is engaged in power engineering and manufactures equipment for the energy sub-complexes of industrial enterprises, civil and residential construction facilities, data centers, and so on.

Schneider Electric said that after the news of the vulnerability in MOVEit Transfer, the company “quickly deployed available tools to protect data and infrastructure.” Currently, the company’s security specialists are investigating the consequences of the incident and Clop’s claims of data theft.

In addition to the listed technology giants, to the list of victims of hackers has recently been added:

1. the New York City Department of Education, which admitted that Clop stole documents containing confidential information from 45,000 students;
2. Oregon and Louisiana state authorities, from whom hackers stole data on millions of driver’s licenses.

The post The Number of Companies Affected by Attacks on Vulnerabilities in MOVEit Transfer Increased appeared first on Gridinsoft Blog.

What is MOVEit 0-day breach?

A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution became known in late May. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

The bug itself was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

The week before, Microsoft analysts linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Among other things, this group is known for the fact that Clop ransomware operators leaked data from two universities.

Old vulnerability

As experts from the information security company Kroll now report, it seems that hackers have been looking for ways to exploit the mentioned zero-day vulnerability long before the start of mass attacks, and more precisely since 2021.

They also discovered that attackers were testing different ways to collect and steal sensitive data from compromised MOVEit Transfer servers back in April 2022.

Automated malicious activity increased markedly on May 15, 2023, right before the start of massive attacks on the 0-day vulnerability.

Victim data collection

Since similar activity was performed manually in 2021, experts believe that the attackers knew about the bug for a long time, but were preparing the necessary tools to automate mass attacks.

Victims of the attack

Hackers told reporters this past weekend that the vulnerability allowed them to break into MOVEit Transfer servers owned by “hundreds of companies.” Although after that the media urged not to take the word of the hackers, unfortunately, some victims have already confirmed the fact of compromise.

Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse, was one of the first to confirm the breach and leak of customer data.

Some major Zellis customers have already made official statements about the hack. Among them: government agencies in Nova Scotia (including the Health Authority, which uses MOVEit to exchange confidential and classified information), the University of Rochester, British Airways and the BBC, which reported the theft of employees’ personal information and that there were other Zellis customers among the victims – Irish airline Aer Lingus and the British pharmacy chain Boots.

Currently, Clop has not yet begun to publish information stolen from companies. On their dark web site, the attackers gave the victims until June 12, stating that if the companies do not contact them and start negotiations on the payment of a ransom by that time, data leaks will follow.

The post Clop Attacks on MOVEit Transfer Affected British Airways, BBC and More appeared first on Gridinsoft Blog.

Who are Lace Tempest hackers?

Microsoft is attributing attacks that exploit the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to the Lace Tempest cybercriminal group known for its ransomware and running the Clop leak site. “Lace Tempest” is the new name, according to Microsoft’s updated classification, for the grouping, better known as TA505, FIN11, or DEV-0950. Attackers have used similar vulnerabilities in the past to steal data and extort victims.

What is MOVEit MFT 0-day Vulnerability?

MOVEit Transfer is a Managed File Transfer (MFT) solution that allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP based downloads. It is believed that the attack that were using this breach began on May 27, during the long Memorial Day holiday in the United States. The same day, numerous organizations reported data leaks.

At the end of last week, Progress Software developers warned about the discovery of a critical vulnerability in MOVEit Transfer. According to them, exploitation of this vulnerability could lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the MOVEit zero-day vulnerability to remove specially crafted web shells on servers, allowing them to extract a list of files stored on the server, upload files, and steal credentials/secrets for configured Azure blob storage containers.

While it was unclear at the time who was behind the attacks, it was widely believed that the Clop ransomware was responsible for the attack due to similarities to previous attacks carried out by the group. After all, this group carried out two of the largest cyberattacks in the history of MFT platforms.

The first occurred in 2020, when Clop exploited the Accellion FTA zero-day vulnerability. The second happened in January of this year, also due to a zero-day vulnerability, but already in the Fortra GoAnywhere MFT. As a result of both attacks, Clop hackers took over the data of hundreds of organizations. We also wrote that FIN7 Hack Group Resumed Activity, Linked to Clop Ransomware and other media indicated that Clop ransomware operators leaked data from two universities.

