(The following transcript is an edited version of the start of this edition’s discussion. To hear the full conversation play the podcast.)
Jim Love: Welcome to Cyber Security Today on the weekend. I’m Jim Love, CIO of IT World Canada and the host of our daily news podcast, Hashtag Trending. Howard is off today and asked me to fill in for him. As a bonus, I get to share the microphone with David Shipley from Beauceron Security.
Howard usually does a summary of the week’s stories, but we’re going to do things a little bit differently. We’re going to cover the main stories of the week, but get that mixed in with the discussion part of the show. The number one story out there is the Clop ransomware group has somehow infiltrated MOVEit file transfer software.
David Shipley: This is a hat trick for the Russian-speaking gang. They, of course, are previously famous for hits such as the GoAnywhere and the Accellion [file transfer applications] breaches. GoAnywhere was January, 2023, Accellion was 2020. So they’ve clearly found a software niche that makes sense to hit. And boy did they hit it. There are some estimates that could put the total number of victims between 2,500 and 3,000. Clop itself came out a little bit sheepishly with their note after Microsoft outed them [last weekend] with a new naming convention, calling them Lace Tempest. [Editor’s note: Under Microsoft’s new threat actor naming convention, groups are named after weather events. “Tempest” indicates a financially-motivated group. Clop had been tied to the group tracked as FIN11.]
So Clop came forward, and interestingly enough usually they take about a month to send nasty little extortion notes to executives of companies. But in this case, they’re so overwhelmed with the loot that they managed to score that they’re now telling affected folks to reach out to them and that they’ll respond back.
Jim: How many places have they actually hit? Howard’s done a story on data of an estimated 100,000 Nova Scotia health and government employees being stolen. Is that the same gang?
David: Yes. What’s important to note is it could be 2,500 to 3,000 organizations impacted, and the total number of individuals is likely in the hundreds of thousands, if not millions. We know the BBC, British Airways, Aer Lingus and some payroll providers were hit. We’re going to have months of companies coming forward saying, ‘Yeah, we were impacted.’
Jim: Well, Zellis is the biggest payroll provider in the U.K. Was this a ransomware attack, or data exfiltration?
David: This is classic extortion. This is hack and steal. It just goes to show you once these gangs develop a multilayered ‘sales’ approach they can win on either or sometimes both [ransomware and data theft]. What’s fascinating about Clop is in their [extortion] note they say, ‘If you’re a government agency or a government we’re just going to delete your stuff. Don’t worry. Don’t get too anxious. We shouldn’t hate you.’ Which I think is hilarious, because you’re going to have to trust thieves.
Jim: In going after payroll and health, this is the Holy Grail of hackers. You don’t get more personal than that data.
David: And in the case of Nova Scotia, it affects multiple employees — civil servants, the health department, a hospital and others. This wasn’t patient information; this was payroll information, like SIN (Social Insurance) numbers, banking, all that stuff. You know the stress that this can cause? And the average losses for folks [studies show from data breaches] is about $4,000. This is a lot of hurt. So $4,000 times 100,000 people, you’re talking some real money in terms of the negative potential financial impact — let alone the emotional impact.
Jim: What is it with file transfer software? This isn’t the first time [hackers have found vulnerabilities]. Nobody seems to learn the lessons from this. Using a commercial file transfer software to transfer sensitive information, does that seem like a good idea to you?
David: Compared to what’s likely previous decisions to send stuff by email, probably. The reality is … we want to have more efficient governments able to offer better services to their employees and to others. We want to be digital. We want to be digitally transformed. We want to be efficient. Well, in order to do that we need online services. So they’ve got two choices: Build [applications], which means they’ve got to maintain all the software, stay on top of all the vulnerabilities, keep a crew of trained, top-edge cybersecurity folks who are coding; or you buy applications from global vendors who are supposed to have this stuff figured out. No software is perfect. What’s interesting about this particular vulnerability in MOVEit is it’s like the old hits — it’s SQL injection. This is input sanitization. Software is complex, and what’s really vicious is Clop, who found a vertical and a specific part of the supply chain that has repeatedly borne fruit, and so they’ve decided to specialize. There’s no greater example we can give of how a gang just keeps working and repeating what’s been successful. I don’t know who the fourth most popular file transfer software maker is, but I would be battening the hatches down — along with anybody else in the [file transfer] space, because Clop’s coming to reap the rewards [if it can find a vulnerability]. You got to feel bad, because how many people moved from Accellion to GoAnywhere and then to MOVEit?