Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – APT28 Exploits Roundcube Email Servers in Cyberattack on Ukrainian Entities – Active IOCs
June 23, 2023Rewterz Threat Intel – CVE-2023-35719 – Zoho ManageEngine ADSelfService Plus Vulnerability
June 23, 2023
Severity
High
Analysis Summary
Gen Digital Inc., the parent company of Norton, has fallen victim to a ransomware attack that targeted the recently disclosed MOVEit zero-day vulnerability. Gen Digital is a multinational software company specializing in cybersecurity software and services, owning brands such as Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner.
The attack leveraged the MOVEit Transfer vulnerability (CVE-2023-34362) which is a SQL injection vulnerability in the managed file transfer system used by enterprises for secure file transfers via SFTP, SCP, and HTTP-based uploads. The Clop ransomware group, also known as Lace Tempest, has claimed responsibility for the attack and has been credited by Microsoft for exploiting the zero-day vulnerability.
The Clop ransomware gang targeted hundreds of companies globally through the MOVEit Transfer vulnerability and published an extortion note on the dark web, stating that they possess sensitive information from these organizations.
During the attack, the threat actors gained access to the personal information of Gen Digital’s employees, including names, addresses, birth dates, and business email addresses. However, the company clarified that its core IT systems and services remained unaffected, and no customer or partner data was exposed.
“We use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed”, told company
Gen Digital promptly took action to protect its environment, investigate the incident, and notify the relevant data protection regulators and affected individuals. Other notable victims of ransomware attacks exploiting the MOVEit Transfer zero-day vulnerability include the U.S. Department of Energy, British Airways, Boots, the BBC, Aer Lingus, Ofcom, Shell, and the University of Rochester.
Impact
- File Encryption
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-32439
- CVE-2023-32435
- CVE-2023-32434
Affected Vendors
MOVEit
Affected Products
- Progress MOVEit Transfer 13.0.5
- Progress MOVEit Transfer 13.1.3
- Progress MOVEit Transfer 14.0.3
- Progress MOVEit Transfer 14.1.4
- Progress MOVEit Transfer 15.0.0
Remediation
- Refer to Progress Web site for patch, upgrade or suggested workaround information.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
- Conduct a thorough assessment to determine the extent of the ransomware attack. Identify the systems, files, and data that have been compromised or encrypted by the Clop ransomware.
- If reliable and unaffected backups are available, ensure they are secure and intact. Disconnect any compromised backup systems to prevent further encryption. Restore data and systems from clean backups once the affected systems have been cleaned and secured.
- Restrict user privileges and implement the principle of least privilege. Users should only have access to the systems and files necessary for their roles, reducing the potential impact of ransomware attacks