What then?

At present, the extortion stage has not yet begun, and the victims have not yet received ransom demands. However, it is known that the Clop gang, if Microsoft has not mistaken in their judgments, waits several weeks after the theft. Perhaps hackers structure the stolen data and determine its value. And only when they are ready, they will send their demands to the heads of the affected companies by e-mail. fter the attack on GoAnywhere, it took a little over a month before the hackers published a list of victims on their leak site. This time, it is likely that you also need to wait a bit.

As a workaround, all clients are advised to block external traffic on ports 80 and 443 on the MOVEit Transfer server as soon as possible. At the same time, the developers warned that blocking these ports would prohibit external access to the web interface, interfere with some aspects of automation, block the API, and prevent the Outlook MOVEit Transfer plugin from working.

The post Microsoft Researchers Link Clop Gang to MOVEit Transfer Attack appeared first on Gridinsoft Blog.

FIN7 Cybercrime Group Goes On

Let me remind you that we also wrote that Clop ransomware continues to work even after a series of arrests, and also that Clop Operators Claim to Hack 130 Organizations Using GoAnywhere MFT Bug.

Information security specialists reported that Clop ransomware operators leaked data from two universities. The new attacks reportedly used the PowerShell-based POWERTRASH in-memory dropper to deploy the Lizar post-exploitation tool on compromised devices. Thus, the attackers gain a foothold in the target network and start lateral movement, so that later, with the help of OpenSSH and Impacket, they can deploy companies that become victims of the Clop encryptor on the network.

Cl0p ransomware and FIN7 relationship

According to Microsoft, Clop is just another new malware used by FIN7. So, the group was previously associated with REvil and Maze, and then with the now defunct BlackMatter and DarkSide RaaS. In addition, the media cites a private Microsoft analytical report and reports that FIN7 is associated with attacks on PaperCut print control servers that eventually become part of the attacks of malware such as Clop, Bl00dy and LockBit.

In a closed report, Microsoft analysts write that the financially motivated group FIN11, which the company tracks under the code name Lace Tempest, used new tools, including the PowerShell script inv.ps1, which the researchers associate with FIN7. This script was used to deploy the Lizar toolkit mentioned above, which likely indicates that the operators of the two factions have joined forces or started exchanging attack tools.

The post FIN7 Hack Group Resumed Activity, Linked to Clop Ransomware appeared first on Gridinsoft Blog.

Microsoft has linked recent attacks on PaperCut servers to ransomware operations by Clop and LockBit, which used vulnerabilities to steal corporate data.

In March 2023, print management solutions provider PaperCut fixed vulnerabilities CVE-2023-27350 (9.8 out of 10 on the CVSS scale, equalling the recently-discovered MSMQ vulnerability) and CVE-2023-27351 (8.2 out of 10). on the CVSS scale).

They allowed to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges, as well as extract usernames, full names, email addresses, and other sensitive data. It was emphasized that such attacks do not require user interaction.

In mid-April, it became known that hackers were already exploiting vulnerabilities, and a PoC exploit for the most dangerous of them appeared in the public domain.

Clop and LockBit ransomware is behind these attacks on PaperCut servers, Microsoft analysts now report, using bugs to steal corporate data from vulnerable servers.

According to the researchers, hackers have been using vulnerabilities in PaperCut since April 13, 2023, and with their help they gain access to corporate networks. After gaining access to the server, the attackers deploy the TrueBot malware in the system, which is associated with Clop extortionate operations, as well as the Cobalt Strike “beacon”, which is used to traverse the victim’s network sideways and steal data using the MegaSync file-sharing application.

Microsoft says some of the incidents ended with LockBit ransomware attacks, but it’s not clear if these attacks started before or after the exploits were published.

By the way, the media wrote that Canadian Polices Arrests Russian Man Involved in LockBit Ransomware Attacks.

Experts urge all administrators to install the available patches as soon as possible, since other attackers are likely to soon take on fresh bugs as well. For example, PaperCut MF and NG are strongly recommended to upgrade to versions 20.1.7, 21.2.11 and 22.0.9.

