June’s high levels of activity has been driven by Clop’s exploitation of the MOVEit file transfer software vulnerability, consistently high levels of activity by groups such as Lockbit 3.0, and emergence of several new groups since May.
Threat actors
Russian-speaking threat actor Clop was responsible for 90 of the 434 attacks (21%) in June, following its exploitation of an SQL injection vulnerability in MOVEit file transfer software, CVE-2023-34362, allowing the group to use this flaw to escalate privilege and steal sensitive data. It follows a quiet period for Clop in May, when it was responsible for just 2 attacks.
LockBit 3.0, the most active threat actor of 2023 so far, was responsible for 62 of the attacks, a fall of 21% from 78 attacks in May. 8base, a new threat actor discovered in May, stepped up activity with 40 attacks (9%) in June – making it the third most active threat group in June.
Other notable activity included 17 attacks from Rhysida and 9 attacks from Darktrace, two ransomware-as-a-service (RaaS) groups that were first observed in May 2023.
Regions
North America was the most targeted region, accounting for more than half of the attacks in June with 222 victims (51%) – the exact same total as May. Europe (27%) and Asia (9%) followed with 116 and 40 victims respectively.
Sectors
Industrials was the most targeted sector in June, representing 143 of the total attacks (33%), followed by Consumer Cyclicals (12%) with 52 attacks, and Technology (11%) with 48 attacks.
Spotlight: Clop and the MOVEit vulnerability
In June, threat actor Clop’s exploitation of a vulnerability in Progress Software’s MOVEit file transfer app, which is used by thousands of organisations around the world, made international headlines. A number of organisations whose supply chains use the MOVEit app suffered a data breach as a result, with customer and/or employee data being stolen.
This vulnerability has been abused to compromise MOVEit MFT servers and exfiltrate data and is currently tracked as CVE-2023-34362. Targets included big name brands, with attacks against well-known publishers, accounting firms, consultancies, large energy companies and colleges, amongst others.
Over the last two years, Clop has abused four vulnerabilities in appliances that would either lead to the deployment of Clop ransomware or exfiltration of the victim organisation's data.
Matt Hull, Global Head of Threat Intelligence at NCC Group, said: “The considerable spike in ransomware activity so far this year is a clear indicator of the evolving nature of the threat landscape. The better known players, such as Lockbit 3.0, are showing no signs of letting up, newer groups like 8base and Rhysida are demonstrating what they’re capable of, and Clop have exploited a major vulnerability for the second time in just three months.”
“It’s imperative that organisations should remain vigilant and adapt their security measures to stay one step ahead. We strongly advise any organisation using MOVEit File transfer software to apply the recent patch, given this vulnerability is being actively exploited.”