In recent times, there have been several reports about the CL0P ransomware gang exploiting the MOVEit Transfer application.
CISA and the FBI have published a joint Cybersecurity Advisory covering the CL0P ransomware gang's TTPs (Tactics, Techniques, and Procedures), IoCs (Indicators of Compromise), and recommended mitigations.
Most of these exploitations targeted internet-facing MOVEit Managed File Transfer (MFT) deployments.
Modus Operandi of Ransomware Gang
CL0P has operated as a Ransomware-as-a-Service (RaaS) and as an affiliate of other RaaS groups.
This threat actor has also acted as an Initial Access Broker (IAB), selling entry into organizations to other threat actors. The initial access is typically obtained through a phishing campaign.
Between 2020 and 2021, they exploited multiple zero-day vulnerabilities in Accellion FTA servers and installed a web shell named DEWMODE.
Their most recent exploitation was of an SQL injection vulnerability in the MOVEit Transfer application, which led to infections on dozens of computers worldwide.
The malware used by the TA includes:
A complete list of exploits and methodologies was published jointly by CISA and the FBI, including TTPs, impact, IoCs, and other important information.
Mitigations
- Review and monitor all remote access execution logs.
- Limit the use of RDP and other remote desktop services.
- Audit user accounts and their privileges.
- Implement time-based access.
- Disable hyperlinks in emails.
- Keep software up to date.
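As an added illustration of the first and fourth mitigations above (reviewing remote access logs and enforcing time-based access), and not code from the CISA/FBI advisory or this article: a small Python review script that applies a time-of-day policy, an account allowlist and an internal-network check to remote logon records. The log line format, the business-hours window, the allowlist and the 10.0.0.0/8 internal range are all assumptions constructed for this example.

```python
"""Review remote logon records against a time-based access policy.

Added example, not part of the advisory. The log format and every
policy value below are assumptions constructed for illustration.
"""
from datetime import datetime, time
import ipaddress

# Constructed sample log lines (not from any real system):
# <ISO timestamp> <user> <source IP> <logon type>
SAMPLE_LOG = """\
2023-06-05T09:12:44 alice 10.0.0.15 RemoteInteractive
2023-06-05T23:47:03 svc-backup 10.0.0.22 RemoteInteractive
2023-06-06T02:15:10 bob 203.0.113.7 RemoteInteractive
2023-06-06T14:30:00 carol 10.0.0.31 RemoteInteractive
"""

# Policy values are assumptions for this example, not values from the advisory.
ALLOWED_WINDOW = (time(8, 0), time(18, 0))          # time-based access: business hours only
ALLOWED_REMOTE_USERS = {"alice", "carol"}            # output of an account/privilege audit
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # remote access expected only from this range


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, user, src, logon_type = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "src": ipaddress.ip_address(src),
        "type": logon_type,
    }


def review_remote_logons(log_text, window=ALLOWED_WINDOW,
                         allowed_users=ALLOWED_REMOTE_USERS,
                         internal_net=INTERNAL_NET):
    """Return (user, timestamp, reasons) for every logon that violates policy.

    A logon is flagged when it falls outside the allowed window, when the
    account is not on the audited remote-access allowlist, or when the
    source address is outside the expected internal range.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if not (window[0] <= ev["ts"].time() <= window[1]):
            reasons.append("outside allowed hours")
        if ev["user"] not in allowed_users:
            reasons.append("user not on remote-access allowlist")
        if ev["src"] not in internal_net:
            reasons.append("source outside internal range")
        if reasons:
            findings.append((ev["user"], ev["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in review_remote_logons(SAMPLE_LOG):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Run against the constructed sample, the script flags the two after-hours logons (one from an unlisted service account, one from an external address) and passes the two business-hours logons by allowlisted users. In practice the window, allowlist and network range would come from the organization's access policy, and the parser would be replaced by one for the actual remote-access product's log format.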