Recently, the headlines have focused on the CL0p hacker gang due to a large increase in ransomware attacks. This cybercriminal outfit has been attacking several banks, federal agencies, and enterprises by exploiting a specific vulnerability in MOVEit software known as CVE-2023-34362. This weakness has allowed them illegal access to sensitive data, leading to major data breaches across numerous sectors.
Their method of attack involves taking advantage of an Internet-facing MOVEit transfer web application weakness. Once they acquire access, the threat actors implant malware into these applications, which lets them to take data from the underlying MOVEit databases without authorization.
The FBI and CISA have released a combined cybersecurity advisory in response to this illicit activity. This advice exposes CL0p's techniques, emphasizing their agility and infamous notoriety. The gang has a history of financial fraud, phishing attacks, and zero-day exploits.
CL0p has recently been especially active in attacking the GoAnywhere MFT platform, exploiting zero-day vulnerabilities to steal data and extort ransoms. Their sophisticated toolbox includes malware such as the FlawedAmmyy/FlawedGrace RAT, the SDBot RAT, and the Truebot downloader module, which allows them to acquire sensitive information and widely distribute their software.
Their impact has been considerable, encompassing over 3,000 organizations in the United States and 8,000 organizations worldwide. Once inside the Active Directory server, they use Truebot to download FlawedGrace or Cobalt Strike beacons to acquire additional network access. They also used the SQL injection zero-day vulnerability CVE-2023-34362 to install the LEMURLOOT web shell on MOVEit Transfer web apps.
The FBI and CISA have proposed many remedies to combat this danger, including normal software patching and updating, regular vulnerability assessments, and adherence to known cybersecurity best practices. They've also released IP address and domain lists related with TA505, MITRE ATT&CK methods, and mitigating options.
Organizations are strongly advised to check their security procedures and report ransomware events to the FBI or CISA as soon as possible. Stopransomware.gov and the CISA/MS-ISAC Joint Ransomware Guide provide further resources for managing ransomware attacks. Given the surge in opportunistic assaults, reading their essay on understanding and controlling software vulnerabilities is also advised.
With Bitdefender's MDR service, customers can rely on comprehensive protection against evolving cyber threats, allowing them to focus on their core operations with peace of mind.