On April 28, the Health Sector Cybersecurity Coordination Center (HC3) published a sector alert on Ransomware-as-a-service (RaaS) groups Cl0p and Lockbit. The groups recently conducted several attacks exploiting three known vulnerabilities—CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669.
The Cybersecurity and Infrastructure Security Agency (CISA), according to the alert, added the last two vulnerabilities to its Known Exploited Vulnerabilities Catalog. It has not yet added the first. This alert is not the first from HC3 on Cl0p and LockBit and intends to update readers on recent attacks and recommendations to identify and protect against future ransomware attacks.
The alert says that “As early as April 13, 2023, Microsoft attributed exploitations on a software company’s servers to the RaaS group known as Cl0p. On April 19, the printing management software company revealed the vulnerabilities in the widely used PaperCut MF/NG print management software and urged administrators to upgrade their servers to the latest versions (20.1.7, 21.2.11, and 22.0.9 and later). The software developer claims that its software is used by more than 100 million users from over 70,000 companies worldwide. On April 21, CISA added the CVE-2023-27350 flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure their systems against ongoing exploitation within three weeks by May 12, 2023.”
Further, “On April 26, Microsoft revealed that both RaaS groups, Cl0p and LockBit, were behind the attacks and used them to steal corporate data from vulnerable servers. They disclosed that the Cl0p ransomware used was traced to the threat actor known as Lace Tempest, and overlapped with FIN11 and TA505, both linked to the ransomware operation. In its exploits, the threat actor deployed TrueBot malware, which has also been previously linked to Cl0p.”
Microsoft reported that some of the intrusions have led to LockBit ransomware attacks, but industry experts say that it isn’t clear whether or not the attacks began after the exploits were publicly released.
“These recent attacks follow a pattern of Cl0p in stealing data to extort companies into paying a ransom,” the alert adds. “This trend was first identified in 2020 when the RaaS group stole data from approximately 100 companies by exploiting an Accellion FTA zero-day vulnerability. As noted in a recent HC3 Secor Alert, in early February, Cl0p also claimed attribution for a mass attack on more than 130 organizations, including those in the healthcare sector, using a zero-day vulnerability in secure file transfer software, GoAnywhere MFT.”
Industry experts attribute the recent increase in ransomware attacks in March 2023 to the exploitation of the GoAnywhere MFT vulnerability.
The alert says that “There was a 91 percent increase in attacks since February 2023, with 459 attacks recorded in March alone. Of those attacks, Cl0p targeted 129 victims. Unlike other RaaS groups, Cl0p unabashedly and almost exclusively targets the healthcare sector. In the calendar year 2021 alone, 77% percent (959) of its attack attempts were on this critical infrastructure industry. The attacks in March of this year mark the second time that the threat group known as LockBit has been knocked off the top spot since September 2021.”
The alert provided recommendations on how to safeguard organizations against ransomware groups Cl0p and LockBit, including:
- Educate staff on social engineering attacks via email and network access
- Assess enterprise risk against all potential vulnerabilities
- Prioritize implementing a security plan with the appropriate budget, staff, and tools
- Develop a cybersecurity roadmap for the entire organization
