A group of “hackers” based in Russia has managed in recent weeks to infiltrate more than sixty organizations and companies, including various agencies of the US Government, the BBC, British Airways and the Shell company, by finding and exploiting a vulnerability in widely used software; according to one expert, this is just the tip of the iceberg.
The official Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged that it has no evidence that the attackers act in coordination with the Kremlin, and the attackers themselves have declared that they have no political motivations.
The attackers exploited a vulnerability in software called “MOVEit”, which is widely used by organizations of all kinds to encrypt files and transfer data securely.
“The software itself is used by different organizations ranging from financial services to healthcare, government and the military. So naturally, if the group found this vulnerability and had time to exploit it, it would have a very wide variety of victims,” explained Satnam Narang, a senior research engineer at cybersecurity firm Tenable, in an interview.
Narang stressed that there is a “snowball effect”: “As time goes by, the snowball gets bigger. We’re going to find out more and more who these victims are, because naturally some of the victims will come out and admit it, but not all of them will make it public.”
In the last 24 hours, the number of affected victims announced by the hackers went from 26 to 63, according to what Brett Callow, an Emsisoft threat analyst, shared on social networks.
The hackers behind the attack
Behind the cyberattack is the CL0p group, which has its base of operations in Russia, a senior US government official said in statements to the press on Thursday.
According to Narang, CL0p started around 2019 and is a variant of another malware or ransomware known as CryptoMix.
The group had given the victims until Wednesday to contact them about paying a ransom.
In a statement written in red capital letters and published on a page of the dark web – a hidden set of internet sites that can only be accessed through a specialized web browser – CL0p stressed today that they “don’t care about politics” and are only “financially motivated”.
“We want to remind all companies that if they put data on the internet where there is no protection, don’t blame us,” reads the CL0p text that was shared by Callow.
CL0p erased government data
Yesterday, in another message, the hackers warned the hacked organizations of an official nature (they cited “a government, city or police service”) that they did not need to contact them, as they had already “deleted all your data” and had “no interest in exposing such information.”
The reason for this message, according to Narang, is that if they openly attack such bodies, “they are basically playing with fire.”
“When you start targeting entities like governments, cities, police, hospitals, you get the attention of government agencies around the world, and so they can imagine the United States, the United Kingdom, Australia, New Zealand with their eyes on CL0p and if they see that they’ve had this impact on some of their organizations, they’re going to further mobilize their efforts to try to go after these ransomware groups,” emphasizes the expert.
Million dollar rewards
Regarding the money that the group is asking for from the victims, Narang points out that unlike other hackers, CL0p does not usually make this information public.
“They invite their victims to contact them via email or a link dedicated exclusively to the victim. The affected organization then goes to a chat where it negotiates with CL0p representatives. The amount of money, depending on the size of the business, can vary from 50,000 dollars, to 300,000 or several million.”
“Check the software”
Ipswitch, the company that developed the compromised software, gave details on June 5 in a statement of the vulnerability that had been discovered in “MOVEit” and announced that it had opened an investigation, in addition to working with its clients to avoid any harm.
Narang suggests that companies using this type of technology “take a break and check your software.”
“Correctly, do some sort of security audit to determine whether or not there are vulnerabilities. If CL0p has managed to successfully exploit vulnerabilities in three types of file transfer, it can be guaranteed that they will target another (vulnerability) in the next six months.”
Source: EFE
Source: Gestion

Ricardo is a renowned author and journalist, known for his exceptional writing on top-news stories. He currently works as a writer at the 247 News Agency, where he is known for his ability to deliver breaking news and insightful analysis on the most pressing issues of the day.