Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 6, 2023
Severity High Analysis Summary Stealc is a new malware that was first marketed by an actor named Plymouth on the XSS and BHF Russian-speaking underground forums […]September 6, 2023
Severity High Analysis Summary CVE-2023-40743 Apache Axis could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the […]September 6, 2023
Severity High Analysis Summary CVE-2023-4763 CVSS:8.8 Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in Networks. […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 6, 2023
Severity High Analysis Summary Stealc is a new malware that was first marketed by an actor named Plymouth on the XSS and BHF Russian-speaking underground forums […]September 6, 2023
Severity High Analysis Summary CVE-2023-40743 Apache Axis could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the […]September 6, 2023
Severity High Analysis Summary CVE-2023-4763 CVSS:8.8 Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in Networks. […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – North Korean APT Kimsuky Aka Black Banshee – Active IOCs
June 19, 2023
Rewterz Threat Advisory – Multiple Fortinet FortiOS and FortiProxy Vulnerabilities
June 19, 2023
Severity
High
Analysis Summary
Shell, a major player in the oil and gas industry, has confirmed that it is one of the victims of a large-scale ransomware campaign conducted by the notorious Clop gang. The cybercriminals have exploited a zero-day vulnerability in the MOVEit Transfer tool from Progress to carry out their attacks. This zero-day vulnerability is tracked as CVE-2023-34362 and is being actively exploited by threat actors to steal sensitive data from organizations worldwide.
Upon discovering the security breach, Shell immediately launched an investigation into the incident. Fortunately, the company has stated that the attack had no impact on its core IT systems. However, a small number of Shell employees and customers who utilize the third-party tool MOVEit Transfer have been affected. Shell spokesperson Anna Arata confirmed that the company’s IT teams are actively investigating the situation to assess any potential risks and take appropriate actions.
The Clop ransomware gang, responsible for this campaign, claims to have successfully hacked hundreds of companies by leveraging the aforementioned zero-day vulnerability. Interestingly, researchers have found evidence indicating that the Clop gang had been searching for a zero-day exploit in the MOVEit software as early as 2021. As of now, the ransomware group has already listed 27 companies as victims on their dark web leak site, claiming to have compromised them by exploiting the CVE-2023-34362 vulnerability.
In response to media reports suggesting that government data had been compromised, the Clop gang posted a message on their leak site denying any involvement in such activities. They emphasized that their primary motivation is financial gain and they have no interest in politics or government data. They also stated that if companies place their data on unprotected and unencrypted file transfer services, they should not blame the hackers for their actions.
Worryingly, cybersecurity firm discovered approximately 2,500 publicly accessible instances of MOVEit Transfer on the internet, with a significant number located in the United States. The United Kingdom, on the other hand, had 127 installations of the tool. As a result, UK’s communications regulator Ofcom has also fallen victim to the ongoing Clop ransomware campaign. Additionally, Zellis, a payroll services provider, was targeted, leading to data breaches affecting various companies. Among the impacted firms are the BBC, British Airways, Boots (a health and beauty retailer and pharmacy chain), and Aer Lingus (an airline).
It is worth noting that Shell had previously disclosed a data breach in March 2021 resulting from the compromise of an Accellion File Transfer Appliance (FTA) utilized by the company. The recent attack underscores the persistent and evolving threat landscape faced by organizations, emphasizing the critical importance of robust cybersecurity measures to safeguard sensitive data and prevent unauthorized access by threat actors.
Impact
- File Encryption
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-34362
Affected Vendors
MOVEit
Affected Products
- Progress MOVEit Transfer 13.0.5
- Progress MOVEit Transfer 13.1.3
- Progress MOVEit Transfer 14.0.3
- Progress MOVEit Transfer 14.1.4
- Progress MOVEit Transfer 15.0.0
Remediation
- Refer to Progress Web site for patch, upgrade or suggested workaround information.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
- Conduct a thorough assessment to determine the extent of the ransomware attack. Identify the systems, files, and data that have been compromised or encrypted by the Clop ransomware.
- If reliable and unaffected backups are available, ensure they are secure and intact. Disconnect any compromised backup systems to prevent further encryption. Restore data and systems from clean backups once the affected systems have been cleaned and secured.
- Restrict user privileges and implement the principle of least privilege. Users should only have access to the systems and files necessary for their roles, reducing the potential impact of ransomware attacks