The Clop ransomware group gained significant notoriety in 2023 as one of the most prolific cybercriminal organizations. They have exploited various vulnerabilities to their advantage, targeting businesses, enterprises, government institutions, municipal governments, and even schools.
To respond to this cyber threat, the US government placed a staggering $10 million bounty on the group, encouraging cyber defenders to bring them to justice. It's a remarkable step for the government to actively incentivize the pursuit of such criminal organizations.
To provide you with accurate information, I rely on advisories released by reputable sources like the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). In this case, I refer to a joint advisory released by CISA, which is part of the Department of Homeland Security, and the Department of Justice. The advisory, updated on June 16, 2023, provides insights into the Clop ransomware group and the ongoing threats it poses.
Clop, also known as TA505, operates as a ransomware-as-a-service (RaaS) and acts as an affiliate for other ransomware operations. They specialize in initial access brokerage, selling compromised network access, and operating large botnets for financial fraud and phishing attacks. In 2021, they used zero-day exploits against Accellion File Transfer Appliance (FTA) devices, and in early 2023, they targeted Fortra GoAnywhere MFT servers.
Their modus operandi revolves around exploiting zero-day vulnerabilities in internet-facing applications and servers. Although such applications can be deployed securely, many organizations fail to implement adequate security measures, prioritizing business processes over protection. The FBI urges organizations to implement the mitigation recommendations outlined in the advisory to reduce the risk of ransomware incidents.
TA505 uses various malware types to collect information and execute their attacks. One of them is the FlawedAmmyy remote access Trojan, which enables the download of additional malware components. Another is the SDBot remote access Trojan, which propagates infections by exploiting vulnerabilities and spreading through removable drives and network shares.
Now, let's focus on the MOVEit Transfer vulnerability, which Clop has recently exploited. MOVEit Transfer is managed file transfer software used by organizations to streamline their operations. In May 2023, Clop leveraged a SQL injection zero-day vulnerability to install a web shell called LEMURLOOT on the MOVEit Transfer web application. The web shell masqueraded as a legitimate file to avoid suspicion. Once installed, the web shell established communication with its operators, allowing them to execute commands, retrieve data from Azure systems, and extract files from the MOVEit system.
Progress Software, the maker of MOVEit, discovered the vulnerability and issued guidance on software upgrades and patching. The vulnerability affects versions of the software released before 2023. Here’s a list of all impacted versions of this software:
- MOVEit Transfer 2023.0.0
- MOVEit Transfer 2022.1.x
- MOVEit Transfer 2022.0.x
- MOVEit Transfer 2021.1.x
- MOVEit Transfer 2021.0.x
- MOVEit Transfer 2020.1.x
- MOVEit Transfer 2020.0.x
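As an added example (not from the advisory or the vendor), here is a small triage helper that checks version strings from an asset inventory against the list above; the inventory entries and hostnames are constructed sample data, and a version absent from the list is reported as "not listed", not as safe.

```python
import re
from typing import Iterable, List, Tuple

# Impacted MOVEit Transfer series exactly as listed above.
# "x" matches any patch number; "2023.0.0" is a single exact build.
IMPACTED_SERIES = [
    "2023.0.0", "2022.1.x", "2022.0.x", "2021.1.x",
    "2021.0.x", "2020.1.x", "2020.0.x",
]

VERSION_RE = re.compile(r"(\d{4})\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (year, minor, patch) from a banner or inventory string
    such as 'MOVEit Transfer 2022.1.5'. Raises ValueError if absent."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MOVEit version found in {text!r}")
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]


def matches_series(version: Tuple[int, int, int], series: str) -> bool:
    """True if a parsed version falls inside one listed series."""
    year, minor, patch = version
    s_year, s_minor, s_patch = series.split(".")
    if int(s_year) != year or int(s_minor) != minor:
        return False
    return s_patch == "x" or int(s_patch) == patch


def is_impacted(text: str) -> bool:
    """True if the version string matches any impacted series."""
    version = parse_version(text)
    return any(matches_series(version, s) for s in IMPACTED_SERIES)


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose recorded version is on the impacted list.
    Hosts not returned are merely 'not listed'; older unsupported builds
    still need a separate review before being treated as clean."""
    return [host for host, ver in inventory if is_impacted(ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mft-prod-01", "MOVEit Transfer 2022.1.5"),
    ("mft-prod-02", "MOVEit Transfer 2023.0.0"),
    ("mft-dr-01", "MOVEit Transfer 2021.0.3"),
    ("mft-lab-01", "MOVEit Transfer 2023.0.1"),
]

if __name__ == "__main__":
    print("hosts to patch:", triage_inventory(SAMPLE_INVENTORY))
```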
To proactively respond to this threat, organizations can block communication with known malicious IP addresses associated with Clop's infrastructure. Implementing strict firewall rules and regularly updating software can help reduce the risk of an attack.
Clop employs various attack techniques, including phishing emails, PowerShell commands, and scripting interpreters to establish a foothold in compromised networks. They also utilize modules like TrueBot to download additional malware, execute commands, and exploit SMB vulnerabilities in Active Directory servers. Additionally, they exploit the Remote Desktop Protocol (RDP) for interacting with compromised systems.
The Clop ransomware group poses a severe threat to cybersecurity in 2023. By exploiting vulnerabilities in file transfer tools and employing sophisticated attack techniques, they have wreaked havoc on organizations worldwide. With the US government offering a substantial bounty for their capture, it's clear that the authorities are taking this threat seriously.
To protect themselves, organizations must remain vigilant, implement robust security measures, and regularly update their software to stay one step ahead of these malicious actors. By doing so, we can collectively work towards a safer digital landscape.