Cyber-security experts believe that Clop mounted the attack by exploiting a 'zero-day' vulnerability (a flaw the vendor did not yet know about and had not patched) in MOVEit, the third-party file-transfer software that payroll provider Zellis uses. The Clop gang has issued an ultimatum to all those affected: begin ransom negotiations before 14 June or see their employees' data published online. Many cyber-security analysts believe the fallout from the incident is far from over and that its impact could prove far more severe and widespread than initially thought.
Who is affected?
Tens of thousands of employees at the BBC, British Airways, Aer Lingus and Boots have fallen victim to a significant data breach following a cyber-attack on HR and payroll service provider Zellis. Like many businesses, Zellis relies on the widely used file-transfer tool MOVEit to share large files over the internet. By exploiting a 'zero-day' vulnerability in MOVEit, the hackers gained unauthorised access to an affected MOVEit server's database and stole the sensitive HR and payroll data held there.
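Mass theft of data through a file-transfer server tends to show up in that server's own access logs as bulk downloads that are out of all proportion to any normal client. The script below is an added example and not code from the original page, from Zellis or from the MOVEit vendor: it parses a handful of constructed W3C-extended log lines (the format IIS writes), totals bytes sent per client address, and flags any address whose total is both above an absolute floor and far above the median client. The sample log, URI paths, addresses and thresholds are all assumptions made for the illustration.

```python
"""Flag clients pulling bulk data off a file-transfer web server (added example).

The sample log, URI paths, addresses and thresholds below are constructed
assumptions, not data from any real incident.
"""
import statistics
from collections import defaultdict

# Constructed sample: one client drains the server while others behave normally.
SAMPLE_LOG = """#Software: constructed sample, not a real server log
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-05-28 02:10:11 203.0.113.5 GET /api/v1/files/1001/download 200 524288
2023-05-28 02:10:12 203.0.113.5 GET /api/v1/files/1002/download 200 1048576
2023-05-28 02:10:13 203.0.113.5 GET /api/v1/files/1003/download 200 734003200
2023-05-28 02:10:14 203.0.113.5 GET /api/v1/files/1004/download 200 912261120
2023-05-28 08:30:01 198.51.100.10 GET /api/v1/files/2001/download 200 204800
2023-05-28 08:31:15 198.51.100.10 POST /api/v1/files 201 0
2023-05-28 09:02:44 198.51.100.11 GET /api/v1/files/2002/download 200 1310720
2023-05-28 09:05:00 198.51.100.12 GET /api/v1/files/2003/download 200 98304
2023-05-28 09:40:21 198.51.100.13 GET /api/v1/files/2004/download 404 0
2023-05-28 10:00:00 198.51.100.14 GET /api/v1/files/2005/download 200 2097152
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of {field: value} dicts.

    The '#Fields:' directive names the columns, so no fixed column order is
    assumed. Other '#' directives are skipped; malformed rows are dropped
    rather than misaligned.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def bytes_per_client(rows):
    """Total response bytes per client IP, counting only 2xx responses.

    Every client that appears in the log gets an entry, even with zero bytes,
    so that the population used for the median is the real client population.
    """
    totals = defaultdict(int)
    for row in rows:
        ip = row["c-ip"]
        totals[ip] += 0
        status = int(row.get("sc-status", 0))
        if 200 <= status < 300:
            totals[ip] += int(row.get("sc-bytes", 0))
    return dict(totals)


def flag_bulk_downloaders(totals, min_bytes=100 * 2**20, ratio=20):
    """Return [(ip, bytes)] for clients far above the rest, largest first.

    Both tests are needed: with a median of zero (most clients transferred
    nothing) the ratio test alone would flag everyone, and with a large
    median the absolute floor alone would flag ordinary heavy users.
    """
    if not totals:
        return []
    median = statistics.median(totals.values())
    flagged = [(ip, b) for ip, b in totals.items()
               if b >= min_bytes and b >= ratio * median]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    totals = bytes_per_client(parse_w3c(SAMPLE_LOG))
    for ip, sent in flag_bulk_downloaders(totals):
        print(f"bulk download: {ip} received {sent / 2**20:.0f} MiB")
```

On real logs the floor and ratio would be tuned to the server's normal traffic, and the per-client totals would be computed over a sliding window rather than the whole file; the point is that exfiltration of an entire file store is rarely invisible in the transfer server's own records.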
The Clop gang strikes again
Clop, one of several ransomware gangs that target large organisations, has been making headlines since it first emerged in February 2019.
Characteristically, the gang launches a ransomware attack that encrypts the target organisation's files and servers, then demands an extortion payment to unlock the encrypted data. In this instance, however, it did not deploy ransomware at all. Instead, it found and exploited a previously unknown software vulnerability to gain access to sensitive company and employee data. According to media reports, it is now threatening to publish or sell the victims' stolen data on the Dark Web unless its ransom demands are met. Clop has previously told the cyber-security publication BleepingComputer that, although it started as a ransomware operation, it is shifting from encryption to data-theft extortion.
Third-party software applications are a preferred target for cyber-criminals
The fact that the vulnerability Clop used to steal sensitive data from these organisations lay in third-party software, not in their own IT networks, is a salutary lesson. Businesses understandably focus on maintaining a solid network perimeter and robust in-house systems and trust that their third-party vendors are doing the same. When a vendor's product contains a flaw, or its own security practices fall short, every customer running that product is exposed to attack and exploitation as an instrument of data theft and extortion. Organisations therefore need to satisfy themselves that the third-party vendors they use adhere to stringent cyber-security practices. Vetting a vendor cannot rule out a zero-day in its code, though, so they also need to know which third-party systems hold or move their sensitive data, restrict what those systems can reach, and apply vendor patches promptly when a fix is released.
It's not just big corporations that cyber-crime gangs target
Manufacturers, hospitals, government agencies, legal firms, charities and schools are particularly susceptible to a ransomware attack, especially if they hold sensitive personal information that hackers can encrypt or steal to extort money. These organisations also tend to have smaller IT security teams and a varied user base (such as homeworkers, contractors, etc) where a lot of file-sharing may take place, making it easier for hackers to find and exploit vulnerabilities in the organisation’s defences. And even if you don’t fall into this category, you may still fall victim to a data breach or ransomware attack.
Mitigating the risks of ransomware attacks and compromised third-party software
There are defensive steps you can take to reduce both the likelihood and the impact of data breaches and ransomware infection:
- Keep operating systems and applications patched and up to date, giving priority to internet-facing software such as file-transfer servers, so that attackers have fewer vulnerabilities to exploit.
- Don't install third-party software, or give it administrative privileges, until you've conducted due diligence to ensure the vendor adheres to rigorous cyber-security standards; once installed, run it with the least privilege and the least network access it needs.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and application allowlisting software, which prevents unauthorised applications from executing in the first place.
- Provide your employees with cyber-security training to help them recognise the signs of a cyber-attack and avoid phishing email scams.
- Get comprehensive cyber-insurance to ensure that your organisation has the means to recover from a cyber-attack.
And, of course, back up your files, frequently and automatically, keeping at least one copy offline or otherwise immutable so that ransomware cannot encrypt the backups along with the originals. Backups won't stop a malware attack, and they offer no protection against the data-theft extortion seen in this incident, but they can make the damage caused by an encryption attack much less significant.
How Clear can help
Our cyber-insurance specialists can work with you to design a risk management programme to provide protection for your organisation. For more information visit our cyber-liability insurance page.