The post Clop and LockBit Ransomware Exploit Fresh Vulnerabilities in PaperCut appeared first on Gridinsoft Blog.

Clop ransomware operators claim to be behind recent attacks on a 0-day vulnerability in the GoAnywhere MFT secure file transfer tool.

Hackers claim that thanks to this bug they stole the data of 130 organizations.

We also reported that Exploits for Vulnerabilities in Three Popular WordPress Plugins Appeared on the Network.

As a reminder, GoAnywhere MFT is a file transfer tool designed to help organizations securely share files with partners and maintain audit trails of whose who has accessed shared files. Behind its creation is Fortra (formerly known as HelpSystems), which also develops the well-known and widely used Cobalt Strike tool, aimed at pentesters and the red team, and focused on operation and post-operation.

In early February, it became known that Fortra developers discovered an RCE exploit and attacks on the GoAnywhere MFT, after which they were forced to temporarily disable their SaaS service.

At the same time, it was emphasized that the exploitation of the vulnerability requires access to the administrative console, which under normal conditions should not be accessible via the Internet at all. However, Shodan detects about 1000 available GoAnywhere instances on the Internet (although only about 140 installations were seen on ports 8000 and 8001, which are the defaults used by the affected admin console).

On February 7, 2023, Fortra released an emergency patch for this 0-day vulnerability (7.1.2) and urged all customers to install it as soon as possible.

As reported now, the vulnerability eventually received the identifier CVE-2023-0669 and indeed allows attackers to remotely execute arbitrary code in the GoAnywhere MFT if the administrative console is open for access via the Internet.

Bleeping Computer journalists write that Clop ransomware operators told them that they successfully exploited this bug to hack many different companies.

The hackers also stated that they could use the vulnerability to move through the networks of their victims and deploy extortionate payloads, but decided not to do this and limited themselves to stealing documents stored on compromised GoAnywhere MFT servers.

The publication was unable to confirm or deny the claims of the hackers, and Fortra representatives did not respond to letters asking for additional information about the attacks on CVE-2023-0669.

However, it is noted that Huntress Threat Intelligence expert Joe Slowik was able to link the attacks on the GoAnywhere MFT with the TA505 group, which was previously known for deploying the Clop ransomware in the networks of its victims.

The media also wrote that PoC Exploit for PlayStation 5 Appeared, but It Works Only in 30% of Cases.

The post Clop Operators Claim to Hack 130 Organizations Using GoAnywhere MFT Bug appeared first on Gridinsoft Blog.

Let me remind you that the first Raspberry Robin malware was found by analysts from Red Canary. In the spring of this year, it became known that the malware has the capabilities of a worm, spreads using USB drives, and has been active since at least September 2021. The cybersecurity company Sekoia even observed that back in November last year, malware used Qnap NAS devices as control servers.

It’s also worth noting that during the summer, Microsoft researchers discovered the presence of Raspberry Robin on the networks of hundreds of organizations from various industries, some of which were in the technology and manufacturing sectors. At that time, the targets of the attackers remained unknown, since at that time they did not yet have access to the networks of the victims.

And also, as we already reported, Microsoft Links Raspberry Robin Worm to Russian Grouping Evil Corp.

Over the past months, the worm has reportedly spread to networks that now belong to nearly 1,000 organizations. In the past 30 days alone, Microsoft analysts have seen Raspberry Robin payloads on 3,000 devices in nearly 1,000 organizations.

Moreover, according to experts, Raspberry Robin operators have now become access brokers, that is, they sell access to networks of hacked companies to other criminals. For example, the malicious activity of the aforementioned DEV-0950 group intersects with the activity of the financially motivated hack groups FIN11 and TA505, which are deploying the Clop ransomware in their target networks.

Raspberry Robin and Clop Attack Scheme

Moreover, due to Raspberry Robin, other threats also penetrated victims’ devices, including payloads of malware such as IcedID, Bumblebee and TrueBot.

Analysts summarize that from a widespread worm that did not show any activity after infection, Raspberry Robin has become one of the largest malware distribution platforms.

So, earlier researchers have already noticed that with the help of Raspberry Robin, the FakeUpdates (aka SocGholish) backdoor, which experts associate with the Evil Corp hacker group, was delivered to victims’ devices. Now there are much more malware that penetrates the systems of victims because of this worm.

