Recent research has unveiled that a vulnerability in the MOVEit file transfer app has affected 2,620 organisations and 77.2 million individuals since May. The Russian-linked ransomware group Clop exploited this flaw, stealing data and extorting organisations. This week, millions more people have been notified that their information may have been accessed, leaked, or both.
The United States has the most victims, with 78.1% of the impacted organisations located there. Canada follows with 14%, Germany with 1.4%, and the UK with 0.8%. The education sector is most heavily affected, constituting 40.6% of these organisations. Health sector organisations make up 19.2%, and finance and professional services account for 12.1%. These findings are based on public disclosures, SEC filings, state breach notifications, and Clop's website data.
Even Gen Digital, the parent company of Norton and Avast, fell victim to this attack. Avast acknowledged a breach involving "low-risk personal information" of three million customers.
Notably, the attack impacted not just private entities but also government organisations. Among them are the BBC, Boots Retail, Alogent, Colorado Department of Health Care Policy and Financing, Welltok, US Department of Energy, Shell Oil, British Airways, Aer Lingus, Genworth, and Estee Lauder.
Progress Software Corporation, responsible for MOVEit, is now under investigation by the US Securities and Exchange Commission (SEC). Additionally, a class action lawsuit has been initiated by Hagens Berman, a consumer rights law firm. Many affected organisations and individuals are seeking damages.
A critical patch has been released to address this vulnerability. It is imperative for organisations to implement this patch immediately to mitigate further risks.
A significant cyberattack on Signature-IT, an Israeli website hosting company, disrupted the online operations of 40 companies, primarily in e-commerce.
The National Cyber Directorate confirmed that the attack targeted Signature-IT's servers, affecting clients like Home Center, Kravitz, and notable firms such as IKEA Israel.
Over the weekend, the online stores of Home Center and Kravitz ceased functioning, with Home Center announcing a "cyber-terrorist attack" and Kravitz simply stating its website was "temporarily inactive". The Cyber Directorate clarified that the websites' shutdowns were due to the attack on Signature-IT, not the companies themselves.
The attackers also accessed mailing lists on Signature-IT's servers, using them to send hostile messages to thousands of Israelis. While no credit card information was stored on the servers, customer data such as names, phone numbers, email addresses, and purchase histories were potentially compromised, raising concerns about future phishing attacks.
The full extent of the cyber attack’s impact is yet to be disclosed, with the Israeli Cyber Directorate considering emergency regulations to address such incidents more effectively. Signature-IT's official response to the incident is still pending.
The British Library's significant IT outage in October was confirmed to be the result of a cyberattack by the Rhysida ransomware gang. The group is currently auctioning data allegedly stolen from the national library, with bidding open for the next week. Rhysida has also released a low-resolution screenshot purportedly showing ID scans from the library's compromised system.
The FBI and CISA last week issued warnings about Rhysida's opportunistic attacks targeting various sectors, including education, healthcare, manufacturing, information technology, and government. Rhysida operates on a ransomware-as-a-service model, sharing ransom payments between the group and its affiliates.
The British Library's press office confirmed a leak of internal HR documents and advised users to reset their passwords as a precaution. However, the library has so far found no evidence that the attackers accessed other sensitive information.
The library acknowledged the ransomware attack, stating, "We have now confirmed that this was a ransomware attack by a group known for such criminal activity. We are aware that some data has been leaked, which appears to be from files relating to our internal HR information." The full extent of the cyber attack's impact is still being assessed.
The Idaho National Laboratory (INL), a U.S. Department of Energy nuclear research centre, has confirmed a cyberattack following the online leak of human resources data by 'SiegedSec' hacktivists. INL, employing over 5,700 specialists, is known for its expansive research in various fields, including nuclear energy, cybersecurity for control systems, advanced vehicle testing, bioenergy, and robotics.
On Monday, SiegedSec declared they had accessed INL's data, leaking details of "hundreds of thousands" of employees and system users. This leak, which includes names, birth dates, email addresses, phone numbers, Social Security Numbers, physical addresses, and employment information, was posted on hacker forums and a Telegram channel without any ransom demands or negotiations.
SiegedSec also shared screenshots as alleged proof of their breach, showing internal INL tools and the creation of a custom announcement about the breach within INL's system.
INL has not yet issued a formal statement but confirmed the breach through a spokesperson, who stated that it affected servers supporting the Oracle HCM system used for HR applications. Immediate actions were taken to protect employee data, and the incident is under federal investigation.
Although no nuclear research data was reportedly accessed or disclosed, the breach at INL, a critical part of U.S. infrastructure, is expected to draw increased law enforcement attention to the activities of SiegedSec.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Integrity360's flagship conference Security First comes to Stockholm in 2023!
Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.