In recent times, there have been several reports about the CL0P ransomware gang exploiting the MOVEit transfer application.
The CISA and the FBI have published a Cybersecurity Advisory, which consists of the CL0P ransomware gang’s TTPs (Tactics, Techniques, and Procedures), IoCs (Indicators of Compromises), and mitigations.
Based on the known information, the CL0P ransomware group has been targeting and exploiting an SQL injection vulnerability in the MOVEit File Transfer application (CVE-2023-3436).
Most of these exploitations were internet-facing based MOVEit managed File Transfer (MFT) solution.
Modus Operandi of Ransomware Gang
CL0P acted as a Ransomware-as-a-Service (RaaS) and an affiliate for other RaaS-based groups.
This threat actor acted as an Initial Access Broker (IAB) for other threat actors to enter the organization. This is typically done through a phishing campaign.
Between 2020 to 2021, they exploited many zero-day targeting Accellion FTA servers and installed a web shell named DEWMODE.
At the start of this year, the TA was exploiting a zero-day vulnerability in the GoAnyWhere MFT platform that affected 130 victims in 10 days which was a great impact in a short period.
Their recent exploitation was an SQL injection vulnerability in the MOVEit File transfer applications which infected dozens of computers worldwide.
The list of malware exploited by the TA includes,
A complete list of exploitation and methodologies were published by the CISA and the FBI collaboratively, including TTPs, impact, IoCs, and other important information.
Mitigations
- Review and Monitor all Remote access execution logs.
- Limit the use of RDP and other remote desktop services
- Audit user accounts and their privileges
- Implementation of time-based access
- Disable hyperlinks in emails
- Keep the software up-to-date
Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus