Sectrio

Deconstructing the CL0P RaaS group and understanding the MOVEit breach in 2023

By admin
September 11, 2023
Deconstructing-the-CL0P-ransomware-group-and-understanding-the-MOVEit-breach-in-2023

The large-scale incorporation of connected OT/SCADA systems is a growing trend but are you aware of the increasing presence of sophisticated threat actors and rapidly budding ransomware variants? The question you should ask yourself and your peers is “Are my OT/SCADA systems secure against next-generation cyber threats? In this blog, we will be discussing particular instances where CL0P ransomware has been identified in OT/SCADA systems.

OT/SCADA systems control physical devices and processes, such as water treatment plants, power grids, and manufacturing plants. These systems are often susceptible to attacks due to their setup, pre-existing vulnerabilities and often targeted as a result of lax security protecting these systems. While the scale of attacks targeting such systems can be analyzed further in our global threat landscape report 2023, it is imperative to understand the motive of the actors behind such attacks.

With Sectrio’s ongoing research initiatives, CL0P is one such ransomware that has popped up on our radar multiple times. Its usual methods include infiltration via phishing emails, malicious attachments, and exploit kits. The RaaS group operates methodically and begins its process through meticulous research of its victim on its operations, and understanding how they can be exploited.

Recommended Reading: How to get started with OT security

CL0P follows this process with social engineering, and spear phishing techniques where they are looking to penetrate the victim’s network and deploy the ransomware exploits. After the successful deployment of the ransomware, CL0P publishes a portal on the dark web for the victim to first verify 3 files to validate the compromise and requests a ransomware payout. The whole ordeal lasts between 3 – 7 days. The victim suffers from operational halts, reputational damages, loss of IP, and financial losses.

This report is a comprehensive analysis of CL0P ransomware including attack techniques, verticals targeted, countries targeted, and attack scenarios on OT-specific verticals. Stick around and learn more!

Who is CL0P?

CL0P is a notorious ransomware as a service (RaaS) operation that a Russian-speaking group operates.

CL0P was first seen in February 2019 as a new variant in the Cryptomix family. It was delivered as a payload of a phishing campaign associated with the financially motivated actor TA505.

CL0P was able to inject malicious code into the company’s database servers by exploiting a zero-day vulnerability using SQL injection. This allowed the attackers to access and download the data stored in the databases. This ransomware also used a verified and digitally signed binary, making it look like a legitimate executable file that could evade security detection

1-cl0p-darkweb-home-page
CLOP Dark Web Home Page

CL0P Ransomware

The CL0P ransomware is one of the biggest malware threats in cyberspace today. The attackers once demanded an amount of more than 20+ Million Dollars to restore services from their victim.

Targeting SCADA systems with CL0P ransomware presents a grave risk to vital infrastructure, carrying the potential for operational breakdowns, substantial financial damages, and even endangering human safety. Exploiting vulnerabilities within SCADA systems, malicious actors can illicitly infiltrate and encrypt crucial control files, resulting in the cessation of industrial operations or even the discharge of dangerous materials.

In June 2023, the CL0P ransomware group exploited a zero-day vulnerability in the MOVEit Transfer tool. This vulnerability was announced on May 31, 2023, by the Progress Software Corporation.

Earlier this year, CL0P had used a similar vulnerability to attack the GoAnywhere file transfer product of Fortra, stealing data from more than 130 companies, governments, and organizations. The CL0P attack on MOVEit Transfer is believed to have affected hundreds of organizations worldwide.

CL0P Darkweb page

On the Dark web page, they upload notes, news, and data published information and steps to contact them.

About CL0P Ransomware Gang

Steps for Companies Attacked by CL0P Ransomware Gang

3-Steps-for-companies-who-attacked-by-CL0P-Ransomware-Gang
Steps for companies attacked by CL0P Ransomware Gang

CL0P Gangs uploads published data and victim organization names on their dark web page.

4-name-of-cl0p-victims-with-data
Companies name attacked by CL0P Ransomware Gang

Companies name attacked by CL0P Ransomware Gang

CL0P Email IDs for communication

The ransomware has been known to use Email ID: UNLOCK@RSV-BOX.COM, This was however changed to Email ID: UNLOCK@SUP-BOX.COM. We believe that this change was triggered as a result of technical challenges.

Timelines of CL0P Ransomware and MOVEit

The CL0P ransomware gang was relatively inactive from November 2022 to February 2023 than in March and April of 2023 as accurately predicted in Sectrio’s Global Threat Landscape Analysis and Assessment Report and stated by the NCC report stated that CL0P went from one of the least active threat groups in March to the fourth most active in April. This significant increase in CL0P ransomware activity is a cause for concern, as it suggests that the gang is becoming more active and successful in its attacks.

Businesses and organizations should be aware of the CL0P threat and take steps to protect themselves from ransomware attacks.

