
The Russia-linked Cl0p ransomware cartel claims it has the data of numerous companies, with the UK's health system NHS, Mazda, Mazda USA, and Canon recently added to the gang’s ever-growing victim list.
The companies were posted on Cl0p’s dark web leak site, which it uses to pressure victims into paying ransom. Automotive giant Mazda, the company’s US subsidiary, Mazda USA, and optics industry giant Canon all appeared on the leak site simultaneously.
The National Health Service (NHS), the United Kingdom’s publicly funded healthcare system, also appeared on Cl0p’s leak site. We have reached out to potentially affected organizations for comment and will update the article once we receive a reply.
An NHS representative has since replied, saying the organization is aware of the claims and is currently investigating the issue.
“We are aware that the NHS has been listed on the CL0P cyber-crime website as being affected by a cyber-attack. We are working closely with the National Cyber Security Centre and a local NHS organisation to investigate, including assessing and validating data published by the group,” NHS said.
After the article was published, Canon also replied to our queries. While the company confirmed there was a data security incident, Canon claims it was limited to a subsidiary of a regional branch.
“As a result of our investigation, we have confirmed an incident that appears to be isolated to a subsidiary of Canon U.S.A., Inc. We have confirmed that the incident only affected the web server, and we have already taken security measures and resumed service,” the company explained.
Canon also added that it will continue its investigation to ensure there is no other impact.
What's inside the data sample?
Meanwhile, the Cybernews research team has investigated data samples that the attackers added to support their claims. While the dataset allegedly taken from the NHS contains hundreds of gigabytes of data, the team only investigated a small fraction of the information.
Researchers noted that at least some of the files included patient lists with their personally identifiable information (PII), ranging from names to diagnoses and insurance information. At least in theory, attackers could exploit the data for identity theft, social engineering, and medical fraud.
“It would be difficult to estimate the full impact of this breach, simply because of its size. However, it could create a high risk of identity exposure, fraud, and targeted scams for the patients mentioned, especially because insurance eligibility categories, combined with residency information, can reveal people’s socioeconomic status,” our team explained.
Healthcare information is extremely valuable to cybercriminals, as it opens up numerous new avenues for attacks. Moreover, medical information is extremely sensitive and, unlike credit cards or passwords, cannot be changed over time.
Meanwhile, Cl0p did not include any data samples for Canon, Mazda, or Mazda USA. Most likely, that’s because the three companies are still being extorted. Ransomware gangs often publicize victim names as a warning shot, threatening to leak stolen data if their ransom demands are not met.
While it’s unclear how Cl0p breached its victims, there’s a high probability that the attackers got their hands on the data by exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS).
EBS zero-day bug
Cl0p has been on a hacking spree for months, constantly adding new victims that were breached using the EBS bug. Oracle itself was listed on the gang’s dark web forum. Many organizations only discovered they had been breached in August, some after receiving a ransom note from the gang via email.
The initial Cl0p exploit, first reported by Oracle on October 2nd, had been tracked by Google researchers as far back as July. Moreover, Oracle's first emergency patch, released just days after the initial announcement, had failed, prompting a second critical patch on October 11th, leaving clients vulnerable for days.
Big-name victims of the widespread Oracle hacking campaign, some whose data has already been published on the Cl0p site, include Harvard University, American Airlines' largest regional carrier, Envoy Air, and Chicago Public Schools, the fourth-largest district in the US.
Cl0p's past campaigns – exploiting the MOVEit, Fortra GoAnywhere, and Cleo file transfer programs – have compromised thousands of major organizations over the years, with the gang often taunting its victims and raking in hundreds of millions of dollars.
The MOVEit exploit, which occurred in 2023, was one of the most extensive hacking campaigns, affecting thousands of organizations and nearly 90 million individuals, with an estimated impact in the billions of dollars.
Updated on November 21st [02:35 p.m. GMT] with a statement from NHS.
Updated on November 25th [09:40 a.m. GMT] with a statement from Canon.