At a glance.
- North Korean threat actor launches supply chain attack.
- Mallox ransomware.
- A look at Cl0p.
- IBM on the cost of a data breach.
North Korean threat actor launches supply chain attack.
Mandiant describes a supply chain attack that began with a spearphishing campaign against identity and access management provider JumpCloud. The researchers believe the attack was launched by a North Korean threat actor: "Mandiant attributed these intrusions to UNC4899, a Democratic People's Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical. Mandiant assesses with high confidence that UNC4899 is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB). Based on reporting from trusted partners, UNC4899 likely corresponds to TraderTraitor, a financially motivated DPRK threat group that primarily targets blockchain-related companies." JumpCloud and its incident response partner CrowdStrike have also attributed the attack to North Korea.
JumpCloud says the attack affected fewer than ten devices belonging to five different customers, including a US-based software solutions provider. According to Decipher, the attackers targeted "MacOS keychains and reconnaissance data associated with executives and internal security teams at the unnamed software customer."
Mallox ransomware.
Palo Alto Networks' Unit 42 is tracking an increase in the activities of the Mallox ransomware gang. Mallox ransomware attacks have increased by 174% in 2023 compared to the second half of 2022. The researchers note that the gang "is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims' networks." Unit 42 states, "Since its emergence in 2021, the Mallox group has kept the same approach to gaining initial access: The group targets unsecured MS-SQL servers to infiltrate a network. These attacks start with a dictionary brute force attack, trying a list of known or commonly used passwords against the MS-SQL servers. After gaining access, the attackers use a command line and PowerShell to download the Mallox ransomware payload from a remote server."
Mallox conducts double extortion attacks, and, in an interview with SuspectFile, claimed to have compromised thousands of victims. The group is now recruiting affiliates on underground forums in order to expand its operations.
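Because Mallox's initial access is a dictionary brute force against exposed MS-SQL servers, the earliest defender-side signal is a burst of failed logins from one client address in the SQL Server ERRORLOG. The following detector is an added example, not Unit 42's or the original post's code; it assumes the standard ERRORLOG line format ("Login failed for user '...' ... [CLIENT: <ip>]") and the log lines it runs on are constructed samples, not real data.

```python
# Added example (not from Unit 42 or the original post): flag dictionary
# brute-force attempts against MS-SQL by counting failed logins per client
# address within a sliding time window over SQL Server ERRORLOG-style lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the ERRORLOG "Login failed" line; "Error: 18456" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) +Logon +"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[\d.]+)\]"
)

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_window, sorted user names tried)} for every
    client address with at least `threshold` failed logins inside any
    `window_seconds` window. Distinct user names from one source are the
    tell-tale of a password list being walked rather than a typo."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> login names attempted
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a failed-login line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        users[ip].add(m["user"])
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()           # age out failures older than the window
        if len(q) >= threshold:
            hits[ip] = (len(q), sorted(users[ip]))
    return hits

# Constructed sample log (RFC 5737 test addresses); six failures from one
# source in under four seconds, one isolated failure from another.
SAMPLE_LOG = """\
2023-07-20 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-07-20 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:02.91 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:04.02 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:04.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:20:11.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

if __name__ == "__main__":
    for ip, (count, names) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins in window, users tried: {names}")
```

Feeding the same detector Windows Security log 4625 events (or SQL audit output) only needs a different `LINE_RE`; the windowing logic is unchanged.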
A look at Cl0p.
Fortinet’s FortiGuard Labs has published a report on the Cl0p ransomware gang. The Cl0p ransomware is associated with the FIN11 cybercrime group, and appears to be a descendant of the CryptoMix ransomware. The gang has been conducting a widespread data theft extortion campaign leveraging a recently disclosed MOVEit Transfer vulnerability (CVE-2023-34362).
The gang recently shifted its monetization strategy, and now focuses on stealing data for extortion rather than executing ransomware: “At some stage in its operations, the FIN11 group revised its strategy of deploying ransomware and shifted to purely exfiltrating information from victims for extortion. In fact, there is no evidence that the Cl0p ransomware was deployed when the MOVEit Transfer vulnerability was recently exploited.”
Cl0p currently has over 400 victims listed on its data leak site, most of which are located in the US and Europe: “According to data collected through Fortinet's FortiRecon service, the Cl0p ransomware group preyed on several industry sectors between January and June 2023, with business services leading the way, followed by software and finance. When victim organizations are classified by country, the United States is in first place by a significant margin.”
IBM on the cost of a data breach.
IBM has published its Cost of a Data Breach report for 2023, finding that the average cost of a breach in 2023 is US$4.5 million. The researchers state, “This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Taking a long-term view, the average cost has increased 15.3% from USD 3.86 million in the 2020 report.”
The healthcare industry, however, has seen a 53.3% increase in data breach costs since 2020: “The highly regulated healthcare industry has seen a considerable rise in data breach costs since 2020. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of USD 10.93 million.”
The report also found that victims of ransomware attacks often saved significant sums of money if they involved law enforcement in the response: “Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.”