HC3 alert detects Clop group allegedly targeting healthcare sector using GoAnywhere MFT vulnerability 

The U.S. Department of Health & Human Services Health Sector Cybersecurity Coordination Center (HC3) said that Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. The latest HC3 sector alert follows earlier guidance on the threat group.

The CISA (Cybersecurity and Infrastructure Security Agency) has added the GoAnywhere flaw (CVE-2023-0669) to its public catalog of Known Exploited Vulnerabilities. “The zero-day vulnerability in GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object,” the HC3 alert added. 
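The bug class the alert describes, shown as an added illustration that is not GoAnywhere's code: a pre-authentication servlet that deserializes the request body with no restriction, beside the same endpoint hardened with a JDK deserialization filter (JEP 290). Class and field names are hypothetical; it assumes the javax.servlet API and Java 9 or later.

```java
// Added illustration of the bug class described above; not GoAnywhere code.
// Class and field names are hypothetical; assumes the javax.servlet API and Java 9+.
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// The only object type this endpoint should ever accept (hypothetical).
class LicenseResponse implements Serializable {
    private static final long serialVersionUID = 1L;
    String licenseKey;
}

// BEFORE: a pre-authentication endpoint that deserializes whatever bytes arrive.
// Every Serializable class on the classpath is reachable, so a crafted object
// graph can run code inside readObject() before the cast below is ever reached.
class UnsafeLicenseResponseServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try (ObjectInputStream in = new ObjectInputStream(req.getInputStream())) {
            LicenseResponse lr = (LicenseResponse) in.readObject(); // cast runs too late
            resp.getWriter().println("license key received: " + lr.licenseKey);
        } catch (ClassNotFoundException e) {
            throw new ServletException(e);
        }
    }
}

// AFTER: the same endpoint with a JDK deserialization filter (JEP 290). Only the
// expected class (plus String, for its field) is allowed; "!*" rejects everything
// else before it is instantiated, and the limits bound stream depth and size.
class HardenedLicenseResponseServlet extends HttpServlet {
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "LicenseResponse;java.lang.String;maxdepth=2;maxrefs=8;maxbytes=4096;!*");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try (ObjectInputStream in = new ObjectInputStream(req.getInputStream())) {
            in.setObjectInputFilter(FILTER);            // must be set before readObject()
            LicenseResponse lr = (LicenseResponse) in.readObject();
            resp.getWriter().println("license key received: " + lr.licenseKey);
        } catch (InvalidClassException e) {             // the filter rejected the payload
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "rejected serialized payload");
        } catch (ClassNotFoundException e) {
            throw new ServletException(e);
        }
    }
}
```

The filter alone does not make an unauthenticated endpoint safe; the same fix should also put authentication in front of it, or remove the endpoint where it is not needed.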

An emergency patch (version 7.1.2) for the affected software was released on Feb. 7. The GoAnywhere flaw was added to CISA's Known Exploited Vulnerabilities Catalog on Feb. 10, and as of Feb. 15, CISA had ordered all federal civilian executive branch agencies to patch their systems by Mar. 3. 

“Clop claimed attribution to the early February attack when it informed the technology and computer tutorial website Bleeping Computer that it allegedly stole personal information and protected health information data over the course of 10 days,” the HC3 alert disclosed. “It also stated that it has the ability to encrypt affected healthcare systems by deploying ransomware payloads. The threat actor refused to provide any validation of its claims, and Bleeping Computer additionally could not independently confirm them.” 

For now, while these claims are uncorroborated, Clop continues to exhibit a history of employing trend-setting TTPs across multiple operations. 

HC3’s previous Clop Analyst Note observed that Clop was written to target Windows systems. Subsequently, on Dec. 26, threat research website SentinelLabs observed the first Linux variant of Clop ransomware. “While similar to the Windows variant, the threat actor constructed the bespoke Linux version using the same encryption method and similar process logic. The nascent Linux variant, however, has several flaws, which make it possible to decrypt locked files without paying a ransom. Regardless, the prevalent use of Linux in servers and cloud workloads makes it easy to suggest that Clop could employ this new ransomware campaign to target additional industries, including healthcare,” the HC3 alert added. 

Clop (sometimes styled as 'Cl0p') has been active since February 2019, when its first observed attack campaign was run by the threat group TA505. Its characteristic ransomware-as-a-service (RaaS) TTP makes it one of the most successful ransomware groups of the past few years. Unlike other RaaS groups, Clop unabashedly and almost exclusively targets the healthcare sector. 

The HC3 alert said that in 2021 alone, 77 percent (959) of its attack attempts were on this critical infrastructure industry. “Clop appeared to suffer a major setback in June 2021 when law enforcement arrested six individuals in Ukraine linked to the group. Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector,” it added. 

Evidently, the incident is by no means an isolated one for this industry. "Healthcare is particularly vulnerable to cyberattacks, owing to their high propensity to pay a ransom, the value of patient records, and often inadequate security," according to the HC3 alert.

In 2022, 24 hospitals and multi-hospital healthcare systems were attacked, and more than 289 hospitals were potentially impacted by ransomware attacks, the HC3 said. “Clop’s alleged attack this year only further exacerbates an ever-growing trend to target the healthcare industry, and highlights its vulnerabilities to future cyberattacks.” 

The HC3 alert pointed to the fact that the developers of the software initially warned clients of the remote code execution vulnerability in early February. However, before the emergency patch was delivered, users had to create a (free) account to view the initial security advisory. "The use of a customer portal to view the advisory was heavily criticized by cybersecurity experts. Ben Krebs, who first detected details of the zero-day vulnerability on 02 February, publicized its details and the full text of the security advisory on the social media sharing platform Mastodon," it added. 

In addition to existing recommendations, the HC3 alert advised that the healthcare industry acknowledge the ubiquitous threat of cyberwar against it, and recommended that its cybersecurity teams take certain steps. These include educating and training staff to reduce the risk of social engineering attacks via email and network access; assessing enterprise risk against all potential vulnerabilities and prioritizing implementation of the security plan with the necessary budget, staff, and tools; and developing a cybersecurity roadmap that everyone in the healthcare organization understands. 

Furthermore, the HHS’ Office for Civil Rights (OCR) provides links to online government resources, including general information, frequently asked questions, tips, and a ransomware readiness self-assessment, to proactively and reactively aid healthcare organizations. The probability of cyber threat actors like Clop targeting the healthcare industry remains high. 

The HC3 alert said that prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyber attack remains the best way forward for healthcare organizations.

Last month, the HC3 reported that several cyber threats targeting the healthcare and public health sector continued well into the fourth quarter of last year. The HC3 bulletin also highlights some of the alerts, briefs, and other guidance on vulnerabilities, threat groups, and technical data of interest to the health sector and public health community during the reporting period.
