Imperva Cyber Community


Anonymous Sudan, MOVEit, and Cl0p - Update from Kunal Anand, CTO

By Laura Beaulieu posted 06-16-2023 05:45


Hi Community,

I wanted to bring to your attention this update posted by Imperva's Chief Technology Officer, Kunal Anand. Note that each of these has been covered in our weekly Threat Intel Report, which you can find here. Please see details below...

Kunal Anand, Chief Technology Officer

There are three concurrent events of significant concern:

    1. An Anonymous Sudan group chat on Telegram has revealed imminent threats from Russia to the US financial system, specifically targeting the SWIFT network. The motive behind this attack is disruption. By attacking SWIFT and inducing potential downtime, the attackers could feasibly destabilize the financial transactions processed through this network. We’ve observed similar assaults aimed at applications, APIs, and compute services/instances in the past, primarily executed to generate disturbance and service complications. Undoubtedly, attackers are typically interested in valuable data, especially financial information. Regarding these specific threats, Imperva offers robust solutions to deter such automated attacks, ensuring that both data at rest and in transit remain secure.
    2. The second matter pertains to emerging vulnerabilities within the MOVEit system. Recently, attackers discovered a way to compromise MOVEit and perform malicious activities, including exfiltrating sensitive data. Although this loophole has been addressed, a new vulnerability has surfaced. The exploited flaw remains unclear, yet there are increasing reports from corporations and government agencies concerning ransomware and other security issues due to insecure MOVEit instances. Imperva offers significant assistance to organizations in countering these exploits with our Cloud Web Application Firewall (WAF). This solution is designed to thwart such attacks from the network side. Additionally, Imperva is adapting its Runtime Application Self-Protection (RASP) solution with MOVEit to fortify customer deployments directly and from within.
    3. The third issue pertains to the activities of a Russian hacking group, Cl0p, which recently published a preliminary list of companies they claim to have compromised. Three aspects of this development remain uncertain at this stage:
      • The legitimacy of the hacking group’s claims,
      • The specific MOVEit vulnerability that was exploited, if any, and
      • The potential link between this activity and the broader threats discussed in the anonymous Telegram chat.

We are vigilantly monitoring these situations and will keep everyone apprised of new developments, including unique data from our global network. As always, we stand ready to assist you. Please do not hesitate to contact us for further assistance.