What is American Airlines?

Among quite a few airlines in the US, American Airlines is a bit special. Not only is the company among the oldest airlines, being 97 years old, but it is also the biggest company of its sector (by passenger flow). Being a member of multiple airlines unions, it provides both regional and international (including trans-Atlantic) flights. Such a large company is a no joke, and for attacking it you should be either exceptionally brave and confident — or extraordinarily reckless.

American Airlines Hacked by Cl0p

Over the last month, Cl0p has gotten more attention than it has ever experienced before. All is due to its extensive – and successful – use of the MOVEit MFT vulnerabilities. The managed file transfer suite appeared vulnerable to multiple exploitation scenarios, which allowed for both initial access and lateral movement. We released a chain of articles on this topic – consider checking them out if you missed that mess.

But back to the Cl0p’s attack on American Airlines. Their hacks are no joke, as each their hack is commonly complemented not only with ransomware attacks, but also extensive data extraction. The gang takes whatever they find, and in the case of American Airlines, the list of possible data categories is humungous. What’s worse, the company holds a lot of records about their passengers – which is natural for any organisation that has to deal with such a large client flow. Another natural thing though is the hackers’ interest in putting their hands on this data.

Still, it’s too early for any worries and privacy concerns. It is unclear whether the company is planning to pay the ransom or ignore the requirements. Only in the case of the latter Cl0p will publish the data or offer it for sale, on their leak site or elsewhere. The company though claimed the attack through the third party – specifically, Pilot Credentials app. However, this attack is not likely related, as Cl0p did not list another victim of the Pilot Credentials – Southwest Airlines. Moreover, the app website itself is not present on leak site as well. All this points at the fact that we are spectating a new breach.

How dangerous can this hack be?

Well, as I said, Cl0p is not a hack group that plays child’s play. Their hack most likely touches internal company information, including info on its staff and financial situation. The latter may be exceptionally sensitive, as during the pandemic, the company had some serious financial strugglings. Uncovering them may not be very pleasant to the company, as well as showing the ways they have beaten these problems.

Another side of a problem, actually, a more sensitive one, touches the possibility of customers’ data leak. This brings not only problems for people who fly with American Airlines, but also the possibility of legal consequences to the company. It becomes even worse when we remember that hackers usually put an incredibly high price tag for keeping some really important data in secret. That number may sometimes even exceed the ransom sum for file decryption.

Though, those are just my guesses. Same as anyone interested in cybersecurity does, I will keep my eye on both newsletters, the company’s public claims and Cl0p’s Darknet site. It’s almost clear that all the details will appear in a week or two.

The post American Airlines Hacked by Cl0P Gang, MOVEit Involved appeared first on Gridinsoft Blog.

NortonLifeLock Hacked via MOVEit Vulnerability

The vulnerability in Progress’ MOVEit MFT solution set the whole cybersecurity community abuzz. It allowed hackers to send external login requests to the cloud SQL database. After a successful brute force in such a manner, the crooks were receiving full access to the web repository – meaning they could upload their files and manage existing ones. Despite the patch being released pretty soon after the vulnerability discovery, it was too late. Threat actors, particularly ones who stand behind Cl0p ransomware, successfully abused the vulnerability to breach into the companys’ networks.

NortonLifeLock company, the developer of a famous Norton Antivirus, appears to be hacked via this breach as well. Along with 80+ other companies, it was listed on the Cl0p’s Darknet leak site since the beginning of summer 2023. It is not clear though whether exactly MOVEit vulnerability was used, and if it was – which one of several uncovered ones was used.

What is Cl0p Ransomware?

Cl0p ransomware gang is a Russian ransomware project backed by the threat actor known under the FIN7/Sangria Tempest name. A lot of facts point at FIN7 being related to Russian external reconnaissance service (a.k.a. SVR). The gang is famous for its cheeky pick of targets, particular passion at hacking into educational institutions and heavy use of novice software vulnerabilities. Earlier this year, Cl0p ransomware was spread after the use of vulnerability in PaperCut – another MFT solution. Though, the list of all security breaches it uses is obviously far bigger.

Getting back to the Norton hack, in the note on the Darknet site, Cl0p said nothing about the negotiations. If the company refuses to pay, hackers disclose this fact and publish the leaked data. This is not the case of Norton – their record says only about the fact of the hack. The negotiation commonly takes up to several weeks – especially if the company is ready to pay, but wishes to discuss the ransom sum.

How to protect against MOVEit vulnerability?

For any cybersecurity company, being hacked is a big reputational loss. Even though Norton is not guilty of MOVEit vulnerabilities, they were hacked and potentially let the user information leak – and that is already image-busing. Though until the detailed info regarding how exactly it was hacked, and how much data is lost, it is hard to say whether the users suffer or not. And despite Norton being not entirely guilty in this situation, they could use several preventive measures that minimise the chances of zero-day vulnerability exploitation.

