The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint cybersecurity advisory to disseminate known CL0P ransomware Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations as recently as June 2023.

The advisory, which is published as part of the #StopRansomware programme, is entitled #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability and is available here.

Cl0p ransomware security advisory

Cl0p & MOVEit

According to open source information, beginning on May 27, 2023, the CL0P Ransomware Gang (a.k.a. TA505) began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer.

Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.

Not new activity

The attack against MOVEit has been highly successful for CL0P, but managed file transfer software is not a new target for the gang.

Having surfaced sometime in early 2019 as an evolution of the CryptoMix ransomware variant, CL0P was leveraged as Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses.

TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

CL0P is known for its use of the “double extortion” tactic of stealing and encrypting victim data, refusing to restore victim access and then publishing the stolen data via the CL0P^_-LEAKS website.

Beyond the CL0P ransomware, TA505 is known for frequently changing malware and driving global trends in criminal malware distribution. Considered to be one of the largest phishing and malspam distributors worldwide, TA505 is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations.