Paul C Dwyer

What is all this Cyber Clop?

"Clop," a notorious group of cybercriminals, has recently claimed responsibility for the MOVEit data-theft attacks, highlighting their persistent threat to organisations worldwide. Known to industry experts to have affiliates such as 'Lace Tempest,' 'TA505,' and 'FIN11,' this group employs sophisticated "ransomware" (malicious software that locks a user out of their system until a ransom is paid) to conduct their illicit activities.

Their recent attack, exploiting a previously unidentified weakness (known as a 'zero-day vulnerability') in MOVEit Transfer servers, resulted in extensive data theft from hundreds of companies worldwide. This isn't the first time Clop has capitalised on holiday periods to launch their attacks, taking advantage of reduced staff numbers to slip under the radar.

Victims of these attacks who refuse to pay a ransom will find their confidential information displayed on Clop's data leak site. However, it seems Clop's criminals are taking a breather, delaying the extortion process while they sift through the stolen data for valuable pieces that might encourage a hefty ransom.

It's worth noting that, while Clop has its roots in ransomware operations, their recent actions suggest a shift towards data-theft extortion. This strategy involves stealing sensitive data and threatening to publicise it unless a ransom is paid.

Several victims of the MOVEit data theft have already come forward. UK payroll and HR solutions provider, Zellis, confirmed their own data breach due to Clop's attacks, affecting a number of their customers. Other companies impacted include Aer Lingus and British Airways, both confirming that they were also affected by the Zellis breach.

While Clop has been investigating ways to exploit vulnerabilities in MOVEit Transfer managed file transfer (MFT) solutions since 2021, this latest attack using the zero-day vulnerability has been their most potent yet.

The Clop group has grown to infamy over the last three years, renowned for high-profile attacks on global organisations in various industries. By employing multi-level extortion techniques, the group has amassed an estimated total of US$500 million in illegal payouts by November 2021.

Despite successful efforts by a global coalition to arrest six members of the group in Ukraine in June 2021, the criminal activities of Clop have continued undeterred. Therefore, businesses worldwide must adopt a proactive cybersecurity approach to counter these ongoing threats.

How Can Businesses Protect Themselves from this Threat?

Here are some key steps:

Inventory: Understand what assets and data your company has, identifying both authorised and unauthorised devices and software.

Monitor: Monitor network ports, protocols, and services and ensure your network infrastructure devices have proper security configurations.

Configure and Manage: Carefully manage hardware and software configurations, and restrict admin privileges to only necessary personnel.

Vulnerability Management: Regularly perform vulnerability assessments and keep your systems updated with the latest patches and updates.

Protect for Recovery: Implement data protection measures, including robust backup and recovery procedures. Enable multifactor authentication to add an extra layer of security.

Secure with Automation: Employ advanced technologies such as AI and machine learning to detect early signs of an attack, and sandbox analysis to block malicious emails. Keep all security solutions up-to-date.

Be Prepared: Regularly train your employees on security protocols, and conduct red-team exercises and penetration tests to identify potential weaknesses.
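The Inventory and Monitor steps above both come down to knowing what each system is supposed to expose and noticing when reality drifts from that. The script below is an added example written for this post, not code from the author; it compares a documented baseline of approved listening services with an observed snapshot and reports unauthorised listeners, expected services that have vanished, and ports where the process behind them has changed. The host names, ports, service labels and snapshot lines are constructed sample data; in practice the snapshot would be built from the output of a tool such as ss or netstat collected from each host.

```python
"""Listening-service drift check (added example, not from the original post).

Compares a baseline of approved (host, protocol, port) -> service entries with an
observed snapshot and reports what a defender should investigate.  All hosts,
ports and services below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed baseline: what each host is approved to expose.
# Keys are (host, protocol, port); values are the expected service name.
BASELINE = {
    ("mft-01", "tcp", 443): "moveit-https",  # hypothetical managed file transfer host
    ("mft-01", "tcp", 22): "sshd",
    ("db-01", "tcp", 1433): "mssql",
}

# Constructed snapshot, one listener per line: "host proto port service".
# Lines starting with '#' are treated as comments.
SNAPSHOT = """\
# collected from hosts during a scheduled scan (constructed sample)
mft-01 tcp 443 moveit-https
mft-01 tcp 22 sshd
mft-01 tcp 8443 unknown-listener
db-01 tcp 3389 rdp
"""


@dataclass(frozen=True)
class Listener:
    host: str
    proto: str
    port: int
    service: str


def parse_snapshot(text):
    """Parse the whitespace-separated snapshot format into Listener records.

    Malformed lines are skipped rather than aborting the whole check, so one bad
    collector line does not hide drift elsewhere.
    """
    listeners = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        host, proto, port, service = fields
        listeners.append(Listener(host, proto.lower(), int(port), service))
    return listeners


def find_drift(baseline, listeners):
    """Return listeners not in the baseline, baseline entries not observed,
    and observed ports whose service differs from the approved one."""
    observed = {(l.host, l.proto, l.port): l.service for l in listeners}
    unauthorised = sorted(key for key in observed if key not in baseline)
    missing = sorted(key for key in baseline if key not in observed)
    mismatched = sorted(
        key for key in observed if key in baseline and observed[key] != baseline[key]
    )
    return {"unauthorised": unauthorised, "missing": missing, "mismatched": mismatched}


def report(drift):
    """Render the drift dictionary as plain text for a ticket or alert."""
    lines = []
    for category, entries in drift.items():
        for host, proto, port in entries:
            lines.append(f"{category}: {host} {proto}/{port}")
    return "\n".join(lines) if lines else "no drift detected"


if __name__ == "__main__":
    print(report(find_drift(BASELINE, parse_snapshot(SNAPSHOT))))
```

Running it against the constructed snapshot flags the unexpected listener on mft-01 and the RDP service on db-01 as unauthorised, and reports the approved database port as missing. Feeding the check from a scheduled collector and routing non-empty reports into the same queue as other alerts turns the Inventory and Monitor advice into something that runs every day rather than once a year.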

In summary, the threat posed by the Clop group and similar cybercriminals is real and ongoing. However, by staying vigilant, keeping up-to-date with the latest cybersecurity strategies, and maintaining robust security measures, businesses can minimise the risk of falling victim to these cyber-attacks.