The continuous threat exposure management<\/a> (CTEM) vendor tested to see if organizational controls would recognize the Indicators of Compromise (IoCs) of Clop ransomware attacks. What they found was alarming:<\/p>\n\n\n\n Mike DeNapoli, Cybersecurity Architect and Director at Cymulate, told eSecurity Planet<\/em>, “While the EDRs could possibly recognize the behavior of the attack if it was executed, which Cymulate can do in other modules, they did not recognize the known binaries used in the attacks. So … the EDR missed an indicator of compromise, and while it may have compensated for it later, the firewall should have stopped inbound\/outbound traffic but failed to do so.”<\/p>\n\n\n\n Organizations can still be protected even if their EDR technologies only identify attack patterns rather than individual files, he said.<\/p>\n\n\n\n “The MOVEit vulnerability is shining a new light on exposure management because if the organization has an EDR tool that looks for the behaviors<\/a> of these attacks but not the files themselves, then they\u2019re still protected,” DeNapoli said.<\/p>\n\n\n\n He added, “If the organization does not have any of the software platforms targeted by these attacks, like the MOVEit platform, then they are also safe even if they didn\u2019t block the indicators of compromise \u2014 the attackers don\u2019t have anything to leverage in order for the attack to work in the first place.”<\/p>\n\n\n\n The Clop ransomware gang’s exploitation of a vulnerability in Progress Software’s MOVEit managed file transfer (MFT) system has hit dozens of major organizations so far, among them.<\/p>\n\n\n\n Abbie, Aer Lingus, the BBC, British Airways, the California Public Employees\u2019 Retirement System, Johns Hopkins University, New York City public schools, Schneider Electric, Shell, Siemens, UCLA, the University of Rochester, the U.S. Department of Energy, and the U.S. Department of Health and Human Services, among others.<\/p>\n\n\n\n However, instead of the typical ransomware<\/a> tactics, Clop aka Lace Tempest has used the SQL injection<\/a> vulnerability to steal sensitive data and threaten to release it unless a ransom is paid.<\/p>\n\n\n\n The U.S. Government has offered a $10 million reward<\/a> for information on the threat actors.<\/p>\n\n\n\n Cybersecurity experts have discovered extensive use of the zero-day vulnerability in MOVEit Transfer. Multiple threat actors \u2014 many of whom overlap or are used interchangeably \u2014 have been linked to the vulnerability, including FIN11, TA505, and Lace Tempest. While FIN11 and TA505 have been used interchangeably in the past, Mandiant classifies FIN11 as a subset of activity inside the TA505 group. Additionally, Lace Tempest, which runs the Clop extortion site, is also affiliated with FIN11.<\/p>\n\n\n\n \u201cLace Tempest (Storm-0950, overlaps w\/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files,\u201d Microsoft notes.<\/p>\n\n\n\n The cybercriminals started exploiting the vulnerability on May 27th, during the U.S. Memorial Day holiday. Lace Tempest has a track record of exploiting different zero-day vulnerabilities to steal data and extort victims.<\/p>\n\n\n\n TA505 is well-known for its involvement in global phishing and malware dissemination. Their victims include hundreds of companies worldwide, and they engage in various illegal activities, including providing ransomware-as-a-service, acting as an initial access broker, and orchestrating large-scale phishing assaults and financial fraud. This recent exploitation expands their repertoire, highlighting their ability to hack and steal critical data through the MOVEit Transfer web applications with the LEMURLOOT web shell.<\/p>\n\n\n\n Another significant threat actor, FIN11, has been involved in a number of high-profile infiltration efforts that leverages zero-day vulnerabilities. The group has targeted pharmaceutical companies and other healthcare institutions during the COVID-19 pandemic. Their activities primarily target corporations in various industries in North America and Europe, with the goal of stealing data and deploying ransomware using Clop.<\/p>\n\n\n\n The Clop gang’s exploitation of the MOVEit vulnerability has become a critical issue, causing concerns among several organizations about their own security procedures as well as their vulnerability to similar cyber assaults.<\/p>\n\n\n\n Also read: Ransomware Protection: How to Prevent Ransomware Attacks<\/a><\/strong><\/p>\n\n\n\n In light of the Clop ransomware attacks and similar threats, the FBI and CISA published a joint advisory<\/a> recommending the following mitigation measures for organizations:<\/p>\n\n\n\n These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and NIST. The CPGs are based on current cybersecurity frameworks and recommendations, and they provide a set of minimum procedures and policies to defend against common and significant threats.<\/p>\n\n\n\n As cybercriminals continue to evolve their strategies, organizations must assess their security measures, minimize risks, and guarantee the efficiency of their defenses against growing ransomware and cyber attacks. Implementing a comprehensive and layered security approach will help strengthen organizations\u2019 systems, secure critical data, and stop potentially disastrous ransomware assaults.<\/p>\n\n\n\n Read next: Network Protection: How to Secure a Network<\/a><\/strong><\/p>\n\n\n\n
Clop, Others Continue MOVEit Attacks<\/h2>\n\n\n\n
![\"Microsoft](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2023\/06\/figure_a-microsoft_threat_intelligence.png\")
<\/figure>\n\n\n\nKey Steps to Mitigate MOVEit Risk<\/h2>\n\n\n\n
\n