Probably, the best method for 0-day counteraction is using a zero-trust security solution. They have their disadvantages – particularly high resource consumption and higher access delays – but their effectiveness is exceptionally good. When set up properly, they will not allow any program to perform an action without the diligent checkup, and that is what could have stopped the Cl0p at the moment of MOVEit breach exploitation.

The post NortonLifeLock Hacked by Cl0P Gang, Using MOVEit Vulnerability appeared first on Gridinsoft Blog.

Who are Lace Tempest hackers?

Microsoft is attributing attacks that exploit the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to the Lace Tempest cybercriminal group known for its ransomware and running the Clop leak site. “Lace Tempest” is the new name, according to Microsoft’s updated classification, for the grouping, better known as TA505, FIN11, or DEV-0950. Attackers have used similar vulnerabilities in the past to steal data and extort victims.

What is MOVEit MFT 0-day Vulnerability?

MOVEit Transfer is a Managed File Transfer (MFT) solution that allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP based downloads. It is believed that the attack that were using this breach began on May 27, during the long Memorial Day holiday in the United States. The same day, numerous organizations reported data leaks.

At the end of last week, Progress Software developers warned about the discovery of a critical vulnerability in MOVEit Transfer. According to them, exploitation of this vulnerability could lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the MOVEit zero-day vulnerability to remove specially crafted web shells on servers, allowing them to extract a list of files stored on the server, upload files, and steal credentials/secrets for configured Azure blob storage containers.

While it was unclear at the time who was behind the attacks, it was widely believed that the Clop ransomware was responsible for the attack due to similarities to previous attacks carried out by the group. After all, this group carried out two of the largest cyberattacks in the history of MFT platforms.

The first occurred in 2020, when Clop exploited the Accellion FTA zero-day vulnerability. The second happened in January of this year, also due to a zero-day vulnerability, but already in the Fortra GoAnywhere MFT. As a result of both attacks, Clop hackers took over the data of hundreds of organizations. We also wrote that FIN7 Hack Group Resumed Activity, Linked to Clop Ransomware and other media indicated that Clop ransomware operators leaked data from two universities.

What then?

At present, the extortion stage has not yet begun, and the victims have not yet received ransom demands. However, it is known that the Clop gang, if Microsoft has not mistaken in their judgments, waits several weeks after the theft. Perhaps hackers structure the stolen data and determine its value. And only when they are ready, they will send their demands to the heads of the affected companies by e-mail. fter the attack on GoAnywhere, it took a little over a month before the hackers published a list of victims on their leak site. This time, it is likely that you also need to wait a bit.

As a workaround, all clients are advised to block external traffic on ports 80 and 443 on the MOVEit Transfer server as soon as possible. At the same time, the developers warned that blocking these ports would prohibit external access to the web interface, interfere with some aspects of automation, block the API, and prevent the Outlook MOVEit Transfer plugin from working.

The post Microsoft Researchers Link Clop Gang to MOVEit Transfer Attack appeared first on Gridinsoft Blog.

What is MOVEit MFT?

MOVEit is a software solution that allows convenient and secure data transfer inside the organisation. The product under this brand name has a long story that begins in 2002, and on its path got the cloud storage feature and support of mobile platforms. Solutions of such kind gained significant popularity since the companies started bearing on electronic document management. Retaining diligent security level for that process is tremendously important, as such apps are used to transfer any kind of corporate documents.

MOVEit MFT 0-day Allows to Steal Data

According to the advisory published by the Progress, the vulnerability in MOVEit MFT allows for unauthorised access that ends up with remote code execution. The vulnerability also relies on two HTTP ports – 80 and 443. Known cases of this vulnerability usage were bearing on an SQL injection that grants hackers access to the MOVEit MySQL server. Researchers detected a sample of the webshell code uploaded to VirusTotal – it is completely undetected. The consequent requests to the database tries to pick the password, and once the input is correct, the door is open. After the successful penetration, hackers get access to the list of the files, and possess the ability to add new and download what is already present.

The list of the vulnerable and secure MOVEit versions is as follows:

Security Advisory for Vulnerable Versions

Aside from the update request, developers released a list of recommended actions. The only solution is banning the connections via the aforementioned 80 and 443 ports in the firewall rules. Though, it is not lossless – without the access through these ports, users will not be able to log into the web interface; built-in automation tasks as well as some of the APIs and add-ons will not work either. After this manipulation, Progress still recommends checking the logs for potential attempts of malignant access and updating the software.

The post MOVEit MFT 0-day Vulnerability is Used to Steal Corporate Data appeared first on Gridinsoft Blog.