At a glance.
- Hitachi Energy says zero-day bug allowed for ransomware attack.
- Could ransomware attackers’ extreme tactics be good news?
- Google Pixel flaw reveals edited image data.
- Cl0p's approach to its targets.
Hitachi Energy says zero-day bug allowed for ransomware attack.
On Friday Hitachi Energy disclosed it suffered a ransomware attack at the hands of the Cl0p hacking gang that potentially exposed employee data. The company says the attackers exploited a recently disclosed zero-day vulnerability in Fortra’s GoAnywhere managed file transfer software. SecurityWeek notes that the disclosure came after Cl0p listed Hitachi Energy as one of its victims on its Tor-based leak website. “Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack,” Hitachi Energy stated. It does not appear that customer data or network operations were impacted. The ransomware gang claims to have used the zero-day bug to breach over one hundred thirty organizations, and so far, digital financial firm Hatch Bank, healthcare provider Community Health Systems, and cybersecurity firm Rubrik have also come forward as victims of Cl0p attacks, though Community Health Systems has not yet been listed on the gang’s leak site.
Could ransomware attackers’ extreme tactics be good news?
As we previously discussed, the Black Cat ransomware group recently published naked photos of patients undergoing cancer treatment stolen in the recent attack on US medical provider Lehigh Valley Health Network, and the Medusa ransomware gang recently leaked sensitive student data stolen from Minneapolis Public Schools. Experts say that events like these illustrate just how far attackers are now willing to go to pressure their victims into meeting ransom demands. Brett Callow, a threat analyst for antivirus company Emsisoft, stated, “We really haven’t seen things like this before. Groups have done unpleasant things, but it was adults that were targeted, it wasn’t sick cancer patients or school kids.” However, Campus Safety Magazine notes that these desperate measures could also be a sign that declining to pay is actually the right strategy for victims of ransomware attacks. The US Federal Bureau of Investigation’s Internet Crime Complaint Center reported ransomware attacks have decreased from 3,729 in 2021 to 2,385 in 2022, and total financial losses fell from $49 million to $34.3 million. While the researchers at ransomware recovery company Coveware say there are many reasons the costs of ransomware attacks have fallen, refusal to pay up could be a contributing factor.
Google Pixel flaw reveals edited image data.
A UK cybersecurity researcher has discovered a bug in the image editing tool on Google’s Pixel phones. The tool, known as Markup, allows users to crop or edit photos or screenshots taken on the phone before publishing them or sending them to contacts. Markup writes the new, edited image over the old one, preventing the unedited image from being viewed. However, researcher David Buchanan has found that the bug could allow a user to view the old image by opening the old file and adding a single byte at the start before closing it. Using a purpose-written program for decompressing PNG data, someone could reconstruct blocks of the previous image, allowing them to extract and view the image data that was edited out. Depending on the reason for the editing, this data could be sensitive, such as the face of someone who has asked not to be included, or personal data such as a username or account ID. The good news is that Google has already released a patch for the flaw in the March 2023 Android security update. In addition to patching, Naked Security advises users to re-edit old images that were edited with the old version of Markup, and to consider using another device to edit especially sensitive images in the future. And of course, the simplest solution is to avoid taking pictures that include sensitive content.
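The check a defender would want after a story like this is whether an already-shared image still carries bytes beyond its final IEND chunk, which is where content from a previous, larger file survives when an edited image is written over it without truncating the original. The script below is an added example, not code from the researcher or from Google; it builds a constructed minimal PNG as offline sample input, simulates an in-place overwrite that leaves a tail behind, and reports how many bytes sit past IEND, without attempting to recover anything from them.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def trailing_bytes_after_iend(png: bytes) -> int:
    """Walk the chunk list and return the number of bytes found after IEND.

    A well-formed PNG ends exactly at the IEND chunk's CRC. Decoders ignore
    anything past that point, so leftovers there are invisible to a viewer
    but still present in the file (and in any copy of it that was shared).
    """
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return len(png) - end
        pos = end
    raise ValueError("no IEND chunk found")


def build_sample_png(width: int, height: int) -> bytes:
    """Constructed minimal 8-bit greyscale PNG used only as sample input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter 0 per row
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_sample_png(4, 4)
    original = build_sample_png(64, 64)
    # Simulate a smaller edited image written over a larger original without
    # truncation: the tail of the original survives after the new IEND.
    edited = clean + original[len(clean):]
    print("clean file:", trailing_bytes_after_iend(clean), "bytes after IEND")
    print("overwritten in place:", trailing_bytes_after_iend(edited), "bytes after IEND")
```

Any non-zero result on a real file means the image should be re-exported from a clean source before it is shared again.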
Cl0p's methods.
The Cl0p ransomware gang claims to have attacked Saks Fifth Avenue, BleepingComputer reports, but Saks says that only dummy data, not actual customer information, were compromised.
Terry Olaes, Product Marketing Manager at Skybox Security, comments on some recent attacks Cl0p has made against organizations, particularly retailers. "Retailers comprise up to 24.5% of material breaches, making them the largest number across any industry. This cyber-attack against Saks Fifth Avenue underscores the significance of taking a proactive stance in validating network exposure, prioritizing vulnerability remediation based on this exposure, and having flexibility in mitigating the risk (application patch vs firewall block)," Olaes writes. "It is essential to prioritize network accessibility, exposure, exploitability, and commercial impact in order to guarantee that the full threat environment is assessed. By aiding in the prioritization of the urgency of vulnerability mitigation, the development of exposure-based risk scores can considerably improve the efficacy and durability of vulnerability management programs. Retailers who take a proactive approach to cybersecurity will be better equipped to safeguard one of their most important assets: customer data. With the help of these techniques, retail companies can create advanced cybersecurity programs that protect them from the evolving risks this sector is now facing, including the rising number of ransomware attacks that can lead to data breaches."
(Added, 9:00 PM ET, March 22nd, 2023. Randy Watkins, Critical Start’s CTO, notes the way Cl0p has grown increasingly interested in third-party breaches. "Third-party breaches have gained traction as attackers leverage these vendors to access targeted organizations, whether it be through supply chain manufacturers or third-party business entities," Watkins said. "While the victims of these attacks have little to no control over how protected these vendors are, they can develop secure communication plans and technical vetting to evaluate the risks each third party brings. Having visibility into all third-party software and monitoring accounts with any level of privilege will also allow organizations to mitigate these types of attacks.")