The post Raspberry Robin Worm Operators Now Trade Access appeared first on Gridinsoft Blog.

Imagine a firm gets attacked by ransomware. It is not a novelty that, besides encrypting the data belonging to the company (to demand ransom for giving the data back,) the crooks also steal the data before its encryption. They can sell the data afterward. It is called a double-extortion scheme.

LockBit Weaponizes Its Victim’s Clients

However, if the enterprise administration doesn’t negotiate with the racketeers, they have thought up a way to make them do so. They contact the clients, partners, and employees of the victimized company and notify them about the company’s total neglect of the safety of data that has to do with people who trust the company and deserve its responsible care. Ransomware group thus encourages affected individuals to push the companies to do something about the leak.

Callow calls it ‘weaponizing’ clients (not only clients, though.) Ransomware gangs share links to specially created web pages where alleged victims can check whether their data ended up in the possession of the malefactors. Sometimes crooks allow paying for excluding an individual’s information from the total pile of the stolen data, while sometimes, it is impossible. However, there is no guarantee that such a procedure is technically possible since ransomware must have the relevant architecture to allow partial decryption of specified data alongside full decoding.

In the LockBit case, clients of victimized companies are warned about auctions that are going to take place before the personal data (including names, addresses, social security numbers, phone numbers, emails, etc.) is published.

Brett Callow notes that LockBit is not the first ransomware gang to practice such ‘client weaponizing.’ ALPHV and Cl0p operators did the same thing earlier this year and last year, respectively.

How do Auctions Look?

Even more interesting is that the LockBit victim companies, while being possibly pushed by their employees and customers, have a chance to play a game of patience on the auction: they are allowed to destroy all the malefactors-controlled data at once by paying a certain amount of money. At the same time, anyone can pay the same amount to download all the information. Both options get cheaper and cheaper simultaneously. On the one hand, nobody forces company administrators to pay the initial amount. On the other hand, as soon as the price gets low enough, someone might want to buy the data to download it. And that’s it!

The post LockBit Weaponizes Its Victims’ Clients – Brett Callow appeared first on Gridinsoft Blog.

Most of them start off by exploiting the CVE-2021-35211 bug in Serv-U Managed File Transfer and Serv-U Secure FTP. This issue allows a remote attacker to execute commands with elevated privileges on the affected server.

SolarWinds fixed this bug back in July 2021, after discovering the “only attacker” who used this vulnerability in attacks. Then the company warned that the vulnerability affects only clients who have enabled the SSH function, and disabling SSH prevents the exploitation of the bug.

As the NCC Group now reports, Clop operators have also begun to exploit the vulnerability in their attacks, although they typically relied on explanting 0-day issues in Accellion and phishing emails with malicious attachments. Now attackers use Serv-U to launch a subprocess under their control, which allows them to run commands on the target system. This paves the way for malware deployment, network reconnaissance, and lateral movement, creating a solid platform for ransomware attacks.

Certain errors in the Serv-U logs are a characteristic sign of exploitation of this vulnerability. So, the error should look like the following line:

‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’

Another sign of exploitation of the bug are traces of the PowerShell command used to deploy Cobalt Strike beacons on the affected system.

The NCC Group has published a system administrator checklist that can check systems for signs of compromise:

• check if your Serv-U version is vulnerable;
• find the DebugSocketlog.txt file for Serv-U;
• Look for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’;
• check event ID 4104 in the Windows event logs for the date and time of the exception error, and look for suspicious PowerShell commands.
• check for the captured scheduled RegIdleBackup task;
• CLSID in COM should not be set to {CA767AA8-9157-4604-B64B-40747123D5F2};
• If the task contains a different CLSID: check the contents of the CLSID objects in the registry, the returned Base64 strings could be an indicator of compromise.

The researchers note that most of the vulnerable Serv-U FTP systems are in China and the United States.

Let me remind you that I wrote that the Cyber police of Ukraine arrested persons linked with the Clop ransomware, but also that Clop ransomware continues to work even after a series of arrests.

The post Clop ransomware exploits vulnerability in SolarWinds Serv-U appeared first on Gridinsoft Blog.