The notorious Cl0p ransomware group has claimed responsibility for a cyber attack on the University of California, Los Angeles (UCLA).
Threat analyst Dominic Alvieri posted details about the UCLA cyber attack in a tweet that included an image allegedly posted by the hackers.
The Cyber Express reached out to the University of California, Los Angeles, seeking further information regarding the alleged UCLA cyber attack. However, as of now, no official response has been received from the university regarding the claims made by the threat actor.
UCLA cyber attack: Not the first data breach!
Interestingly, this is not the first time that UCLA has fallen victim to a cyber attack by a high-profile threat actor.
On March 31, 2021, David Shaw, the Chief Information Security Officer at UCLA, released an official statement addressing a previous cyber attack targeting the university.
Shaw stated in the press release, “Beginning this past Monday, many UCLA email accounts started receiving messages stating that their personal data had been stolen and would be released. These emails contained a link to a public website where a sample of personal information from UC employees was posted.”
It was later revealed by the University of California Office of the President (UCOP) that the personal data of UC employees had indeed been compromised as a result of a cyber attack on a UCOP system, which was believed to be the source of the leaked information.
On April 2, 2021, the Los Angeles Times reported that the UCLA cyber attack resulted from hackers exploiting a vulnerability in a file-transfer product from Accellion, a third-party vendor used by the university for secure file transfers.
The university released a statement acknowledging the incident and said it understood that the attackers had shared screenshots of personal information online. Notably, the Cl0p ransomware gang was behind that attack as well.
The university further assured the UC community that members would be notified if their data had been leaked as a result of the breach.
UCLA cyber attack claim remains unverified
While the hackers' claims regarding the UCLA cyber attack are still awaiting verification, it is worth noting that the Cl0p ransomware group has been responsible for breaching numerous prominent organizations in recent months.
Many of these attacks have been linked to exploitation of the MOVEit Transfer vulnerability, which has affected multiple organizations, including well-known entities such as the BBC and British Airways.
The Cl0p ransomware group is known for launching targeted threat campaigns such as the one alleged in this UCLA cyber attack.
According to a report by the Cybersecurity and Infrastructure Security Agency (CISA), Cl0p is a ransomware variant associated with the FIN11 threat actor group, which is known for using the double extortion tactic.
This group has previously targeted several U.S. healthcare and public health (HPH) organizations.
Researchers have also observed that the Cl0p operators combine a "spray and pray" approach with a more targeted approach when selecting victims, indicating a degree of selectivity in their operations.
The Cl0p ransomware group has demonstrated a particular interest in leveraging Managed File Transfer (MFT) software vulnerabilities to target unsuspecting victims. The most recent instance involved exploiting a SQL injection vulnerability in MOVEit Transfer, an enterprise MFT software.
Prior to this, the group had engaged in similar exploits in the following incidents:
- In February 2023, Cl0p claimed responsibility for more than 130 attacks by exploiting a zero-day vulnerability in Fortra GoAnywhere MFT (CVE-2023-0669).
- In December 2020, the Cl0p group targeted over 100 companies by exploiting zero-day vulnerabilities in Accellion's legacy file-transfer appliance (FTA) software, resulting in data theft.
Interestingly, in all three campaigns Cl0p deviated from its usual approach of deploying its eponymous ransomware and instead opted for data extortion alone.
Rather than encrypting victims' systems, Cl0p threatened to publicly disclose sensitive data stolen from the compromised MFT software. This shift in tactics has proved ruthlessly efficient, enabling Cl0p to extort many victims simultaneously.
Despite this change in tactics, Cl0p is expected to continue its established practices going forward.