CISA, FBI warn organizations that CL0P ransomware group exploits MOVEit Transfer vulnerability

U.S. agencies disclosed in a joint cybersecurity advisory (CSA) that the CL0P ransomware gang, also known as TA505, is reportedly exploiting a previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer. The agencies note that the speed and ease of exploitation have allowed the CL0P group to take advantage of this vulnerability and, based on the group’s past campaigns, they expect to see widespread exploitation of unpatched software services in both private and public networks.

“According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer,” according to the advisory published Wednesday by the Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

“Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases,” the advisory said. “In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.” 

The CISA-FBI advisory said that TA505, considered to be one of the largest phishing and malspam distributors worldwide, is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations. “TA505 has operated a RaaS and has acted as an affiliate of other RaaS operations, as an initial access broker (IAB), selling access to compromised corporate networks, as a customer of other IABs, and as a large botnet operator specializing in financial fraud and phishing attacks,” it added.

In a LinkedIn post, the FBI wrote that “we expect to see these actors continue to exploit it on a widespread scale if mitigations aren’t implemented. The joint CSA explains the vulnerability’s technical details, detection methods, and mitigations for network defense.”

The advisory said that CL0P appeared in February 2019, evolving from the CryptoMix ransomware variant, and was leveraged as Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses. “CL0P was previously known for its use of the ‘double extortion’ tactic of stealing and encrypting victim data, refusing to restore victim access and publishing exfiltrated data on Tor via the CL0P^_-LEAKS website,” it added.

“In 2019, TA505 actors leveraged CL0P ransomware as the final payload of a phishing campaign involving a macro-enabled document that used a Get2 malware dropper for downloading SDBot and FlawedGrace,” according to the advisory. “In recent campaigns beginning 2021, CL0P preferred to rely mostly on data exfiltration over encryption. Beyond CL0P ransomware, TA505 is known for frequently changing malware and driving global trends in criminal malware distribution.” 

According to the advisory, in a campaign from 2020 to 2021, TA505 used several zero-day exploits to install a web shell named DEWMODE on internet-facing Accellion FTA servers. “Similarly, in the recent exploitation of MOVEit Transfer, a SQL injection vulnerability was used to install the web shell, which enabled TA505 to execute operating system commands on the infected server and steal data.”

“In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as CVE-2023-0669, to target the GoAnywhere MFT platform,” the advisory disclosed. “The group claimed to have exfiltrated data from the GoAnywhere MFT platform that impacted approximately 130 victims over the course of 10 days. Lateral movement into the victim networks from the GoAnywhere MFT was not identified, suggesting the breach was limited to the GoAnywhere platform itself.” 

It added that over the next several weeks, as the exfiltrated data was parsed by the group, ransom notes were sent to upper-level executives of the victim companies, likely identified through open-source research. The ransom notes threatened to publish the stolen files on the CL0P data leak site if victims did not pay the ransom amount.

The advisory outlined that CL0P’s toolkit contains several malware types to collect information, including the FlawedAmmyy/FlawedGrace remote access trojan (RAT), which collects information and attempts to communicate with the command and control (C2) server to enable the download of additional malware components. It also covered the SDBot RAT, which propagates the infection by exploiting vulnerabilities and dropping copies of itself on removable drives and network shares; and Truebot, a first-stage downloader module that can collect system information and take screenshots.

CL0P’s toolkit also contains Cobalt Strike, which is used to expand network access after gaining access to the Active Directory (AD) server; DEWMODE, a web shell written in PHP that targets Accellion FTA devices, interacts with the underlying MySQL database, and is used to steal data from the compromised device; and LEMURLOOT, a web shell written in C# that targets the MOVEit Transfer platform. The web shell authenticates incoming HTTP requests using a hard-coded password and can run commands that download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, and create, insert, or delete a particular user. When responding to a request, the web shell returns data in gzip-compressed format.

MOVEit is used to manage an organization’s file transfer operations and has a web application that supports MySQL, Microsoft SQL Server, and Azure SQL database engines, the advisory outlined. “In May 2023, the CL0P ransomware group exploited a SQL injection zero-day vulnerability CVE-2023-34362 to install a web shell named LEMURLOOT on MOVEit Transfer web applications. The web shell was initially observed with the name human2[dot]aspx in an effort to masquerade as the legitimate human[dot]aspx file present as part of MOVEit Transfer software.” 

It added that upon installation, “the web shell creates a random 36-character password to be used for authentication. The web shell interacts with its operators by awaiting HTTP requests containing a header field named X-siLock-Comment, which must have a value assigned equal to the password established upon the installation of the web shell.”
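A defender-side triage check built from the two details above (the human2.aspx file name and the X-siLock-Comment header carrying the 36-character password). This is an added example, not code from the advisory or from Progress Software; it assumes a reverse proxy or WAF in front of MOVEit Transfer that writes request headers into a JSON-per-line access log, with constructed field names and constructed sample entries.

```python
import json
import re

# Constructed reverse-proxy access log, one JSON object per line. Field names
# ("ts", "src", "method", "path", "status", "headers") are assumptions, not a
# real product's format, and the proxy is assumed to log request headers.
SAMPLE_LOG = """\
{"ts":"2023-06-01T10:00:01Z","src":"203.0.113.10","method":"GET","path":"/human.aspx","status":200,"headers":{}}
{"ts":"2023-06-01T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/human2.aspx","status":200,"headers":{"X-siLock-Comment":"b6d2b1b5-4c3e-4f9a-9d0a-2c6e7a8f1b23"}}
{"ts":"2023-06-01T10:00:09Z","src":"198.51.100.7","method":"GET","path":"/human.aspx","status":200,"headers":{"X-siLock-Comment":"probe"}}
{"ts":"2023-06-01T10:00:12Z","src":"192.0.2.44","method":"GET","path":"/human.aspx","status":302,"headers":{"User-Agent":"Mozilla/5.0"}}
"""

# LEMURLOOT was observed as human2.aspx, masquerading as the legitimate human.aspx.
WEBSHELL_NAME = re.compile(r"/human2\.aspx$", re.IGNORECASE)
# Operators reach the web shell through this header, which carries the password.
OPERATOR_HEADER = "x-silock-comment"
PASSWORD_LENGTH = 36  # the advisory describes a random 36-character password


def classify(entry):
    """Return the list of LEMURLOOT indicators matched by one log entry."""
    reasons = []
    if WEBSHELL_NAME.search(entry["path"]):
        reasons.append("request to human2.aspx (LEMURLOOT file name)")
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    if OPERATOR_HEADER in headers:
        note = "X-siLock-Comment header present"
        if len(headers[OPERATOR_HEADER]) == PASSWORD_LENGTH:
            note += " with 36-character value (web shell password length)"
        reasons.append(note)
    return reasons


def find_indicators(log_text):
    """Scan newline-delimited JSON log entries and return the suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "src": entry["src"],
                         "path": entry["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["path"], "; ".join(hit["reasons"]))
```

Any hit on the header is worth escalating even when the value is not 36 characters long, since legitimate clients have no reason to send it; the file-name check only catches the name observed so far, so pair it with a review of unexpected .aspx files in the MOVEit web root.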

The CISA and FBI recommend organizations implement the mitigations below to improve their organization’s security posture in response to threat actors’ activity. These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.

Organizations have been called upon to reduce the threat of malicious actors using remote access tools by auditing these tools on the network to identify currently used and/or authorized software, reviewing logs for the execution of remote access software, using security software to detect instances of remote access software being loaded only in memory, requiring authorized remote access solutions, and blocking both inbound and outbound connections.

The advisory also suggests implementing application controls to manage and control the execution of software, including allowlisting remote access programs; limiting the use of RDP and other remote desktop services; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; reviewing domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts; and auditing user accounts with administrative privileges and configuring access controls according to the principle of least privilege.

Commenting on these developments, Amit Yoran, chairman and CEO at Tenable, wrote in an emailed statement that Russian cyber gang Clop’s move to demand victims negotiate the ransom for their data isn’t new or surprising. “Many organisations end up paying the ransom. Organisations that use MOVEit software should assume risk and engage in incident response to determine the potential impact, if any. Russia’s cyberwar is changing the way criminals launch their attacks, and now we’re seeing the widespread effect this is having on critical national infrastructure, as hungry cyber criminals exploit vulnerabilities.”

“This is just the start of organisations revealing they’ve been impacted and we can expect to see many more businesses and governments impacted, especially those not aggressively addressing known vulnerabilities,” according to Yoran. “Vulnerabilities are disclosed every day, with threat actors just waiting to see if they can be weaponised and monetised. Instead of waiting to be attacked and then responding, it’s vital that security teams take a proactive approach by improving their cyber hygiene. The need to proactively manage risk to the business has never been more critical nor more obvious.” 

Last month, the Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) issued a fresh sector alert, warning companies about two ransomware-as-a-service (RaaS) groups, Cl0p and Lockbit. These hackers have recently conducted several distinct attacks, exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669). In February, the HC3 said that Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT.
