Clop Crime Group Adds 62 Ernst & Young Clients to Leak Sites – Source: www.govinfosecurity.com

3rd Party Risk Management
,
Fraud Management & Cybercrime
,
Governance & Risk Management

Victims Include Airline, Banks, Hospitals, Retailers in Canada

Prajeet Nair (@prajeetspeaks) •
July 11, 2023    

The growing list of MOVEit cyberattack victims has grown. Sixty-two 62 clients of Big Four accounting firm Ernst & Young now appear on the Clop ransomware group’s data leak sites.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

The Clop ransomware group’s supply chain attack on the popular MOVEit file transfer software leaked 3 terabytes of critical information about Ernst & Young clients including financial reports and accounting documents in client folders, passport scans, Visa scans, risk and asset management documents, contracts and agreements, credit agreements, audit reports and account balances.

Most of the recently named victims are from Canada and include Air Canada, Altus, Amdocs, Constellation Software, EY-Continental Transition, Laurentian Bank of Canada, LendLease, Sierra Wireless, SSC Fraud Risk Assessment, St. Mary’s General Hospital Surgical Services Review, Staples Canada, Sun Life Assurance of Canada, United Parcel Service Canada Ltd. and more.

The hacking campaign came to light after the Russian-speaking cybercrime group Clop began targeting a previously unknown vulnerability in MOVEit around May 27 and May 28.

A spokesperson for Ernst & Young confirmed that a “limited” attack on the accounting firm’s systems had occurred. “We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” the spokesperson said. “We are manually and thoroughly investigating systems where data may have been accessed. Our priority is to communicate to those impacted, as well as the relevant authorities, and our investigation is ongoing.”

Security experts count a total of 150 organizations affected by the attacks, which compromised the personal data of over 16 million individuals.

Ian Thornton-Trump, chief information security officer at Cyjax, told Information Security Media Group it appears that Clop has been very successful in gaining unauthorized access to the organization’s data – not entirely by just exploiting Progress Software’s MoveIT service/appliance, which is now on its third patch due to persistent injection vulnerabilities.

“There is no doubt in my mind that sensitive data exists within this data set, and companies need to be actively monitoring the data breach/ransomware ecosystem to determine the organization’s potential exposure directly or indirectly through a supply chain partner compromise,” Thornton-Trump said.

The old pieces of software that have been used for decades by firms and are part of firmly established business processes are not up to the rapid exploit development capabilities of threat actors such as Clop and others, he said.

Thornton-Trump said the external-facing services are old and contain weak and insecure code and protocols that are extremely vulnerable without mitigating controls in place, such as web application firewalls, whitelisting access controls with multifactor account protections and SIEM/SOAR capabilities to constantly monitor and look for anomalous behavior.

“If that vulnerable service has been part of your infrastructure for ages, there is a good chance the cybercriminals will know about it and target it as a top priority,” the researchers said.

Critical SQL Injection Flaw

The discovery of the MOVEit Transfer application zero-day vulnerability has exposed other vulnerabilities. In addition to revealing a third critical SQL injection vulnerability affecting its managed file transfer web application, researchers at Progress Software also recently reported two high-severity bugs (see: Latest MOVEit Bug Is Another Critical SQL Injection Flaw).

The critically rated bug, tracked as CVE-2023-36934, with a CVSS score of 9.8, allows remote attackers to bypass authentication on affected systems and execute arbitrary code, said Progress Software in a security advisory.

The latest vulnerability shares commonalities with the first flaw, CVE-2023-34362, which has been actively exploited over the past month by the Clop ransomware group to exfiltrate data from hundreds of victim organizations for extortion (see: Extortion Group Clop’s MOVEit Attacks Hit Over 130 Victims).