Analysis: Cl0p Ransomware
Today we will look at Cl0p and its most recent campaign: mass data theft and extortion carried out through a zero-day vulnerability in Progress MOVEit Transfer.
What is Cl0p?
According to the MITRE ATT&CK framework, “Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.”
Who is using Cl0p?
According to Microsoft, the group exploiting the MOVEit Transfer zero-day, a product used by hundreds of corporations and government bodies, is tracked as Lace Tempest (also referred to as Storm-0950). Its activity overlaps with the groups tracked as FIN11, TA505, and Evil Corp, all of which have been associated with Cl0p operations.
Was MOVEit the first zero-day campaign by this group?
No. Shortly before MOVEit, Lace Tempest exploited a vulnerability in PaperCut print-management servers. After gaining code execution, the group ran PowerShell commands to download a TrueBot DLL that connected to a command-and-control (C2) server and attempted to dump credentials from the LSASS process.
Discussion on the vulnerability used:
SQL injection is often treated as a solved problem, something taken care of by secure-code reviews and the layers of security in front of applications and the database servers behind them. That is not the case today. CVE-2023-34362 is a SQL injection vulnerability in the web application of the popular MOVEit Transfer product. An unauthenticated remote attacker can reach the application database through it and, depending on the database engine in use, infer the structure and contents of the database and execute SQL statements that alter or delete data. In the observed campaign the flaw was chained into deployment of a web shell that was then used to locate and exfiltrate files stored in MOVEit.
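To make the class of bug concrete, here is an added, constructed example (not MOVEit's code and not the actual exploit for CVE-2023-34362). The schema, table names, accounts and payloads are all invented for illustration. It shows a login query built by string concatenation, two ways an unauthenticated input can abuse it (authentication bypass, and reading rows from a table the query was never meant to touch), and the parameterised form that closes the hole:

```python
"""Constructed SQL-injection illustration (hypothetical schema, not MOVEit's code).

Runs against an in-memory SQLite database so it works offline.
"""
import sqlite3


def build_db():
    """Create a tiny, constructed database with a users table and a files table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    cur.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 0), ("sysadmin", "hunter2", 1)],  # constructed accounts
    )
    cur.execute("CREATE TABLE files (owner TEXT, path TEXT)")
    cur.executemany(
        "INSERT INTO files VALUES (?, ?)",
        [("alice", "/home/alice/payroll.xlsx"), ("sysadmin", "/etc/backup.tar")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so it can change
    the query's grammar instead of just supplying a value."""
    sql = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened: placeholders keep input as data; the driver never lets it
    become part of the statement."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed attacker inputs. The trailing '--' comments out the rest of the
# original WHERE clause so the password check never runs.
BYPASS_USERNAME = "sysadmin' --"
# A UNION with a matching column count pulls rows from an unrelated table,
# which is how an injection is used to "infer the structure and contents" of
# a database rather than merely log in.
UNION_USERNAME = "' UNION SELECT owner, path FROM files --"


def demo():
    """Return what each query variant gives back for the two payloads."""
    conn = build_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "vulnerable_union": sorted(login_vulnerable(conn, UNION_USERNAME, "x")),
        "safe_bypass": login_safe(conn, BYPASS_USERNAME, "wrong"),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns the `sysadmin` row for a password it was never given, and the UNION payload returns the contents of `files` instead of anything from `users`. The parameterised version returns nothing for the bypass payload and the correct row only for correct credentials. Note that a web application firewall in front of the server, the "massive security" mentioned above, does not change the query text the application builds; only the code fix does.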
Who are the victims currently and possibly in the future?
Censys published an analysis of the MOVEit Transfer hosts exposed on the internet and the industries operating them:
· 30.86% of the hosts running MOVEit are in the financial services industry, 15.96% in healthcare, 8.82% in information technology, and 7.56% in the government and military.
· 29% of the companies we observed have over 10,000 employees, indicating that this service is used in a variety of large organizations.
· Companies based in the United States account for a significant majority, comprising 69%, of MOVEit hosts.
“In conducting our analysis, we examined over 1,400 MOVEit servers that were openly accessible on the internet. Using various data points furnished by the host and the networks operating these hosts, we were able to associate them with specific companies or organizations.” (Censys, 2023)
What are companies doing to protect themselves?
We need some advice. Who better to ask than CISA?
CISA recommends these actions to mitigate the Cl0p ransomware:
1. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
2. Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
3. Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
4. Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
Since Covid-19, exploited vulnerabilities have rarely surfaced this frequently. The Internet, the world, and the digital channels through which we do business have become increasingly complex. Take the time to find out which software and services your company actually runs, so you can protect against zero-days by updating and monitoring them promptly and restricting access to them on a need-to-know, need-to-access basis.