British Airways, the BBC and Boots have been given ultimatums after being hit by a supply chain attack by the Clop ransomware group. In a post on their dark web portal, the cybercriminal group warned affected organizations to get in touch by June 14 or risk having their stolen data released. The data is believed to contain personal information, including names, bank details, addresses and social security numbers.
The security breach also affects UK payroll service provider Zellis, Dublin-based Aer Lingus, the University of Rochester and the Nova Scotia government.
Confirming the attack, Zellis, whose clients include Jaguar Land Rover, Harrods and Dyson, reassured customers that the breach did not affect other critical components of their IT ecosystem.
“We can confirm that some of our customers have been affected by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no related incidents or compromises to other parts of our IT assets,” Zellis said in a statement.
“We have been informed that we are one of the companies affected by the Zellis cyber security incident that occurred through their third party supplier MOVEit,” British Airways told Sky News.
How did this supply chain attack happen?
Clop exploited an SQL injection vulnerability (CVE-2023-34362) in popular business software MOVEit and gained access to its servers. MOVEit software is designed to securely move sensitive files and is popular worldwide, with most of its customers in the US and Europe.
The US Cybersecurity and Infrastructure Security Agency warned last week that hackers had found a vulnerability in the MOVEit Transfer tool and urged users around the world to look for ways to protect their sensitive information from a potential supply chain attack.
Who is the Clop ransomware group and what do they want?
Clop is a Russian-based ransomware team that has been linked to numerous data breaches targeting leading business organizations around the world. In February 2023, Clop claimed responsibility for a supply chain attack that affected more than 130 organizations, including patient data held by CHS Healthcare. The group also had a role in the 2020 data breach of the Accellion file transfer appliance, which affected around 100 organisations, including Shell, Kroger and the Australian Securities and Investments Commission. In another major attack reported by The Daily Mail, the group was responsible for putting sensitive medical records of NHS patients on the dark web after the NHS refused to give in to their £3m ransom demand.
Following this recent attack, the group took to its dark web portal to call out companies using MOVEit for business file transfers: “Dear MOVEit companies!” The statement continues by asking users of the MOVEit software to contact the group at the email addresses provided. When contacted, users receive a chat URL that they can use to initiate negotiations on an anonymous browser network. Clop stresses that this must be done by June 14; otherwise, the ransomware group will publish the names of those who do not comply.
A growing wave of supply chain attacks
In recent years, supply chain attacks have become a growing concern in the field of cybersecurity. Attacks against SolarWinds, Log4j and Codecov are noteworthy. Supply chain attacks are particularly attractive to cybercriminals because they offer multiple rewards for a single breach.
A recent software supply chain attack report from Statista noted that the global number of software packages affected by supply chain attacks jumped significantly between 2019 and 2022, rising from 702 to 185,572 (Figure A). Additionally, between January and March 2023, supply chain cyberattacks affected approximately 17,150 software packages.
What organizations can do to mitigate cyber attacks
Given the increasing rate of supply chain attacks, organizations are advised to adopt best practices to maintain their security. Below are some best practices that your organization can use.
Implement a zero trust architecture
A zero-trust architecture (ZTA) is designed to operate on the assumption that all network activity is potentially malicious. It takes a strict approach in which every connection request must satisfy a set of policies before being granted access to organizational resources, regardless of where the request originates.
Essentially, ZTA relies on three key components – the Policy Engine, the Policy Administrator and the Policy Enforcement Point – that work together as a decision-making system and evaluate network traffic based on rules defined by the Trust Algorithm. By implementing ZTA, organizations can create a robust security framework that does not assume internal trust and verifies all network activity against pre-defined policies before granting access to valuable resources.
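The three ZTA components described above, as an added example that is not part of the original article: a toy Trust Algorithm scores each request from explicit signals, a Policy Engine compares the score against the resource's threshold, a Policy Administrator issues or withholds a session, and the Policy Enforcement Point acts on that decision. Resource names, thresholds and the corporate IP prefix are assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical access request as seen by the Policy Enforcement Point (PEP).
@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_passed: bool
    device_compliant: bool
    source_ip: str

# Assumed resource sensitivity: the minimum trust score the Policy Engine demands.
RESOURCE_MIN_TRUST = {"payroll-db": 80, "wiki": 40}

# Assumed corporate address range. Being "inside" adds a little trust but is never
# sufficient on its own, which is the point of not assuming internal trust.
CORP_PREFIX = "10.0."

def trust_score(req: AccessRequest) -> int:
    """Trust Algorithm: every request starts at zero and earns trust only from evidence."""
    score = 0
    if req.mfa_passed:
        score += 50
    if req.device_compliant:
        score += 30
    if req.source_ip.startswith(CORP_PREFIX):
        score += 20
    return score

def policy_engine(req: AccessRequest) -> bool:
    """Policy Engine: grant only if the score meets the resource's threshold; unknown resources are denied."""
    threshold = RESOURCE_MIN_TRUST.get(req.resource)
    if threshold is None:
        return False
    return trust_score(req) >= threshold

def policy_administrator(req: AccessRequest) -> dict:
    """Policy Administrator: turn the engine's decision into a session grant or a denial."""
    allowed = policy_engine(req)
    session = f"sess-{req.user}-{req.resource}" if allowed else None
    return {"allowed": allowed, "session": session}

def pep_enforce(req: AccessRequest) -> str:
    """Policy Enforcement Point: the only place the connection is actually opened or refused."""
    return "ALLOW" if policy_administrator(req)["allowed"] else "DENY"

if __name__ == "__main__":
    print(pep_enforce(AccessRequest("alice", "payroll-db", True, True, "10.0.5.12")))
    print(pep_enforce(AccessRequest("bob", "payroll-db", False, True, "10.0.5.13")))
```

Note that the second request is denied even though it comes from the corporate range and a compliant device: without MFA it cannot reach the payroll threshold.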
Deploy honeytokens
Honeytokens serve as a detection mechanism that notifies organizations of suspicious activity within their network. These decoys mimic valuable data and trick attackers into believing they have access to valuable assets. Honeytokens can be in the form of fake database data, email addresses, and executable files. Once attackers interact with these decoy resources, an alert is triggered to notify the targeted organization of the attempted incident.
By using the honeytoken, organizations receive early warnings of potential data breaches and gain insight into the specific methods used by attackers. With this valuable information, organizations can identify targeted resources and implement customized incident response strategies to effectively combat each cyber attack technique.
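The honeytoken types listed above (a decoy database record, a decoy mailbox and a decoy credential) and the alerting they enable, as an added example that is not part of the original article. The token values and log lines are constructed; the scanner raises an alert for any log entry that references a decoy, since no legitimate process should ever touch one, and pulls out the actor's IP address where the line carries it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Decoys planted where an intruder would rummage. All values are constructed
# for this example; none belongs to a real system.
HONEYTOKENS = {
    "fake-db-row":  "cust-00000-HT",                  # decoy customer id in a database table
    "fake-mailbox": "finance-archive@example.test",   # decoy address in the address book
    "fake-api-key": "AKIAHONEYTOKEN0000EXAMPLE",      # decoy credential left in a config file
}

@dataclass
class Alert:
    token_name: str
    source: str
    actor: Optional[str]   # IP address seen on the log line, if any
    line: str

# Constructed sample log lines: a DB audit log, a mail log and an API gateway log.
SAMPLE_LOGS = [
    ("db-audit", "2023-06-07T02:14:09Z user=svc_report SELECT * FROM customers WHERE id='cust-00000-HT'"),
    ("mail",     "2023-06-07T02:15:31Z RCPT TO:<finance-archive@example.test> client=198.51.100.7"),
    ("api-gw",   "2023-06-07T02:16:02Z 203.0.113.9 GET /v1/export auth=AKIAHONEYTOKEN0000EXAMPLE"),
    ("db-audit", "2023-06-07T08:00:00Z user=payroll SELECT name FROM customers WHERE id='cust-12345'"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_logs(logs, tokens=HONEYTOKENS):
    """Return one Alert per log line that mentions a honeytoken. Any hit is suspicious
    by construction, so there is no allow-list to maintain."""
    alerts = []
    for source, line in logs:
        for name, value in tokens.items():
            if value in line:
                ip = IPV4.search(line)
                alerts.append(Alert(name, source, ip.group(0) if ip else None, line))
    return alerts

def summarize(alerts):
    """Group hits by log source so responders see which decoy was touched where."""
    summary = {}
    for a in alerts:
        summary.setdefault(a.source, []).append(a.token_name)
    return summary

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"[HONEYTOKEN HIT] {a.token_name} via {a.source} actor={a.actor}: {a.line}")
```

The fourth sample line, a normal query against a real-looking record, produces no alert, which is what keeps honeytoken detections low-noise.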
Conduct third-party risk assessments regularly
Sometimes third-party software vendors don’t take cybersecurity as seriously as the organizations they serve. This can undermine organizations that put security first. Therefore, organizations must ensure that their third-party software vendors remediate any exploitable security holes in their products. They should also evaluate vendor risk assessment reports prepared by a reputable governance, risk and compliance organization. This helps uncover the security posture of each vendor and provides additional information about vulnerabilities that need to be patched.
Automate third-party attack surface monitoring
An organization’s attack surface includes the vulnerabilities, paths, and methods that hackers can exploit to gain unauthorized network access, compromise sensitive data, or conduct cyberattacks. Third-party software and services extend that attack surface and add complexity to the threat landscape. With an automated attack surface monitoring solution, these complexities can be reduced, making it easier to detect hidden vulnerabilities. Risk management solutions that automate third-party attack surface monitoring include OneTrust, Venminder, BitSight and UpGuard.
Exercise due diligence and strong contractual agreements when selecting third-party vendors
Conduct a robust due diligence process when selecting external vendors or partners. This includes evaluating the vendor’s security controls, policies and practices. Depending on the industry, organizations must verify that the vendor meets certain security requirements, such as ISO 27001, NIST SP 800-171, and PCI DSS. This reveals their commitment to information security standards.
In addition to due diligence when selecting a software vendor, organizations should have solid contractual agreements with their third-party vendors or partners. These agreements should clearly outline security requirements, data protection obligations and the consequences of non-compliance, and include provisions for regular audits and assessments to ensure ongoing compliance.