Clop Ransomware Group Likely Aware of MOVEit Transfer Vulnerability Since 2021

Jun 08, 2023
Ransomware / Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory about the ongoing exploitation of a newly identified critical flaw in Progress Software’s MOVEit Transfer application, which is being used to deploy ransomware. “The Cl0p Ransomware Group, also known as TA505, reportedly began taking advantage of an undisclosed SQL injection vulnerability in the MOVEit Transfer managed file transfer (MFT) solution,” the agencies noted. “Internet-facing MOVEit Transfer web applications were compromised with a web shell called LEMURLOOT, which was then utilized to extract data from the underlying databases.” This notorious cybercrime group has also issued a deadline to several affected organizations, demanding contact by June 14, 2023, or they risk having their stolen information disclosed. Microsoft is monitoring this activity under the name Lace Tempest (also known as Storm).

Clop Ransomware Group Likely Aware of MOVEit Transfer Vulnerability Since 2021

In a concerning development for organizations utilizing Progress Software’s MOVEit Transfer application, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory highlighting the active exploitation of a newly revealed critical vulnerability. This security flaw poses a significant risk as it has allowed the notorious Clop Ransomware Gang, also referred to as TA505, to execute malicious attacks involving the application.

The advisory indicates that the gang has capitalized on a previously unclassified SQL injection vulnerability within the MOVEit Transfer managed file transfer (MFT) solution. This breach has permitted the installation of a web shell named LEMURLOOT on internet-facing MOVEit Transfer web applications. Once in place, this web shell has facilitated unauthorized access to and theft of sensitive data from the underlying MOVEit Transfer databases.

Clop’s operations have escalated since the discovery of this vulnerability, as the gang has proactively reached out to numerous affected entities, warning them to respond by June 14, 2023. Failing to engage may result in the public dissemination of all stolen data, threatening to expose sensitive information and significantly damaging the reputations of companies grappling with the consequences.

This incident highlights the cybercriminal landscape’s dynamic nature, particularly the Clop Ransomware Gang’s continued evolution in employing sophisticated cyber tactics. Observational insights suggest that groups like Clop are becoming adept at leveraging vulnerabilities in widely used applications, which emphasizes the need for robust cybersecurity protocols and routine assessments of software security.

From a technical perspective, this attack aligns with several tactics outlined in the MITRE ATT&CK Framework. Initial access was gained through the exploitation of known software vulnerabilities, fitting into tactics such as “External Remote Services.” The persistence of this threat is exemplified by the deployment of the web shell, which allows attackers to maintain access to the affected systems. Furthermore, privilege escalation may have been employed to gain elevated permissions necessary to extract sensitive data from the databases.

As organizations increasingly rely on managed file transfer solutions for their data handling needs, the imperative for comprehensive security measures cannot be overstated. Regularly updating software, implementing multifactor authentication, and conducting thorough security audits are essential steps in safeguarding data against evolving threats. Business owners must remain vigilant and proactive in addressing cybersecurity risks, particularly in light of the alarming tactics demonstrated by groups such as Clop.

Source link

Related Posts

Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

Rising China-Taiwan Tensions Ignite Sharp Increase in Cyber Attacks

May 18, 2023
Cyber Warfare / Threat Intelligence

Recent geopolitical strains between China and Taiwan have led to a significant rise in cyber attacks targeting the island nation. According to a report from the Trellix Advanced Research Center, “The conflict stemming from China’s claim over Taiwan, combined with Taiwan’s push for independence, has resulted in a troubling escalation of cyber threats.” These attacks, aimed at various sectors, primarily focus on deploying malware and stealing sensitive data. The cybersecurity firm noted a staggering four-fold increase in malicious emails between April 7 and April 10, 2023, with sectors such as networking, manufacturing, and logistics being particularly affected. Following this surge, the region saw a 15x spike in PlugX detections between April 10 and April 12, 2023.

Beware the ZIP File: Phishers Exploit .ZIP Domains to Deceive Victims

May 29, 2023
Cyber Threat / Online Security

A new phishing technique dubbed “file archiver in the browser” is being used to imitate file archiver software, such as WinRAR, within web browsers when victims visit a .ZIP domain. Security researcher mr.d0x revealed that this phishing attack involves creating a realistic landing page using HTML and CSS to mimic genuine file archive software, hosted on a .ZIP domain to enhance its legitimacy.

In a typical attack, cybercriminals can redirect users to a credential theft page when they click on a file that appears to be included within the fake ZIP archive. Another alarming tactic involves listing a harmless non-executable file, only for the actual download to be an executable file instead, as noted by mr.d0x…

Dark Pink APT Group Utilizes TelePowerBot and KamiKakaBot in Complex Campaigns

On May 31, 2023, it was reported that the Advanced Persistent Threat (APT) group known as Dark Pink has launched five new attacks targeting various organizations in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. The targets include educational institutions, government agencies, military organizations, and non-profit entities, highlighting the group’s ongoing focus on high-value assets. Also referred to as the Saaiwc Group, Dark Pink is believed to originate from the Asia-Pacific region, primarily directing its attacks towards East Asia, with some activity observed in Europe. The group employs a variety of custom malware tools, including TelePowerBot and KamiKakaBot, to facilitate the exfiltration of sensitive data from compromised systems. “The group uses a range of sophisticated custom tools and deploys multiple kill chains, often leveraging spear-phishing emails,” noted Andrey Polovinkin, a security researcher at Group-IB, in a technical report.