The MOVEit cyber-attack has continued to grow, with more victims being identified every day: an estimated 257 organisations and 17,750,524 individuals had been impacted as of July 11, 2023.
At the same time the Clop ransomware group, which claimed responsibility for the attack, has continued to exploit the vulnerability against large organisations in both the US and the UK, particularly in the financial and education sectors. Following this string of activity, David Wallace, a senior threat intelligence analyst at Sophos, has released a digest on Clop exploring the group's tactics, techniques and procedures.
Clop (or Cl0p), whose name translates to “bedbug” in Russian, is a variant of the CryptoMix ransomware family that was first observed in 2019 and is tracked by MITRE ATT&CK as S0611. Clop has ties to other threat groups such as TA505 and FIN11, and has more recently worked with groups like DarkSide and FIN7 by distributing its ransomware-as-a-service toolkit for those groups to use.
Clop has typically targeted larger companies (over $5m annual revenue) located in North and South America, Europe and Asia-Pacific; however, its recent supply-chain attacks have also hit smaller organisations in other markets. Attacks are commonly timed to begin during holidays.
When Clop was first identified, the group typically gained access through phishing, brute forcing and the exploitation of known vulnerabilities. While not ground-breaking compared to other groups, Clop was one of the first to adopt double extortion, threatening to publish stolen data on its leak site “CL0P^_- LEAKS”, which is reachable only over The Onion Router (Tor) network.
More recently, however, Clop and other groups have been moving away from encrypting data altogether, relying on data theft and the threat of publication alone (the MOVEit campaign, for example, involved no ransomware deployment at all). Clop is also known to email the customers and partners of compromised organisations, urging them to pressure the victim into paying the ransom.
Clop's exploitation of CVE-2023-34362, the critical MOVEit Transfer vulnerability, also shows that the group is not only able to sell its ransomware tools to other criminal groups but can also sustain long-term technical projects that require a team effort to develop and refine an exploit. The MOVEit exploit is the third supply-chain attack Clop has developed, following its work against GoAnywhere MFT and PaperCut. MOVEit has affected not only businesses but also government agencies, and Clop issued a statement on this: "If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information”. The US State Department has since offered a reward of up to $10 million through its Rewards for Justice programme for information linking Clop to a foreign government.
Clop’s tactics, techniques and procedures.
Initial Access: Clop usually gains initial access through social engineering, most often phishing (MITRE T1566), or by exploiting vulnerabilities in Internet-facing software (T1190). The best defence against social engineering is staff training on phishing and how to recognise it; keeping systems patched to the latest version protects against known vulnerabilities being exploited. Unfortunately, Clop has been known to exploit zero-day vulnerabilities, which patching cannot prevent. The best protection against zero-days is to stay on top of current threat intelligence and vendor advisories, and to have contingency plans in place so that if a zero-day is reported in an application you use, you can take that service offline until it is fixed and still continue to operate.
Persistence: Clop maintains access to infected systems in a variety of ways; the Sophos X-Ops Incident Response team has recently observed Clop using Cobalt Strike Beacon to persist. Cobalt Strike is a commercial penetration-testing framework that is widely abused by criminals, so distinguishing its Beacon from legitimate activity can be a challenge. Intrusion detection and prevention systems on your network, together with endpoint detection and response tooling, can identify the suspicious behaviour and alert you to the implant.
Lateral Movement: Once inside, Clop attempts to pivot laterally, infecting connected systems so that the ransomware can be deployed more quickly and encrypt as much data as possible. Sophos has recently observed Clop using Server Message Block (SMB) connections before transitioning to Remote Desktop Protocol (RDP) sessions to complete its lateral movement. Some of these protocols may be essential to your business, but where a system does not need one of them, block the corresponding port (TCP 445 for SMB, TCP 3389 for RDP) on both perimeter and internal firewalls.
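The SMB-then-RDP pattern above can be hunted for in Windows Security logs: a network logon (Event ID 4624, logon type 3, which is what an SMB share connection produces) followed shortly afterwards by a RemoteInteractive logon (4624, logon type 10, i.e. RDP) from the same source to the same host. The script below is an added example, not code from Sophos or the Clop digest; the event records, account names, IP addresses, host names and the 30-minute correlation window are constructed for illustration.

```python
"""Correlate SMB (network) logons followed by RDP logons from the same source.

Added example: flags the SMB-then-RDP lateral-movement pattern using
constructed Windows Security 4624 events, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types carried in Event ID 4624 (values are the documented Windows ones).
LOGON_NETWORK = 3   # SMB share access, admin$ / C$ etc.
LOGON_RDP = 10      # RemoteInteractive, i.e. an RDP session

# Constructed sample events (assumed field names; not from a real system).
SAMPLE_EVENTS = [
    {"time": "2023-07-01T02:10:05", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "host": "FS01"},
    {"time": "2023-07-01T02:14:40", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "host": "FS01"},
    {"time": "2023-07-01T02:20:00", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.5.21", "host": "DC01"},
    {"time": "2023-07-01T09:00:12", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\alice", "src_ip": "10.0.7.8", "host": "FS02"},
    {"time": "2023-07-01T16:30:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\alice", "src_ip": "10.0.7.8", "host": "FS02"},
    {"time": "2023-07-01T16:31:00", "event_id": 4625, "logon_type": 10,
     "user": "CORP\\alice", "src_ip": "10.0.7.8", "host": "FS02"},
]


def _parsed_4624(events):
    """Keep only successful logons (4624) and attach a datetime, oldest first."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"]))
              for e in events if e["event_id"] == 4624]
    parsed.sort(key=lambda e: e["ts"])
    return parsed


def find_smb_then_rdp(events, window=timedelta(minutes=30)):
    """Return (user, src_ip, host, smb_time, rdp_time) tuples where a network
    logon was followed by an RDP logon from the same user and source IP to the
    same host within `window`. Alice's RDP session 7.5 hours after her share
    access is a normal working pattern and is not flagged."""
    last_network = {}   # (user, src_ip, host) -> time of most recent type-3 logon
    hits = []
    for e in _parsed_4624(events):
        key = (e["user"], e["src_ip"], e["host"])
        if e["logon_type"] == LOGON_NETWORK:
            last_network[key] = e["ts"]
        elif e["logon_type"] == LOGON_RDP and key in last_network:
            if e["ts"] - last_network[key] <= window:
                hits.append((*key, last_network[key].isoformat(), e["ts"].isoformat()))
    return hits


def network_logon_fanout(events):
    """Distinct hosts each (user, src_ip) pair reached over SMB; a source
    touching many hosts in a short time is itself a lateral-movement signal."""
    fanout = defaultdict(set)
    for e in _parsed_4624(events):
        if e["logon_type"] == LOGON_NETWORK:
            fanout[(e["user"], e["src_ip"])].add(e["host"])
    return {k: sorted(v) for k, v in fanout.items()}


if __name__ == "__main__":
    for hit in find_smb_then_rdp(SAMPLE_EVENTS):
        print("SMB->RDP pivot:", hit)
    for (user, src), hosts in network_logon_fanout(SAMPLE_EVENTS).items():
        print(f"{user} from {src} reached {len(hosts)} host(s) over SMB: {hosts}")
```

In a real deployment the events would come from a SIEM or from Windows Event Forwarding rather than a list literal, and the window and fan-out thresholds should be tuned against your own baseline, since backup and management accounts legitimately produce type-3 logons to many hosts.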
Exfiltration: Clop often exfiltrates data before deploying the ransomware, targeting anything that will strengthen its hand when it extorts the victim. The most commonly targeted data includes employee HR records, intellectual property, financial data and customer data. Clop has been known to use Exfiltration Over Web Service (MITRE T1567), which covers the use of various third-party web services to move data out, and also relies on command-and-control avenues such as Remote Access Software (T1219) and Ingress Tool Transfer (T1105). Data exfiltration can be identified and blocked by intrusion detection and prevention software; if that is not an option, set limits on outbound data transfers outside business hours, which frustrates attackers and buys you more time to act.
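The out-of-hours transfer limit suggested above can be expressed as a simple rule over outbound flow records: sum the bytes each internal host sends to external destinations, split by whether the flow happened inside business hours, and alert when either bucket exceeds its allowance. The script below is an added example, not code from the Sophos digest; the flow records, business-hours window and byte thresholds are constructed assumptions and would be replaced by your own NetFlow/proxy data and baselines.

```python
"""Flag hosts whose outbound volume breaches an out-of-hours allowance.

Added example: an out-of-hours data-transfer limit evaluated over
constructed flow records (not real traffic data).
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed policy values: business hours Mon-Fri 08:00-18:00 local time.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
OUT_OF_HOURS_LIMIT_BYTES = 500 * 1024 ** 2   # 500 MiB per host over the batch
IN_HOURS_LIMIT_BYTES = 20 * 1024 ** 3        # 20 GiB per host over the batch

# Constructed flow records (internal source -> external destination).
# 2023-07-02 is a Sunday, 2023-07-03 a Monday.
SAMPLE_FLOWS = [
    {"time": "2023-07-02T23:15:00", "src": "10.0.5.21", "dst": "203.0.113.10",
     "dst_port": 443, "bytes_out": 900 * 1024 ** 2},
    {"time": "2023-07-03T01:05:00", "src": "10.0.5.21", "dst": "203.0.113.10",
     "dst_port": 443, "bytes_out": 1200 * 1024 ** 2},
    {"time": "2023-07-03T10:30:00", "src": "10.0.7.8", "dst": "198.51.100.5",
     "dst_port": 443, "bytes_out": 2 * 1024 ** 3},
    {"time": "2023-07-03T22:40:00", "src": "10.0.7.8", "dst": "198.51.100.5",
     "dst_port": 443, "bytes_out": 50 * 1024 ** 2},
]


def is_business_hours(ts):
    """Monday-Friday, inside the configured working window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def outbound_by_host(flows):
    """Total outbound bytes per internal host, split into in/out-of-hours buckets."""
    totals = defaultdict(lambda: {"in_hours": 0, "out_of_hours": 0})
    for f in flows:
        ts = datetime.fromisoformat(f["time"])
        bucket = "in_hours" if is_business_hours(ts) else "out_of_hours"
        totals[f["src"]][bucket] += f["bytes_out"]
    return dict(totals)


def flag_exfiltration(flows):
    """Return (host, bucket, bytes) for every host that breaches an allowance.
    The out-of-hours limit is deliberately far lower than the in-hours one:
    a few hundred MiB leaving at 01:00 is unusual, the same volume at 10:30
    on a Monday is not."""
    alerts = []
    for host, t in sorted(outbound_by_host(flows).items()):
        if t["out_of_hours"] > OUT_OF_HOURS_LIMIT_BYTES:
            alerts.append((host, "out_of_hours", t["out_of_hours"]))
        if t["in_hours"] > IN_HOURS_LIMIT_BYTES:
            alerts.append((host, "in_hours", t["in_hours"]))
    return alerts


if __name__ == "__main__":
    for host, bucket, nbytes in flag_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT {host}: {nbytes / 1024 ** 2:.0f} MiB outbound {bucket}")
```

On the sample data only 10.0.5.21 is flagged: its 2.1 GiB leaving overnight exceeds the out-of-hours allowance, while 10.0.7.8's 2 GiB during the working day stays under the in-hours limit. The same per-host totals can drive a rate limit on the egress firewall rather than just an alert, which is the "limit" the text recommends.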
Victim notification: The final stage of the attack is the delivery of the ransom note. You may already have realised you are under attack by noticing that files have been encrypted and renamed with the extension .clop, .cllp or .C_L_O_P. Clop usually leaves its demand in a README.TXT file, giving the price for decryption along with instructions for joining a chat. In general, paying the ransom is not recommended: there is no guarantee the attackers will keep their word and not sell the exfiltrated data, and paying does not fix the initial point of compromise, which leaves you at risk of being attacked again by the same group or a different one.
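Those file extensions and the README.TXT drop make a cheap triage check for a share or workstation suspected of being hit. The script below is an added example, not code from Sophos or the digest; it builds a throwaway sample directory tree to scan (the file names in it are constructed), and it only counts a README.TXT as a ransom note when it sits in a directory that also holds renamed files, since plain README.TXT files are common in source trees and software installs.

```python
"""Scan a directory tree for Clop file-extension and ransom-note indicators.

Added example: the sample tree is constructed in a temporary directory and
removed afterwards; nothing here is taken from a real incident.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Extensions named in the text, compared case-insensitively.
CLOP_EXTENSIONS = {".clop", ".cllp", ".c_l_o_p"}
RANSOM_NOTE_NAME = "readme.txt"


def scan_for_clop_indicators(root):
    """Walk `root` and return encrypted-looking files plus ransom notes.

    A README.TXT is only reported as a note when its directory also contains
    at least one file with a Clop extension, which avoids flagging the
    ordinary README.TXT files found in many legitimate directories."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        dir_encrypted = [os.path.join(dirpath, n) for n in files
                         if Path(n).suffix.lower() in CLOP_EXTENSIONS]
        dir_notes = [os.path.join(dirpath, n) for n in files
                     if n.lower() == RANSOM_NOTE_NAME]
        encrypted.extend(dir_encrypted)
        if dir_encrypted:
            notes.extend(dir_notes)
    return {"encrypted_files": sorted(encrypted), "ransom_notes": sorted(notes)}


def build_sample_tree():
    """Create a constructed tree: two hit directories, one clean one."""
    root = Path(tempfile.mkdtemp(prefix="clop_demo_"))
    layout = {
        "docs": ["q2-report.xlsx.C_L_O_P", "contracts.docx.clop", "README.TXT"],
        "photos": ["holiday.jpg.cllp"],
        "src": ["main.py", "README.TXT"],   # legitimate readme, no encrypted files
    }
    for sub, names in layout.items():
        (root / sub).mkdir()
        for name in names:
            (root / sub / name).write_text("placeholder\n")
    return str(root)


def run_demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_for_clop_indicators(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['encrypted_files'])} file(s) with Clop extensions")
    for path in result["ransom_notes"]:
        print("ransom note:", path)
```

Run against a real share this is a quick scoping aid, not a detection control: by the time renamed files appear the encryption has already run, and the absence of these extensions says nothing about whether data was exfiltrated beforehand.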
If Clop or any other ransomware group has attacked, or is currently attacking, your organisation, you should alert the police as soon as possible. If the attack is live you can contact Action Fraud through their website or by calling 0300 123 2040 to reach their 24-hour business reporting service for live attacks. If you believe your company has suffered some other, non-urgent cyber incident, the government page Where to Report a Cyber Incident - GOV.UK (www.gov.uk) sets out who you need to notify.