The Clop ransomware group has reportedly started posting data on the Dark Web apparently stolen from law firm Jones Day, which represents many of the globe’s most powerful people, including former president Donald Trump in his efforts to overturn the 2020 election.
But the attack had nothing to do with politics, a person claiming to be from the hacker group told Vice. Asked about the motivation, they responded, “And what do you think? 😉 financial of course.”
The site DataBreaches.net was first to report on the incident and published screenshots of stolen Jones Day files that the Clop group posted on the Dark Web as proof it has the goods. The group told DataBreaches.net it didn’t encrypt the files, just stole copies of information. The Clop crew also said Jones Day hasn’t responded to its requests.
“Hi, they ignore us so they will be published,” the group responded, according to DataBreaches.net.
A purported Clop ransomware hacker told the Wall Street Journal that Jones Day was notified on Feb. 3 that the data had been stolen and, as of Tuesday, Clop had not heard from the firm or discussed any ransom payment.
Jones Day hasn’t responded to Threatpost’s request for comment.
Accellion FTA Breach
The ransomware group claims it stole the information directly from Jones Day servers, but the firm denied that to the Wall Street Journal, instead pointing to a widespread compromise of the FTA file-sharing service from Accellion that emerged last December as the point of attack.
The Journal added that the law firm Goodwin Procter LLP was also compromised as a result of the Accellion breach. Several other multi-national companies that use the Accellion file transfer service have also been compromised, including Tier 1 telecom carrier Singtel and Australian telecom company Optus.
Accellion reported that it became aware of a zero-day vulnerability in its 20-year-old system on Dec. 23, but once the company came under attack, a cascade of additional bugs followed. By February, the company said the system was fully patched.
“Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm,” a statement from the company said in response to Threatpost’s inquiry about the Jones Day breach. “We will share more information once this assessment is complete. For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident, and to migrate them to our modern kiteworks content firewall platform as soon as possible.”
The Wall Street Journal reported that it reviewed Clop’s stolen Jones Day files, which included, “Accellion configuration files and logs with references to Jones Day email and web addresses,” in addition to unrelated files ripped off from a California hospital in 2016.
The Vulnerable Software Supply Chain
But Lamar Bailey, senior director of security research at Tripwire, told Threatpost that it’s possible the hackers have found another vulnerability.
“If Jones Day releases the results of the investigation that is still ongoing, that should point to the cause,” Bailey said. “It is possible that the attacker is current, and Jones Day has not found the root cause yet but that remains to be proven.”
Nonetheless, Bailey added, this should serve as a warning for organizations to start taking a harder look at their software supply chains.
“The old saying a chain is only as strong as its weakest link also holds true for today’s extensive supply chains,” Bailey said. “If one of the products used by an organization is exploited, it opens up the organization to breaches as well.”
Bailey recommends using proactive threat intelligence services to detect and mitigate threats quickly.
“When an alert is received quickly, assess if the vulnerable versions of the hardware or software are in use and take remediation actions,” Bailey explained. “If a supplier was breached, assess what access the supplier had in the network and what data was accessible and then take actions to lock it down until remediations are in place.”
More Accellion Breach Victims Likely
Niamh Muldoon, global data protection officer at OneLogin, said this probably won’t be the last of the fallout from the Accellion breach.
“We are likely to see more breach disclosures originating from the Accellion file-sharing data breach over the forthcoming months,” Muldoon said.
It’s critical, Muldoon explained, for companies who fall victim to the compromise to engage in transparent communications with partners and clients about potential risks.
“Business leaders can take appropriate action now to help maintain the trust with their customers, partners and employees,” Muldoon added. “They can achieve this by carrying out due diligence within their organization to understand if the Accellion data file sharing tool is in use and/or was in use in the past. Being transparent with customers, partners and employees about this tool usage and potential exposure allows for appropriate actions to be taken.”