Tag Archive for: clop

Clop ransomware dominates ransomware space after MOVEit exploit campaign


The number of ransomware attacks in July rose over 150% compared to last year and the actors behind the Clop ransomware were responsible for over a third of them. The gang took the lead from LockBit as the top ransomware threat after exploiting a zero-day vulnerability in a managed file transfer (MFT) application called MOVEit in June. While the MOVEit attacks were used for data theft and subsequent extortion, they were not used to deploy the actual Clop ransomware program, even though the actors behind the attacks are associated with this ransomware program and took credit for the campaign.

“This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Matt Hull, global head of threat intelligence at NCC Group, said in a report. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain.”

Clop takes the ransomware lead

NCC Group has recorded 502 ransomware-related attacks in July, a 16% increase from the 434 seen in June, but a 154% rise from the 198 attacks seen in July 2022. The Clop gang was responsible for 171 (34%) of the 502 attacks while LockBit came in second with 50 attacks (10%).

LockBit has dominated the ransomware space since the middle of last year after the notorious Conti gang disbanded and the LockBit authors revamped their affiliate program to fill the void and attract former Conti partners. Ransomware-as-a-service (RaaS) operations such as LockBit rely on collaborators called affiliates to break into enterprise networks and deploy the ransomware program in exchange for a hefty percentage of the ransoms.

Clop is also a RaaS operation that has existed since 2019 and before that it acted as an initial access broker (IAB) selling access to compromised corporate networks to other groups. It also operated a large botnet specialized in financial fraud and phishing. According to a CISA advisory, the Clop gang and its affiliates compromised over 3,000 organizations in the US and over 8,000 globally to date.

The Clop…

Source…

Clop Hacking Rampage Hits US Agencies and Exposes Data of Millions


United States cybersecurity officials said yesterday that a “small number” of government agencies have suffered data breaches as part of a broad hacking campaign that is likely being carried out by the Russia-based ransomware gang Clop. The cybercriminal group has been on a tear in exploiting a vulnerability in the file transfer service MOVEit to grab valuable data from victims including Shell, British Airways, and the BBC. But hitting US government targets will only increase global law enforcement’s scrutiny of the cybercriminals in the already high-profile hacking spree.

Progress Software, which owns MOVEit, patched the vulnerability at the end of May, and the US Cybersecurity and Infrastructure Security Agency released an advisory with the Federal Bureau of Investigation on June 7 warning about Clop’s exploitation and the urgent need for all organizations, both public and private, to patch the flaw. A senior CISA official told reporters yesterday that all US government MOVEit instances have now been updated. 

CISA officials declined to say which US agencies are victims of the spree, but they confirmed that the Department of Energy notified CISA that it is among them. CNN, which first reported the attacks on US government agencies, further reported today that the hacking spree impacted Louisiana and Oregon state driver’s license and identification data for millions of residents. Clop has previously also claimed credit for attacks on the state governments of Minnesota and Illinois.

“We are currently providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” CISA director Jen Easterly told reporters on Thursday. “Based on discussions we have had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information—in sum, as we understand it, this attack is largely an opportunistic one.”

Easterly added that CISA has not seen Clop threaten to release any data stolen from the US government. And the senior CISA official, who spoke to reporters on the condition that they…

Source…

Lessons From Clop: Combating Ransomware and Cyber Extortion Events


Lessons from Clop

It’s been one month since the Clop ransomware group began exploiting the MOVEit vulnerability (CVE-2023-34362 (VulnDB ID: 322555) to claim nearly 100 victims across the globe, many of which have come public. This attack comes on the heels of Clop leveraging the GoAnywhere MFT vulnerability (CVE-2023-0669), which led them to claim they’d illegally obtained information for more than 100 companies.

When a ransomware or cyber extortion event occurs, security teams are racing against the clock:

  • What do we know about the cybercriminal group that’s claiming responsibility for an attack or double extortion?
  • Is our organization affected? If so, what is the extent of the breach and its impact on our systems, networks, people, and data?
  • How do we respond to and mitigate the situation?
Flashpoint Ignite’s finished intelligence is readily available to all teams to help mitigate risk across the entire organization.

These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.

Targeting upstream data providers

First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they seen to exploit:

  1. Supply chain attacks. As illustrated through MOVEit, Clop often targets upstream software vendors or service providers so that it can cast a wide net. A number of the known Clop victims are companies who were attacked via a third-party vendor. Attackers like Clop may exploit vulnerabilities in the communication or data exchange between these companies, or compromise the software or hardware components supplied by third-party providers to inject malicious code or backdoors.
  2. Cloud Service Providers (CSP). If a cloud service provider experiences a security breach, it can potentially impact third parties that utilize their cloud services in several ways. Clop successfully breached a cloud service…

Source…

US puts up $10M reward to disrupt Clop ransomware gang



Rewards of up to $10 million are being offered by the U.S. State Department’s Rewards for Justice program to individuals with any information that would establish a connection between the Clop …

Source…