US-CERT- #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

Started by Netwörkheäd, July 17, 2023, 06:05:33 PM


Netwörkheäd

#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability


Updated June 16, 2023


This CSA is being re-released to remove old Fortra GoAnywhere Campaign IP addresses and to add new IP addresses. See the update below.


End of Update


SUMMARY


Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.


According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362, https://nvd.nist.gov/vuln/detail/CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.


FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents.


Download the PDF version, STIX and JSON file for this report:


  • AA23-158A PDF (PDF, 740.97 KB): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf

  • AA23-158A STIX XML (XML, 165.28 KB): https://www.cisa.gov/sites/default/files/2023-06/16109762.stix_.xml


TECHNICAL DETAILS


Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See MITRE ATT&CK for Enterprise (https://attack.mitre.org/versions/v12/matrices/enterprise/) for all referenced tactics and techniques.


Appearing in February 2019, and evolving from the CryptoMix ransomware variant, CL0P was leveraged as a Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses. CL0P was previously known for its use of the 'double extortion' tactic of stealing and encrypting victim data, refusing to restore victim access and publishing exfiltrated data on Tor via the CL0P^_-LEAKS website. In 2019, TA505 actors leveraged CL0P ransomware as the final payload of a phishing campaign involving a macro-enabled document that used a Get2 malware dropper for downloading SDBot and FlawedGrace. In recent campaigns beginning 2021, CL0P preferred to rely mostly on data exfiltration over encryption.


Beyond CL0P ransomware, TA505 is known for frequently changing malware and driving global trends in criminal malware distribution. Considered to be one of the largest phishing and malspam distributors worldwide, TA505 is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations.


TA505 has operated:


  • A RaaS and has acted as an affiliate of other RaaS operations,

  • As an initial access broker (IAB), selling access to compromised corporate networks,

  • As a customer of other IABs,

  • And as a large botnet operator specializing in financial fraud and phishing attacks.

In a campaign from 2020 to 2021, TA505 used several zero-day exploits to install a web shell named DEWMODE on internet-facing Accellion FTA servers. Similarly, in the recent exploitation of MOVEit Transfer, a SQL injection vulnerability was used to install the web shell, which enabled TA505 to execute operating system commands on the infected server and steal data.
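Both the Accellion FTA campaign and the MOVEit Transfer campaign described above end the same way on disk: a web shell is written into the web root of an internet-facing application. The following is an added example, not part of the advisory and not code from CISA, the FBI or Progress Software. It is a small baseline-and-diff integrity check in Python: it hashes every file under a web root, stores a manifest, and on a later run flags files that were added or modified and that the web server would execute. The directory layout, the file names (including `example_dropped.aspx`) and the extension list are constructed for the demonstration and are not indicators from the advisory; on a real deployment the baseline would be taken from a known-good install and the check scheduled or triggered by file-change events.

```python
"""Baseline-and-diff integrity check for a web application root (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# File types an ASP.NET web root executes server-side or that change how it
# behaves. A newly appearing or altered file of one of these types is what a
# web-shell drop looks like on disk. Constructed list, not from the advisory.
SERVER_SIDE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its SHA-256 hash."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = file_sha256(entry)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    """Persist the baseline; keep this copy off the web server it describes."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_changes(diff: dict) -> list:
    """Return only the added/modified files that the server would execute."""
    flagged = []
    for kind in ("added", "modified"):
        for rel in diff[kind]:
            if Path(rel).suffix.lower() in SERVER_SIDE_EXTENSIONS:
                flagged.append(f"{kind}: {rel}")
    return flagged


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then drop a new page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default.aspx").write_text("<%@ Page %> legitimate page")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline_file = root.parent / "baseline_manifest.json"
        save_manifest(build_manifest(root), baseline_file)

        # Simulated post-deployment changes: an unexpected server-side page
        # appears (placeholder name, not an IOC) and a static asset changes.
        (root / "example_dropped.aspx").write_text("<%@ Page %> unexpected")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG changed")

        diff = diff_manifest(load_manifest(baseline_file), build_manifest(root))
        baseline_file.unlink()
        return {"diff": diff, "flagged": suspicious_changes(diff)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the `.aspx` addition is flagged; the changed PNG shows up in the diff but is not executable, so it is reported without being escalated. The manifest should be stored and compared from a host the web server cannot write to, since a web shell running as the application account could otherwise rewrite the baseline.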


In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as

Let's not argue. Let's network!