Rewterz Threat Update – Report on Shell Falls Victim to Clop Ransomware Attack

Severity

High

Analysis Summary

Shell, a major player in the oil and gas industry, has confirmed that it is one of the victims of a large-scale ransomware campaign conducted by the notorious Clop gang. The cybercriminals have exploited a zero-day vulnerability in the MOVEit Transfer tool from Progress to carry out their attacks. This zero-day vulnerability is tracked as CVE-2023-34362 and is being actively exploited by threat actors to steal sensitive data from organizations worldwide.

Upon discovering the security breach, Shell immediately launched an investigation into the incident. Fortunately, the company has stated that the attack had no impact on its core IT systems. However, a small number of Shell employees and customers who utilize the third-party tool MOVEit Transfer have been affected. Shell spokesperson Anna Arata confirmed that the company’s IT teams are actively investigating the situation to assess any potential risks and take appropriate actions.

The Clop ransomware gang, responsible for this campaign, claims to have successfully hacked hundreds of companies by leveraging the aforementioned zero-day vulnerability. Interestingly, researchers have found evidence indicating that the Clop gang had been searching for a zero-day exploit in the MOVEit software as early as 2021. As of now, the ransomware group has already listed 27 companies as victims on their dark web leak site, claiming to have compromised them by exploiting the CVE-2023-34362 vulnerability.

In response to media reports suggesting that government data had been compromised, the Clop gang posted a message on their leak site denying any involvement in such activities. They emphasized that their primary motivation is financial gain and they have no interest in politics or government data. They also stated that if companies place their data on unprotected and unencrypted file transfer services, they should not blame the hackers for their actions.

Worryingly, cybersecurity firm discovered approximately 2,500 publicly accessible instances of MOVEit Transfer on the internet, with a significant number located in the United States. The United Kingdom, on the other hand, had 127 installations of the tool. As a result, UK’s communications regulator Ofcom has also fallen victim to the ongoing Clop ransomware campaign. Additionally, Zellis, a payroll services provider, was targeted, leading to data breaches affecting various companies. Among the impacted firms are the BBC, British Airways, Boots (a health and beauty retailer and pharmacy chain), and Aer Lingus (an airline).

It is worth noting that Shell had previously disclosed a data breach in March 2021 resulting from the compromise of an Accellion File Transfer Appliance (FTA) utilized by the company. The recent attack underscores the persistent and evolving threat landscape faced by organizations, emphasizing the critical importance of robust cybersecurity measures to safeguard sensitive data and prevent unauthorized access by threat actors.

Impact

• File Encryption
• Information Disclosure

Indicators Of Compromise

CVE

• CVE-2023-34362

Affected Vendors

MOVEit

Affected Products

• Progress MOVEit Transfer 13.0.5
• Progress MOVEit Transfer 13.1.3
• Progress MOVEit Transfer 14.0.3
• Progress MOVEit Transfer 14.1.4
• Progress MOVEit Transfer 15.0.0

Remediation

• Refer to Progress Web site for patch, upgrade or suggested workaround information.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Conduct a thorough assessment to determine the extent of the ransomware attack. Identify the systems, files, and data that have been compromised or encrypted by the Clop ransomware. 
• If reliable and unaffected backups are available, ensure they are secure and intact. Disconnect any compromised backup systems to prevent further encryption. Restore data and systems from clean backups once the affected systems have been cleaned and secured.
• Restrict user privileges and implement the principle of least privilege. Users should only have access to the systems and files necessary for their roles, reducing the potential impact of ransomware attacks