Halcyon reports that the ransomware operators are “actively extorting” victims via the local login pages (AppsLocalLogin.jsp) of internet-exposed EBS portals. After compromising user email, attackers abuse the default password-reset function to gain valid credentials; the local accounts bypass enterprise single sign-on (SSO) controls and often lack multi-factor authentication (MFA), leaving “thousands” of organizations exposed.
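One way a defender can check whether the local login page described above is being reached from outside the network is to scan the web tier's access logs for it; the script below is an added example, not from Halcyon or Oracle, and assumes an Apache/OHS combined log format, the usual /OA_HTML/ path prefix, and RFC 1918 ranges as "internal" (the log lines are constructed).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/OHS "combined" access-log format
# (assumption: the EBS front end logs in this format; adjust LOG_RE otherwise).
SAMPLE_LOG = """\
203.0.113.45 - - [08/Oct/2025:10:01:12 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [08/Oct/2025:10:01:40 +0000] "POST /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.30.7 - - [08/Oct/2025:10:02:05 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Oct/2025:10:03:11 +0000] "GET /OA_HTML/RF.jsp?function_id=HOMEPAGE HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.45 - - [08/Oct/2025:10:04:00 +0000] "POST /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: anything outside these ranges counts as an internet source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def local_login_from_internet(log_text: str):
    """Return (ip, method, status) for AppsLocalLogin.jsp requests from external sources."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]          # drop query string before matching
        if path.endswith("/AppsLocalLogin.jsp") and not is_internal(m["ip"]):
            hits.append((m["ip"], m["method"], m["status"]))
    return hits


def credential_posts_by_source(hits):
    """Count POSTs (credential submissions) to the local login page per external IP."""
    return Counter(ip for ip, method, _ in hits if method == "POST")
```

Any non-zero result means the local login page is reachable from the internet, which is the exposure the report describes; the expected state for an SSO-fronted deployment is that only internal or break-glass sources appear here.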
Targeted organizations have received samples, including screenshots of EBS portals and file tree listings from compromised environments, that seem to validate the extortion claims, Kaiser said. The tactics and extortion approach align with prior Cl0p campaigns, she noted, and data leak aggregators have “reinforced the claims.” She emphasized that the group appears to be abusing configurations, not exploiting vulnerabilities.
Malicious emails sent by the group contain contact information for the hackers, and two specific addresses are publicly listed on the Cl0p data leak site. At least one of the listed accounts has been associated with the financially motivated threat group FIN11, known for its ransomware and extortion tactics.