
NCC Group Monthly Threat Pulse - June 2023

20 July 2023

  • Threat actor Clop claims 90 victims in June, following exploitation of MOVEit vulnerability
  • Industrials (33%), Consumer Cyclicals (12%) and Technology (9%) most targeted sectors
  • North America (51%) most targeted region, followed by Europe (27%) and Asia (9%)

Ransomware attacks continue to hit record levels with 434 attacks in June 2023, a 221% increase on the same period last year (135 attacks – June 2022), according to the latest analysis from NCC Group’s Global Threat Intelligence team. June’s high levels of activity have been driven by Clop’s exploitation of the MOVEit file transfer software vulnerability, consistently high levels of activity by groups such as Lockbit 3.0, and the emergence of several new groups since May.

Threat actors

Russian-speaking threat actor Clop was responsible for 90 of the 434 attacks (21%) in June, following its exploitation of an SQL injection vulnerability in MOVEit file transfer software, CVE-2023-34362, allowing the group to use this flaw to escalate privilege and steal sensitive data. It follows a quiet period for Clop in May, when it was responsible for just 2 attacks.

LockBit 3.0, the most active threat actor of 2023 so far, was responsible for 62 of the attacks, a fall of 21% from 78 attacks in May. 8base, a new threat actor discovered in May, stepped up activity with 40 attacks (9%) in June – making it the third most active threat group in June.

Other notable activity included 17 attacks from Rhysida and 9 attacks from Darkrace, two ransomware-as-a-service (RaaS) groups that were first observed in May 2023.

Regions

North America was the most targeted region, accounting for more than half of the attacks in June with 222 victims (51%) – the exact same total as May. Europe (27%) and Asia (9%) followed with 116 and 40 victims respectively.

Sectors

Industrials was the most targeted sector in June, representing 143 of the total attacks (33%), followed by Consumer Cyclicals (12%) with 52 attacks, and Technology (11%) with 48 attacks.

Spotlight: Clop and the MOVEit vulnerability

In June, threat actor Clop’s exploitation of a vulnerability in Progress Software’s MOVEit file transfer app, which is used by thousands of organisations around the world, made international headlines. A number of organisations whose supply chains use the MOVEit app suffered a data breach as a result, with customer and/or employee data being stolen.

This vulnerability has been abused to compromise MOVEit MFT servers and exfiltrate data, and is currently tracked as CVE-2023-34362. Targets included big name brands, with attacks against well-known publishers, accounting firms, consultancies, large energy companies and colleges, amongst others.

Over the last two years, Clop has abused four vulnerabilities in appliances that would either lead to the deployment of Clop ransomware or exfiltration of the victim organisation's data.

Matt Hull, Global Head of Threat Intelligence at NCC Group, said:

“The considerable spike in ransomware activity so far this year is a clear indicator of the evolving nature of the threat landscape. The better known players, such as Lockbit 3.0, are showing no signs of letting up, newer groups like 8base and Rhysida are demonstrating what they’re capable of, and Clop have exploited a major vulnerability for the second time in just three months.”

“It’s imperative that organisations should remain vigilant and adapt their security measures to stay one step ahead. We strongly advise any organisation using MOVEit File transfer software to apply the recent patch, given this vulnerability is being actively exploited.”
