By Maine Basan
Nearly half of EDR tools and organizations are vulnerable to Clop ransomware gang tactics, according to tests by a cybersecurity company.
Cymulate ran 3,107 assessments across 340 organizations recently to see if security controls were adequate against the Clop (sometimes called “Cl0p” with a zero) ransomware group’s exploitation of a MOVEit software vulnerability (CVE-2023-34362).
The continuous threat exposure management (CTEM) vendor tested to see if organizational controls would recognize the Indicators of Compromise (IoCs) of Clop ransomware attacks. What they found was alarming:
- Out of 14,438 payloads sent, 43% of organizations in the U.S. were penetrated by Cymulate’s Clop ransomware assessments
- Half of the endpoint detection and response (EDR) tools tested — 8 out of 16 tools — had a penetration rate of over 46%
Mike DeNapoli, Cybersecurity Architect and Director at Cymulate, told eSecurity Planet, “While the EDRs could possibly recognize the behavior of the attack if it was executed, which Cymulate can do in other modules, they did not recognize the known binaries used in the attacks. So … the EDR missed an indicator of compromise, and while it may have compensated for it later, the firewall should have stopped inbound/outbound traffic but failed to do so.”
Organizations can still be protected even if their EDR technologies only identify attack patterns rather than individual files, he said.
“The MOVEit vulnerability is shining a new light on exposure management because if the organization has an EDR tool that looks for the behaviors of these attacks but not the files themselves, then they’re still protected,” DeNapoli said.
He added, “If the organization does not have any of the software platforms targeted by these attacks, like the MOVEit platform, then they are also safe even if they didn’t block the indicators of compromise — the attackers don’t have anything to leverage in order for the attack to work in the first place.”
Clop, Others Continue MOVEit Attacks
The Clop ransomware gang’s exploitation of a vulnerability in Progress Software’s MOVEit managed file transfer (MFT) system has hit dozens of major organizations so far, among them Abbie, Aer Lingus, the BBC, British Airways, the California Public Employees’ Retirement System, Johns Hopkins University, New York City public schools, Schneider Electric, Shell, Siemens, UCLA, the University of Rochester, the U.S. Department of Energy, and the U.S. Department of Health and Human Services.
However, instead of the typical ransomware tactics, Clop, aka Lace Tempest, has used the SQL injection vulnerability to steal sensitive data and threaten to release it unless a ransom is paid.
The U.S. Government has offered a $10 million reward for information on the threat actors.
Cybersecurity experts have discovered extensive use of the zero-day vulnerability in MOVEit Transfer. Multiple threat actors — many of whom overlap or are used interchangeably — have been linked to the vulnerability, including FIN11, TA505, and Lace Tempest. While FIN11 and TA505 have been used interchangeably in the past, Mandiant classifies FIN11 as a subset of activity inside the TA505 group. Additionally, Lace Tempest, which runs the Clop extortion site, is also affiliated with FIN11.
“Lace Tempest (Storm-0950, overlaps w/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files,” Microsoft notes.
The cybercriminals started exploiting the vulnerability on May 27th, during the U.S. Memorial Day holiday. Lace Tempest has a track record of exploiting different zero-day vulnerabilities to steal data and extort victims.
TA505 is well-known for its involvement in global phishing and malware dissemination. Their victims include hundreds of companies worldwide, and they engage in various illegal activities, including providing ransomware-as-a-service, acting as an initial access broker, and orchestrating large-scale phishing assaults and financial fraud. This recent exploitation expands their repertoire, highlighting their ability to hack and steal critical data through the MOVEit Transfer web applications with the LEMURLOOT web shell.
Another significant threat actor, FIN11, has been involved in a number of high-profile infiltration efforts that leverage zero-day vulnerabilities. The group targeted pharmaceutical companies and other healthcare institutions during the COVID-19 pandemic. Its activities primarily target corporations in various industries in North America and Europe, with the goal of stealing data and deploying ransomware using Clop.
The Clop gang’s exploitation of the MOVEit vulnerability has become a critical issue, causing concerns among several organizations about their own security procedures as well as their vulnerability to similar cyber assaults.
Key Steps to Mitigate MOVEit Risk
In light of the Clop ransomware attacks and similar threats, the FBI and CISA published a joint advisory recommending the following mitigation measures for organizations:
- Inventory and Asset Management: Conduct an asset and data inventory, differentiating between authorized and unauthorized equipment and software.
- Credential Protection: Prevent credential compromise by placing domain admin accounts in the Protected Users group, avoiding plaintext credentials in scripts, and providing time-based access for privileged accounts.
- Administrative Privileges and Software Control: Restrict administrative rights and access to just those that are absolutely necessary, and create a list of authorized software that only allows the execution of genuine programs.
- Backup and Restoration: Keep offline backups of data and test backup and restore on a regular basis. Ensure backup data is encrypted, immutable, and covers the organization’s entire data infrastructure.
- Endpoint Security: Install and update antivirus software on all hosts.
- Network Security: Monitor network ports, protocols, and services by activating security settings on network infrastructure devices such as firewalls and routers. Segment networks to regulate traffic flows and contain ransomware outbreaks. Use network monitoring tools to identify suspicious activity and lateral movement of malware. Disable unused ports, consider adding a banner to emails received from outside the organization, and disable hyperlinks in received emails.
- Password Policies: Enforce NIST password policy requirements, such as longer passwords and the use of password managers. Disable password hints and avoid requiring frequent password changes.
- PowerShell Security: Restrict PowerShell usage and update to the latest version.
- Remote Access Security: Limit remote access from within the network to approved solutions (e.g., VPNs, VDIs). Use security software to detect instances of remote access software loaded in memory. Block inbound and outbound connections on common remote access software ports. Implement application controls and allowlisting for remote access programs. Limit the use of RDP and adhere to recommended practices (for example, auditing, closing unused ports, and MFA).
- Software and Patch Management: Consistently update and patch software and applications to the latest versions, and perform vulnerability assessments on a regular basis. Patch operating systems, software, and firmware promptly.
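As an added illustration of the credential-protection item above (this is not code from the FBI/CISA advisory, Cymulate, or the article), the following PowerShell check lists privileged accounts that are not yet members of the Protected Users group; it assumes the RSAT ActiveDirectory module is installed and uses the built-in group names, with the audited group list being an assumption you would extend to your own Tier-0 groups.

```powershell
# Added example: audit privileged accounts that are missing from Protected Users.
# Assumes the RSAT ActiveDirectory module and the built-in AD group names below.
Import-Module ActiveDirectory

# Privileged groups to audit (assumption: extend with your own Tier-0 groups).
# 'Enterprise Admins' only exists in the forest root domain, so missing groups are skipped.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Collect the SIDs of every user already covered by Protected Users (nested groups included).
$protectedSids = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SID.Value }

# For each privileged group, report user members whose SID is not in the protected set.
$findings = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' -and $protectedSids -notcontains $_.SID.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Group         = $group
                Account       = $_.SamAccountName
                ProtectedUser = $false
            }
        }
}

if ($findings) {
    # One row per account, even if it is privileged through several groups.
    $findings | Sort-Object Account -Unique | Format-Table -AutoSize
} else {
    'All audited privileged accounts are members of Protected Users.'
}
```

Run it from an account that can read group membership; accounts it lists are candidates for Protected Users membership, subject to the usual caveats that Protected Users blocks NTLM, DES/RC4 Kerberos, and delegation for those accounts.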
These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and NIST. The CPGs are based on current cybersecurity frameworks and recommendations, and they provide a set of minimum procedures and policies to defend against common and significant threats.
As cybercriminals continue to evolve their strategies, organizations must assess their security measures, minimize risks, and guarantee the efficiency of their defenses against growing ransomware and cyber attacks. Implementing a comprehensive and layered security approach will help strengthen organizations’ systems, secure critical data, and stop potentially disastrous ransomware assaults.