Most often, ransomware attacks target a single organization, attempting to breach its network, steal its data, encrypt all files, and initiate the extortion process.
However, there’s a growing trend of supply chain breaches on service or software providers, with ransomware actors finding a single point of compromise that opens up numerous infection opportunities in multiple companies using the breached entity’s products.
This gives ransomware actors two main advantages: amplification, since a single intrusion can reach a large number of organizations at once, and evasion, since the malicious code arrives through a trusted vendor channel instead of having to defeat each target's own perimeter defenses.
2023 has already produced notable examples on that front, resulting in large-scale security incidents whose full ramifications are still being assessed as they unfold.
Clop ransomware enters through GoAnywhere
In February 2023, the Clop ransomware gang claimed to have exploited a zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT managed file transfer product, a pre-authentication remote code execution flaw reachable through the product's administrative console. The threat actors claimed that, by leveraging the flaw, they breached 130 organizations and stole sensitive data from their systems.
Since that announcement, several of the organizations targeted by Clop have confirmed that they are being extorted under threat of having their confidential data published. Organizations that have disclosed impact so far include Community Health Systems (CHS), Hatch Bank, Rubrik, the City of Toronto, Hitachi Energy, Procter & Gamble, Saks Fifth Avenue, and Crown Resorts.
It is worth noting that Clop ran a similar campaign in December 2020 using zero-day flaws in the Accellion FTA file transfer appliance, breaching roughly 100 organizations, including Shell, Kroger, Qualys, and several universities.
3CX VoIP client trojanized, North Korea suspected
At the end of March 2023, 3CX customers fell victim to a supply chain attack involving a trojanized version of the vendor's desktop VoIP client, 3CXDesktopApp. 3CX reports serving over 12 million users at high-profile companies including Coca-Cola, McDonald's, the NHS, Mercedes-Benz, Air France, American Express, Toyota, Wilson, and BMW.
The malware dropped via the trojanized installer is an information stealer that collects system details and account data from web browsers, which can be used for account takeover and deeper network infiltration. Credential harvesting of this kind is a standard step in the TTPs (tactics, techniques, and procedures) of most ransomware gangs before the file-encrypting payload is deployed; however, at the time of writing the threat actors behind this attack have not been conclusively identified.
CrowdStrike analysts suspect a North Korean state-backed espionage group, whereas Sophos says there is not yet enough evidence to attribute the attack to any known threat group.
Managed Service Providers in the crosshairs
Managed Service Providers (MSPs) are very attractive targets for supply chain ransomware attacks, as they provide IT services to multiple clients and hence can act as entrance points to multiple organizations.
Past examples of supply chain attacks with wide-ranging impact include the SolarWinds compromise (a backdoored Orion software update, discovered in December 2020, used for espionage against companies and government agencies worldwide) and the Kaseya incident (the July 2021 REvil ransomware attack that reached MSP clients through the Kaseya VSA remote management tool).
Cyber-intelligence firm KELA has recently published a report highlighting a rising cybercrime trend on the dark web where initial access brokers increasingly target, compromise, and sell access to MSP networks.
The analysts spotted offers on cybercriminal markets ranging between $1,000 and $15,000, depending on the compromised MSP and its clientele. This is significantly higher than the median price of $300 for access to a single organization.
Targeted organizations can reduce the risk by improving logging and monitoring (in particular of remote-management and vendor accounts), enforcing multifactor authentication, applying the principle of least privilege to user and vendor access, commissioning risk assessments from independent experts, and having a solid incident response plan in place.
MonsterCloud, an expert in ransomware removal and data restoration, has the capacity to handle wide-impact attacks and mitigate the effects of supply chain breaches. We can help at both ends of the security incident, from the compromised vendor to the impacted clients, aiding in speedy system cleanup and restoration.
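As an added example (not part of the original article and not MonsterCloud's or any vendor's tooling), the Python script below turns three of those controls into detection rules and runs them over constructed authentication log lines: it flags successful logins without MFA, vendor/MSP accounts seen from outside their allowlisted source ranges, and admin-level logins by accounts that are not on an approved admin list. The account names, IP ranges, log format and log lines are all made up for the example; the one malformed line shows that a corrupted record is skipped rather than aborting the scan.

```python
"""Detection rules for vendor/MSP account misuse, run over constructed log lines.

Added example, not from the article. Everything below (accounts, allowlists,
log format, log lines) is hypothetical.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterator

# Hypothetical policy data: accounts used by external MSPs/vendors and the
# source ranges each one is contractually allowed to connect from.
VENDOR_SOURCE_ALLOWLIST = {
    "svc-msp-rmm": [ip_network("203.0.113.0/24")],
    "svc-backup-vendor": [ip_network("198.51.100.0/24")],
}
# Least privilege: only these accounts may hold the "admin" privilege level.
APPROVED_ADMINS = {"alice.admin", "svc-msp-rmm"}

# Constructed sample log lines (one JSON object per line), not real telemetry.
SAMPLE_LOGS = """\
{"ts": "2023-04-03T02:14:07Z", "user": "svc-msp-rmm", "src": "203.0.113.17", "mfa": true, "result": "success", "privilege": "admin"}
{"ts": "2023-04-03T02:20:41Z", "user": "svc-msp-rmm", "src": "203.0.113.20", "mfa": false, "result": "success", "privilege": "admin"}
{"ts": "2023-04-03T03:02:19Z", "user": "svc-backup-vendor", "src": "192.0.2.44", "mfa": true, "result": "success", "privilege": "user"}
{"ts": "2023-04-03T03:05:55Z", "user": "svc-backup-vendor", "src": "198.51.100.9", "mfa": true, "result": "success", "privilege": "admin"}
{"ts": "2023-04-03T08:15:02Z", "user": "alice.admin", "src": "10.0.0.5", "mfa": true, "result": "success", "privilege": "admin"}
this line is corrupted and must be skipped, not crash the scan
{"ts": "2023-04-03T09:41:30Z", "user": "bob", "src": "10.0.0.8", "mfa": false, "result": "success", "privilege": "user"}
{"ts": "2023-04-03T11:12:00Z", "user": "svc-msp-rmm", "src": "192.0.2.1", "mfa": false, "result": "failure", "privilege": "admin"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    rule: str
    detail: str


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per well-formed JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def source_allowed(user: str, src: str) -> bool:
    """True if src is inside one of the user's allowlisted networks.

    Accounts without an allowlist entry are internal and not source-restricted here.
    An unparsable source address is treated as not allowed.
    """
    nets = VENDOR_SOURCE_ALLOWLIST.get(user)
    if nets is None:
        return True
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def check_event(ev: dict) -> list[Finding]:
    """Apply the three rules to a single event and return any findings."""
    findings: list[Finding] = []
    user, ts, src = ev.get("user", "?"), ev.get("ts", "?"), ev.get("src", "")
    success = ev.get("result") == "success"
    # Rule 1: every successful login must have used MFA (failed attempts are not judged here).
    if success and not ev.get("mfa", False):
        findings.append(Finding(ts, user, "no-mfa", "successful login without MFA"))
    # Rule 2: vendor accounts may only appear from their allowlisted ranges, even on failures.
    if user in VENDOR_SOURCE_ALLOWLIST and not source_allowed(user, src):
        findings.append(Finding(ts, user, "vendor-unknown-source", f"vendor account seen from {src}"))
    # Rule 3: admin-level access is limited to the approved admin set.
    if success and ev.get("privilege") == "admin" and user not in APPROVED_ADMINS:
        findings.append(Finding(ts, user, "unapproved-admin", "admin login by account outside approved set"))
    return findings


def scan(text: str) -> list[Finding]:
    """Run the rules over every well-formed event in the log text, in log order."""
    out: list[Finding] = []
    for ev in parse_events(text):
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.ts} {f.rule:<22} {f.user:<18} {f.detail}")
```

Run as a script it prints five findings: the RMM account logging in without MFA, the backup vendor arriving from an unknown range and later holding admin it was never approved for, an internal user without MFA, and a failed attempt against the RMM account from outside its allowlist. In practice the same rules would be fed from an identity provider's sign-in log or a SIEM export, and the allowlists from the vendor contract and the last access review.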
Sources:
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://ke-la.com/attacks-on-msps-how-threat-actors-kill-two-birds-and-more-with-one-stone/
- https://www.3cx.com/blog/news/desktopapp-security-alert/
- https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/