Robin’s Newsletter #260

11 June 2023. Volume 6, Issue 24
Clop ransomware beaches MOVEit file transfer systems. Barracuda urges rip-and-replace of their email security gateways. Snowden leaks, ten years on.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Clop ransomware breach multiple MOVEit file transfer customers

  • British Airways, the BCC and pharmacy Boots have all announced that employee personal data has been stolen by cybercriminals who gained access to a file transfer system used to exchange files by large companies. ‘Tens of thousands’ of employees are said to be affected.
  • Rather than encrypting systems and demanding a ransom to release systems, the cybercriminals have stolen the data and are demanding payment to not release it in a tactic known as ‘hack and leak’.
  • Microsoft says the Clop ransomware gang is behind the attacks and, while the big-name brands have captured headlines in the UK, the compromise was at a supplier to these businesses: payroll provider Zellis, who counts nearly half of the FTSE100 as customers. Zellis is a customer of Progress Software’s MOVEit file transfer software, and this system has been exploited to gain access to the data. Clop (aka Cl0p) has given the victims until 14th June to meet their demands or face the data being released. In practice, it’s difficult to have confidence that, even if a victim pays, the data would be deleted and not surface online or sold to another party at some point.
  • Progress Software notified customers of a weakness in their MOVEit software on 31st May and has provided a software patch. The SQL injection vulnerability, tracked as CVE-2023-34362, allows an unauthenticated attacker to gain access to the internal MOVEit database. An investigation for one affected customer by Kroll found evidence of compromise that may date back as early as July 2021
  • When approached by the Financial Times, Progress Software declined to comment on how many of its customers were affected. Over 2,500 MOVEit Transfer Servers were Internet-accessible and discoverable in the search engine Shodan. Expect the list of affected organisations to grow in the coming weeks.
  • A saving grace appears to be that, rather than managing to gain access to the underlying IT environment of victims, the Clop cybercriminals only seem to have gained unauthorised access to the contents of data stored in customers’ MOVEit instances. This is good news for victims and speeds up the response process, though the consequences of the data theft remain the same.
  • The scale of the incident is by virtue of the volume of information that naturally resides in large file transfer systems like MOVEit, compounded when a large outsourcer, like Zellis, is compromised and causes a cascade effect through the supply chain.
  • These characteristics make file transfer systems an attractive target for cybercriminals, with notable previous examples including Accellion (vol. 4, iss. 9) in 2021, and Fortra (vol. 6, iss. 14) earlier this year. New victims of the Fortra breach are still coming to light, with medical payments business Intellihartx filing a notice with authorities this week that confirms criminals stole another 500,000 people personal and health information in February.

Barracuda Networks warns customers to rip-and-replace email hardware

  • Barracuda Networks is urging customers to replace, rather than patch, its email security gateways. A vulnerability was patched recently (vol. 6, iss. 23) after unusual traffic was detected originating from some Barracuda appliances. The attack was determined to have begun as early as October 2022. Now the firm is saying that patching is insufficient and that “[impacted] ESG appliances must be immediately replaced regardless of patch version level”, with the cost of replacement hardware being covered.
  • Barracuda’s statement says it believes only 5% of its customer base is affected, with Rapid7 estimating 11,000 Email Security Gateway (ESG) devices being accessible to the Internet.
  • It’s a remarkable change, suggesting a much more severe level of compromise and lack of confidence in the fix’s ability to remediate the issue. The attackers likely managed to achieve persistence in a really low level of the ESG device, potentially at the UEFI/BIOS level.

Snowden leaks, ten years on

”The NSA got incredibly lucky; this could have ended with a massive public dump like Chelsea Manning’s State Department cables. I suppose it still could. Despite that, I can imagine how this feels to the NSA. It’s used to keeping this stuff behind multiple levels of security: gates with alarms, armed guards, safe doors, and military-grade cryptography. It’s not supposed to be on a bunch of thumb drives in Brazil, Germany, the UK, the US, and who knows where else, protected largely by some random people’s opinions about what should or should not remain secret.” — Bruce Schneier, from an essay he wrote in 2013, along with reflections on the Snowden leaks a decade on.

Incident response: Lessons lost?

  • A new study into Incident Response in the Age of Cyber Insurance and Breach Attorneys (PDF) is damning of the models favoured by the US cyber insurance market. The study found that many lawyers insist on fronting investigations under the guise of claiming ‘legal privilege’ on the results and, increasingly (see Interesting Stats, below) do not request or complete reports when conducting investigations so that findings cannot be exposed during any subsequent litigation. Collectively the model prevents insurers and victims from being able to improve:

”…the advice of breach attorneys leads to lessons lost rather than lessons learned.” — Woods et al.

Interesting stats

~75% — ~95% of security incidents investigated by breach attorneys and forensics firms engaged through US cyber insurers no longer produce formal reports. (See Lessons Lost above).

Other newsy bits / in brief

  • The US Securities and Exchange Commission (SEC) has dropped 42 cases]( because it didn’t maintain appropriate separation between adjudication and enforcement staff. Poor access control meant that information intended for ‘judges’ eyes only’ was accessible by enforcement teams bringing the cases to be heard by the SEC’s in-house court.

  • People are selling pirated access to OpenAI’s GPT-4 large language model having found API keys exposed to the Internet, with the original OpenAI customer footing the bill. The explosion of hype around artificial intelligence has led to many company projects exploring how large language models may benefit their businesses. Presumably, many of these prototypes are being stood up quickly by innovation teams, with source code accessible or systems not adequately hardened, exposing their organisation to fraud.

  • A Florida man has pleaded guilty to selling counterfeit networking equipment. ‘Pro Network Entities’ had Chinese vendors modify old, used or low-grade network devices to appear as if they were brand new Cisco kit, with pirated firmware used to avoid Cisco license and hardware checks. The man, Onur Aksoy, appears to have been financially motivated rather than engaged in espionage, however the equipment ended up in government, military, healthcare and other organisations, with many reporting poor quality and performance from the dodgy kit.

  • Lazarus Group, the North Korean cyber unit, was behind the theft of $35 million in cryptocurrency from Atomic Wallet last week, according to Elliptic. North Korea relies heavily on illegitimate and criminal activities to fund its country’s programmes, including the development of nuclear weapons.

  • Cool: Red Balloon Security has developed a robot to automate cold boot attacks, where encryption keys can be read from RAM after being chilled to very low temperatures.

  • VMware has released security patches to fix three critical and high-severity vulnerabilities in the VMware Aria Operations for Networks solution, formerly known as vRealize Network Insight. The most serious, CVE-2023-20887, allows an unauthenticated user on the same network to perform a command injection attack, leading to remote code execution.

  • ‘Dozens’ of mods for the popular game Minecraft have been infected with Windows and Linux malware called Fracturiser.

  • Google Workspace customers can opt-in to a beta allowing their users to authenticate with passkeys instead of passwords.

And finally

Trump’s data dump

Boxes of documents stacked around a toilet and in a shower at Donald Trump’s Mar-a-Lago resort (source: DOJ)

  • Donald Trump has been indicted on 37 felony counts for violating the espionage act, obstruction of justice and false statements. Amongst the 49-page document laying out the charges against the former president were photographs showing boxes containing classified information on the stage and in a bathroom at his Mar-a-Lago resort. H/t to @shashj for the pun.

  Robin's Newsletter - Volume 6

  Clop Ransomware MOVEit File Transfer Barracuda Networks Edward Snowden Incident Response Continual Improvement