Paradigm shift for ransomware: File transfer solutions in Cl0p's crosshairs
Complion Expert:innen für IT-Sicherheit betreuen seit 2018 das Cyber Security Competence Center (CSCC) von Voice e.V. und warnen dort die Mitgliedsunternehmen vor Bedrohungen durch Hackergruppen und geben Handlungsempfehlungen zur Mitigation von Sicherheitslücken in Hard- und Software. Im zweiten Quartal 2023 setzte sich ein Hacking-Trend weiter fort: der Angriff auf Unternehmen via Software-Lösungen zum Datentransfer. Während es im ersten Quartal noch die Fortra GoAnywhere MFT-Lösung traf, war es nun MOVEit Transfer von Ipswitch. Die Kampagne sollte mehr als 150 Organisationen treffen. Wer hinter dieser Angriffswelle steckte und wie die Attacken von Statten gingen, erfahren Sie im folgenden Blog-Beitrag.
The devil painted on the wall
In the CSCC's first quarter report, our IT security experts already identified a trend: attacks on file transfer solutions will continue to be a formidable gateway for ransomware groups. The attack on enterprises via a vulnerability in Fortra's GoAnywhere MFT by the Cl0p ransomware in February proved extremely efficient and lucrative for the group. Over 130 (over 1,000 according to the Cl0p gang) organizations were compromised - all by exploiting a single vulnerability. The vulnerability was a so-called zero-day vulnerability, meaning that the malicious actor knew about the vulnerability before the vendor did and, in this case, could even exploit it before a patch was released. Once exploited, attackers were able to execute malicious code on the administrator console. At the end of the attack was data exfiltration. An attack method that was so efficient that Cl0p would further develop it for further attacks on other file transfer software...
The gap in Ipswitch MOVEit Transfer
Cl0p found the next vulnerability in a solution from the developer Ipswitch. The vulnerability is now listed as CVE-2023-34362. It allows an unauthenticated attacker to view confidential information and execute arbitrary SQL statements, which includes modifying deletion of items. By exploiting the vulnerability, attackers can list and read all files in files in memory, steal credentials and also read secrets for configured Azure Blob Storage containers using the LEMURLOOT web shell. The developer Ipswitch itself did not seem to have wind of the vulnerability's existence yet, which made it all the easier for Cl0p to compromise initial enterprises and government agencies.
Cl0p celebrates Memorial Day
On 27.05.2023, Memorial Day weekend in the US, Cl0p strikes for the first time. The ransomware group had been scanning for potential victims for almost three months beforehand, so a long list of targets was already available to the hackers. Over 100 organizations were compromised in the first few days, data was stolen, and subsequent publication was threatened. In Germany, the AOK local health insurance funds of Baden-Württemberg, Bavaria, Bremen, Hesse, Lower Saxony, Rhineland-Palatinate/Saarland, Saxony-Anhalt, Saxony and Thuringia, as well as the AOK Bundesverband, were initially confirmed to have been affected. In the British Isles, the BBC, Aer Lingus and British Airways were affected. Shell Oil, the US Department of Energy, PwC, Zurich Insurance Group and Verivox were added to the list in the following weeks.
The campaign was planned from a long time. The previous wave of attacks against GoAnywhere MFT was also part of the Cl0p group's strategy. It had reportedly been experimenting with ways to compromise file transfer services since the summer of 2021. This again shows how organized crime can operate on the Internet over the long term. R&D in cybercrime spans years, then generates the highest possible ROI at "product launch."
Adversaries are patient and have the resources to pose a long-term threat through previous as well as constant operations. In the event of an emergency, it is important to execute a well-rehearsed IT security incident response plan. Consistent patch management as well as awareness trainings in the team and the reference of threat intelligence to early warning help to avoid emergencies.
Complion offers versatile services in the area of IT security. You can find an insight into our portfolio here: https://complion.de/was-machen-wir/cybersecurity
Author: Tobias Philipsen