HC3 issues fresh sector alert warning of data breaches from Cl0p, Lockbit ransomware groups

The Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health & Human Services (HHS) issued a fresh sector alert on Friday, warning organizations about two ransomware-as-a-service (RaaS) groups, Cl0p and Lockbit. These groups have recently conducted several distinct attacks, exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669).

The Cybersecurity and Infrastructure Security Agency (CISA) added the latter two vulnerabilities to its Known Exploited Vulnerabilities Catalog but has not yet added the first, the alert disclosed. “This Sector Alert follows previous HC3 products on Cl0p (Cl0p Allegedly Targeting Healthcare Industry and Cl0p Ransomware) and Lockbit (Lockbit ransomware, LockBit 3.0, and LockBit 2.0 IOCs) and provides an update on the recent attacks, and recommendations to detect and protect against future ransomware attacks,” it added. 

Since CISA added the CVE-2023-0669 flaw to its Known Exploited Vulnerabilities catalog, the affected vendor has completed its investigation into the earlier 10-day exploitation of the vulnerability in its GoAnywhere MFT software, the HC3 alert noted. “Cl0p utilized the vulnerability to create unauthorized user accounts in some MFTaaS customer environments, using some of the accounts to download files.”

It further added that the hacker then deployed two additional tools (‘Netcat’ and ‘Errors[dot]jsp’), with only some of the installation attempts recorded as being successful. “Netcat, a legitimate program for managing reading and writing data over a network, can be used to establish back doors, conduct port scanning, or transfer files between a compromised system and its server. The JavaServer Pages (JSP) file is used for creating dynamic web pages. However, it is still unknown how the file was used in the attacks,” according to the HC3 alert. 

Industry experts also attributed the increase in ransomware attacks this past March to the exploitation of the GoAnywhere MFT vulnerability. “There was a 91% increase in attacks since February 2023, with 459 attacks recorded in March alone. Of those attacks, Cl0p targeted 129 victims.”

Furthermore, unlike other RaaS groups, Cl0p unabashedly and almost exclusively targets the healthcare sector, according to the HC3. “In the calendar year 2021 alone, 77% (959) of its attack attempts were on this critical infrastructure industry. The attacks in March of this year mark the second time that the threat group known as LockBit has been knocked off the top spot since September 2021,” it added. 

HC3 pointed out that as early as Apr. 13, 2023, Microsoft attributed exploitations on a software company’s servers to the RaaS group known as Cl0p. “On April 19, the printing management software company revealed the vulnerabilities in the widely used PaperCut MF/NG print management software and urged administrators to upgrade their servers to the latest versions (20.1.7, 21.2.11, and 22.0.9 and later). The software developer claims that its software is used by more than 100 million users from over 70,000 companies worldwide,” it added. 

On April 21, CISA added the CVE-2023-27350 flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure their systems against ongoing exploitation within three weeks by May 12, 2023, HC3 added. 

HC3 flagged that on April 26, Microsoft revealed that both RaaS groups, Cl0p and LockBit, were behind the attacks and used them to steal corporate data from vulnerable servers. “They disclosed that the Cl0p ransomware used was traced to the threat actor known as Lace Tempest, and overlapped with FIN11 and TA505, both linked to the ransomware operation. In its exploits, the threat actor deployed TrueBot malware, which has also been previously linked to Cl0p,” it added. 

Additionally, Microsoft said that some of the intrusions have led to LockBit ransomware attacks, the HC3 alert identified. “However, industry experts report that it is unclear whether or not the attacks began after the exploits were publicly released.”

These recent attacks follow a pattern of Cl0p of stealing data to extort companies into paying a ransom, HC3 said. “This trend was first identified in 2020 when the RaaS group stole data from approximately 100 companies by exploiting an Accellion FTA zero-day vulnerability. As noted in a recent HC3 Sector Alert, in early February, Cl0p also claimed attribution for a mass attack on more than 130 organizations, including those in the healthcare sector, using a zero-day vulnerability in secure file transfer software, GoAnywhere MFT,” the current alert added.

Last month, the Health Information Sharing and Analysis Center (Health-ISAC), Microsoft’s Digital Crimes Unit (DCU), and cybersecurity software company Fortra announced that they were taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which cybercriminals used to distribute malware, including ransomware. They assessed that while the scope is greater and the operation more complex, it also marks a change in how DCU has worked in the past: instead of disrupting the command and control of a malware family, this time the action is aimed at removing illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals.

Security researchers advise administrators unable to promptly patch their servers to take measures to prevent remote exploitation for the CVE-2023-27351 and CVE-2023-27350 vulnerabilities, the HC3 alert said. “This includes blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server’s firewall to restrict management access solely to the server and prevent potential network breaches. For the CVE-2023-0669 vulnerability, the company recommends that users rotate the Master Encryption Key, reset all credentials, review audit logs, and delete any suspicious administrator or user accounts,” it added.
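The interim mitigation quoted above, restricting the PaperCut web management port to the server itself, is only effective if the listener is not exposed and the host firewall rules are actually ordered correctly (iptables matches the first rule, so an unrestricted ACCEPT placed before the DROP defeats the control). The POSIX shell script below is an added example, not part of the HC3 alert or of PaperCut's own guidance: it parses `ss -tln` output to report non-loopback listeners on a port, and audits `iptables -S INPUT` output to confirm that every ACCEPT for the port is limited to loopback (or one assumed admin CIDR) and that an unconditional DROP/REJECT for the port exists. The sample socket and rule listings are constructed for the demonstration; the port 9191 default comes from the alert.

```shell
#!/bin/sh
# Added example: verify that a management port (PaperCut default 9191) is not
# reachable from outside the server. Sample data below is constructed.

# Constructed `ss -tln` output: 9191 bound on all interfaces (exposed),
# 9192 bound on loopback only, sshd on IPv6 any-address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:9191        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9192      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# Constructed `iptables -S INPUT` output that matches the alert's advice:
# loopback may reach 9191, everything else to 9191 is dropped.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j DROP'

# Constructed ruleset with a common mistake: an unrestricted ACCEPT is
# matched first, so the DROP after it never fires.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j DROP'

# exposed_listeners PORT  (stdin: `ss -tln` output)
# Prints each non-loopback local address on which PORT is listening.
exposed_listeners() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); addr = a[1]; lport = a[n]
      if (n > 2) { addr = $4; sub(/:[0-9]+$/, "", addr) }   # IPv6 form [::]:port
      if (lport == p && addr != "127.0.0.1" && addr != "[::1]") print addr
    }'
}

# port_rules_ok PORT [ADMIN_CIDR]  (stdin: `iptables -S INPUT` output)
# Exit 0 only if (a) every ACCEPT for PORT comes from 127.0.0.1/32 or the
# optional ADMIN_CIDR (an assumed allowlist, e.g. a management subnet), and
# (b) an unconditional DROP or REJECT for PORT is present before any wider
# ACCEPT. Exit 1 otherwise.
port_rules_ok() {
  awk -v p="$1" -v allow="$2" '
    {
      dport = ""; target = ""; src = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
        if ($i == "-s")      src = $(i + 1)
      }
      if (dport != p) next
      if (target == "ACCEPT") {
        if (src != "127.0.0.1/32" && !(allow != "" && src == allow)) bad = 1
      } else if ((target == "DROP" || target == "REJECT") && src == "") {
        dropped = 1
      }
    }
    END { exit (dropped && !bad) ? 0 : 1 }'
}

# Stand-alone run against the constructed samples; on a real host replace
# the samples with `ss -tln` and `iptables -S INPUT`.
main() {
  echo "Non-loopback listeners on 9191:"
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners 9191
  printf '%s\n' "$GOOD_RULES" | port_rules_ok 9191 && echo "GOOD_RULES: port 9191 locked down"
  printf '%s\n' "$BAD_RULES"  | port_rules_ok 9191 || echo "BAD_RULES: port 9191 still reachable"
}
[ "${0##*/}" = "sh" ] || main
```

The listener check matters even with correct firewall rules: if the application can be bound to 127.0.0.1 instead of 0.0.0.0, that removes the exposure regardless of later firewall changes, and the edge-device block recommended in the alert should be verified the same way from an external vantage point.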

Last week, the HHS’ Food and Drug Administration (FDA) and CISA published separate advisories regarding a remotely exploitable, low-complexity vulnerability in Illumina Universal Copy Service (UCS) software, which is deployed globally across the healthcare and public health sector.

The two security vulnerabilities can lead to binding to an unrestricted IP address and execution with unnecessary privileges. The FDA disclosed that software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments had been affected.
