Published: June 16, 2023

Overview

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have issued joint cybersecurity advisories (CSAs) on two ransomware operations: LockBit 3.0 and CL0P. The LockBit 3.0 advisory warns critical infrastructure organizations about ongoing LockBit 3.0 attacks and documents the ransomware's technical details; LockBit 3.0 is more modular and evasive than earlier versions and shares similarities with BlackMatter and BlackCat ransomware. The CL0P advisory covers the gang's recent campaign exploiting a vulnerability in MOVEit Transfer. Both advisories include recommended actions and mitigations that organizations can take to protect their assets and data. 

LockBit 3.0 operates under a Ransomware-as-a-Service (RaaS) model and continues the earlier LockBit and LockBit 2.0 versions. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use widely varying TTPs and attack a broad range of businesses and critical infrastructure organizations, which makes effective network defense and mitigation challenging. 

CL0P, which is associated with the TA505 group, is known for frequently changing malware and driving global trends in criminal malware distribution. The advisory also highlights a previously unknown SQL injection vulnerability in Progress Software’s managed file transfer solution, MOVEit Transfer (CVE-2023-34362), which CL0P has exploited to steal data from underlying MOVEit Transfer databases. The objective of the CL0P ransomware gang has been to steal data from various organizations. All organizations are encouraged to view the advisory and implement the recommended mitigations to reduce the likelihood and impact of CL0P and other ransomware incidents.  

Impact 

Both operations seek to steal the victim's data and then encrypt it, using the stolen data and the encryption as leverage to extort payment from the victim. 

LockBit 3.0 was responsible for 21% of the 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 incidents. A majority of those attacks impacted food and beverage and manufacturing sectors. 

MOVEit Transfer is a managed file transfer solution from Progress Software. CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance. Successful exploitation would give an attacker access to the underlying MOVEit Transfer database instance. 
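To make concrete what "an unauthenticated attacker sending a specially crafted request" means for this vulnerability class, the following added example (not MOVEit Transfer's code and not the CL0P exploit; the SQLite schema, table, and inputs are constructed) shows the textbook SQL injection pattern beside its hardened form. The vulnerable function builds the query by concatenating untrusted input, so a single quote lets the attacker add SQL syntax and read rows they were never meant to see; the hardened function binds the input as a parameter, so the same input is only ever compared as a literal string.

```python
"""Added example illustrating the SQL injection class behind CVE-2023-34362.
This is not Progress Software's code and does not reproduce the real exploit;
the schema, data and inputs below are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT);
        INSERT INTO users (username, api_token) VALUES
            ('alice', 'tok-alice-1111'),
            ('bob',   'tok-bob-2222'),
            ('svc',   'tok-svc-3333');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the query is assembled by string concatenation, so the caller's
    input becomes part of the SQL syntax rather than a bound value."""
    sql = "SELECT username, api_token FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: a bound parameter; the driver quotes the value, so no input can
    change the structure of the statement."""
    sql = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the quoted literal and appends a tautology,
# turning the WHERE clause into  username = 'nobody' OR '1'='1'  (always true).
INJECTED = "nobody' OR '1'='1"


def demo() -> dict:
    """Row counts returned for a normal lookup and for the injected input
    against each implementation."""
    conn = make_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_hardened": len(lookup_hardened(conn, "alice")),
        "injected_vulnerable": len(lookup_vulnerable(conn, INJECTED)),
        "injected_hardened": len(lookup_hardened(conn, INJECTED)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The injected input returns every row (every user's token) from the vulnerable function and nothing from the hardened one. In a real managed file transfer product the same failure gives an unauthenticated caller read access to the application database, which is exactly the impact the advisory describes.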

Applicable Versions 

Progress addressed the SQL injection vulnerability in MOVEit Transfer 13.0.6, 13.1.4, 14.0.4, 14.1.5, and 15.0.1. Earlier releases in each of those branches are affected and should be upgraded to the fixed version for their branch. 
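A quick way to triage an inventory against those fixed releases, as an added example (not Progress or Netsurion code): each installed version is compared with the fixed version for its major.minor branch, anything below it is reported as vulnerable, and versions on a branch not listed above are flagged for manual review rather than silently passed. The host inventory is constructed for the demonstration.

```python
"""Added example: triage installed MOVEit Transfer versions against the fixed
releases for CVE-2023-34362 listed on this page. Not vendor code; the inventory
below is constructed."""
from typing import Dict, List, Tuple

# Fixed releases keyed by (major, minor) branch, as given on this page.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (13, 0): (13, 0, 6),
    (13, 1): (13, 1, 4),
    (14, 0): (14, 0, 4),
    (14, 1): (14, 1, 5),
    (15, 0): (15, 0, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else
    so a malformed inventory entry cannot be mistaken for a patched host."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unlisted' (branch not in the page's
    fixed-version list; treat as needing manual verification, not as safe)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Hosts that are vulnerable or on an unlisted branch, sorted for reporting."""
    return sorted(h for h, status in triage(inventory).items() if status != "fixed")


# Constructed sample inventory (host -> reported MOVEit Transfer version).
SAMPLE_INVENTORY = {
    "mft-prod-01": "14.1.5",
    "mft-prod-02": "14.1.3",
    "mft-dr-01": "13.0.6",
    "mft-lab-01": "15.0.0",
    "mft-old-01": "12.1.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:8s} {status}")
```

Feed the script the versions your asset inventory already records for each MOVEit Transfer host; the point of the "unlisted" status is that a branch outside the fixed list (older, unsupported releases in particular) must be checked against the vendor advisory, not assumed patched.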

Mitigations and Workarounds 

The advisories recommend the following controls against both ransomware operations: 

  1. Require multi-factor authentication (MFA) for access to local and cloud applications. 
  2. Train staff to recognize phishing emails, and use an email protection service to filter spam and malicious mail before it reaches employee devices. 
  3. Augment traditional anti-virus, which CL0P has been able to evade, with a web content filtering platform. 
  4. Maintain an inventory of assets and data, identifying authorized and unauthorized devices and software. 
  5. Grant administrative privileges and access only when necessary, and enforce a software allow list so that only legitimate applications can execute. 
  6. Monitor network ports, protocols, and services, and enable security configurations on network infrastructure devices such as firewalls and routers. 
  7. Patch and update software and applications to their latest versions regularly, and conduct regular vulnerability assessments. 

Best Practices 

For more information and best practices on preventing and mitigating ransomware and data extortion incidents, refer to the resources listed on StopRansomware.gov.

Netsurion Detection and Response 

Netsurion follows the guidance in CISA's Ransomware Guide. Our security analysts have added the indicators of compromise (IOCs) from the advisories, the hashes of malicious files and the associated IP addresses, to Netsurion's Threat Center, our threat intelligence platform. This supports detection of the malicious files and of suspicious command-and-control communication to the listed IP addresses. Netsurion's vulnerability management system also detects CVE-2023-34362 for customers subscribed to Netsurion Vulnerability Management. 


References: 

  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a 
  2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a 
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a  
  4. https://www.cisa.gov/news-events/news/cisa-and-fbi-release-advisory-cl0p-ransomware-gang-exploiting-moveit-vulnerability 
  5. https://www.cisa.gov/stopransomware/official-alerts-statements-fbi 
  6. https://nvd.nist.gov/vuln/detail/CVE-2023-34362 
  7. https://www.cisa.gov/known-exploited-vulnerabilities-catalog 
  8. https://www.cisa.gov/stopransomware/ransomware-guide