A few days ago it became known that the MOVEit data transfer software used by the AOK had a blatant vulnerability. The BSI even registered a data leak. In the meantime, there is an ultimatum on the website of the CLOP APT group: companies affected worldwide must report by June 14 and pay a ransom for their data, otherwise everything will be published.
While some experts are still arguing about who exploited and attacked the MOVEit Transfer vulnerability worldwide, the APT group released a statement on their leak page. There it is stated that they want to have stolen masses of data from many companies. The companies should report by e-mail to specific e-mail addresses. After that, they would receive an email with a link to a chat room. There they should then negotiate the ransom demand. The group calls this a "post-penetration test" and sees payment as a service and wants the data returned. However: if a company does not pay, then all data should be published on the Darknet.
Classic ransom demand – only from companies
In a chat room, CLOP then wants to hand over 10 percent of the stolen data to a company as proof. If companies do not report by June 14, 2023, the first step is to publish the name of the company concerned on the leak page. If an affected company then reports, they are given 3 days to pay. If nothing happens, CLOP wants to publish the data after 10 days. At the same time, CLOP informs that "affected government, city or police authorities should not report, since they would not be interested in publishing this data". However, it remains to be seen whether this information from cyber gangsters can be trusted.
Ultimatum until June 14, 2023
It will be interesting to see which company names will appear on the leak page on June 14, 2023. Currently, many companies have informed their customers etc. about the problem with MOVEit Transfer, but very few have mentioned a data loss. It is to be hoped that the companies will have the courage not to pay the demands. After all, this only finances new attacks on themselves and other companies. According to Trend Micro, one paid attack funds 9 more.
The CLOP Group advertises on its leak page that it would securely delete the data as soon as a company has paid. This would even be proven by video. However, anyone can make a video deleting data that probably continues to exist as a copy. Writing on the CLOP leak page starts as follows. However, we have removed the additional instructions and email addresses;
“DEAR COMPANY.
CLOP IS ONE OF THE LEADING ORGANIZATIONS OFFERING POST-POST PENETRATION TESTING.
THIS IS AN ANNOUNCEMENT TO ADVISE COMPANIES USING PROGRESS MOVEIT PRODUCTS THAT THERE IS A RISK THAT WE WILL DOWNLOAD MUCH OF THEIR DATA AS PART OF AN EXTRAORDINARY ATTACK. WE ARE THE ONLY ONE PERFORMING SUCH AN ATTACK AND YOU CAN RELAX BECAUSE YOUR DATA IS SAFE.
WE WILL ACT AS FOLLOWS AND YOU SHOULD BE CAREFUL TO AVOID EXCEPTIONAL MEASURES AFFECTING YOUR BUSINESS…..”
Do you have a moment?
Take a few minutes for our 2023 user survey and help make B2B-CYBER-SECURITY.de better!You only have to answer 10 questions and you have an immediate chance to win prizes from Kaspersky, ESET and Bitdefender.
Here you go directly to the survey
Has the AOK now lost data or not?
The AOK writes on its website that it is still checking whether data has been lost: “At the same time, further checks are being carried out to determine whether the security gap has enabled access to the social data of insured persons. As soon as this test is completed and valid results are available, the AOK community will inform you about it." The BSI, on the other hand, has in its security information from 02.06.2023 already a data outflow: “The BSI monitors the active exploitation of the vulnerability with confirmed data leakage. There is currently no evidence of malware exploitation."
More at AOK-BV.de