  1. The CL0P ransomware was first noticed in February 2019 with wide-scale spear phishing. In January 2020, Fin11 deployed CL0P ransomware on the FTA (File Transfer Application) of Kiteworks, and after this, they gained access to a pharmaceutical company and leaked their data in April 2020.
  2. In November 2021, CL0P ransomware exploited the SolarWinds vulnerability, breaching several organizations. Security Researchers discovered that the MOVEit transfer servers were compromised and had crucial information into 2022.
  3. In 2023, CL0P began exploiting the MOVEit zero-day vulnerability. Although breaching multiple organizations, the group did not immediately extort victims. The CL0P ransomware gang compromised several companies. In May, the MOVEit vulnerability was published by Progress Software Corporation, and in the same year, a vulnerability was assigned, and CISA released a joint Cybersecurity Advisory detailing CL0P’s exploitation of the MOVEit vulnerability. – MOVEit told Cybernews that the bug was patched within 48 hours, adding that it “has implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affected Countries by CL0P Ransomware

5-cl0p-targeted-countries
CL0P Targeted Countries

Tools, Malwares, and Vulnerabilities Used by CL0P Ransomware

Malware
FlawedAmmyy
SDBOT
Get2 Loader
Malwares used by CL0P
Tools
Cobalt Strike
TinyMet
Tools used by CL0P

List of vulnerabilities exploited by CL0P ransomware

The exploits built are prepared using the vulnerabilities below:

CVE ID Vulnerability Type CVSS Score and Severity
CVE-2023-34362 SQL injection vulnerability 9.8 Critical
CVE-2023-35036 SQL injection vulnerability 9.1 Critical
CVE-2023-0669 Pre-authentication command injection 7.2 High
CVE-2021-27101 SQL injection vulnerability 9.8 Critical
CVE-2021-27102 OS command execution. 7.8 High
CVE-2021-27103 SSRF via a crafted POST request 9.8 Critical
CVE-2021-27104 OS command execution 9.8 Critical
CVE-2021-35211 Remote code execution (RCE) vulnerability 10.0 Critical
vulnerabilities exploited by CL0P ransomware

Analysis of CL0P Ransomware

TA505 is a threat actor that uses phishing emails to deliver malware to its victims. The malware typically arrives as a macro-enabled document that, when opened, drops a loader named Get2. Get2 can then download other tools used by TA505, such as SDBot, FlawedAmmyy, or FlawedGrace.

Once TA505 has gained a foothold on the victim’s system, it will perform reconnaissance, lateral movement, and exfiltration. This will allow them to gather information about the victim’s network and systems and to move laterally to other systems within the network. The final step is to deploy ransomware, encrypting the victim’s files and demand a ransom payment.

Sometimes, SDBot has been observed delivering CL0P as the final payload. CL0P is a ransomware known for its aggressive encryption and high ransom demands.

6-cl0p-ransomware-attack-tree
CL0P Ransomware Attack Tree

How CL0P ransomware could disrupt the OT networks

The CL0P ransomware gang could potentially target OT/ICS systems through methods such as phishing and social engineering, exploiting vulnerabilities in software or hardware, supply chain attacks via compromised suppliers, exploiting weaknesses in Remote Desktop Protocol, watering hole attacks on frequented websites, recruiting insiders for valuable information, exploiting weak network segmentation between IT and OT environments, and taking advantage of misconfigurations in the OT/ICS network.

Defending against these attacks requires robust cybersecurity measures including patch management, network segmentation, employee training, multi-factor authentication, secure remote access, intrusion detection, and regular backups of critical systems.

CL0P ransomware group has used tools such as FlawedAmmyRAT, Cobalt strike, TinyMet, Get2Loader, SDBOT, etc. The CL0P ransomware gang has already bagged a name for itself by attacking 4 organizations hosting several OT systems. The gang has likely gained enough experience to target more organizations hosting. t. They are currently able to perform the attack and disrupt the OT operations with their current posture.

Attack path analysis of CL0P ransomware

The first attack path used by T505

The CL0P ransomware that TA505 first distributed evaded detection using a digitally signed and verified binary to make it seem like a legitimate executable file. The group launched many spear-phishing emails sent to an organization’s employees to trigger the infection process.

7-attack-path-of-t505-cl0p
Attack path of T505 for CL0P ransomware

Updated attack path of T505

In January 2020, TA505 changed the infection flow by using SDBOT alone to collect and exfiltrate data to the command-and-control (C&C;) server.

8-updated-attack-path-of-t505-for-cl0p-ransomware
Updated Attack path of T505 for CL0P ransomware

Compromise attack path of FIN11

infection chain of FIN11’s exploit of the multiple zero-day vulnerabilities in Kiteworks’ FTA so that it could install a newly discovered web shell, DEWMODE. FIN11 then used this same web shell to exfiltrate data from the FTA and deliver the CL0P ransomware as a payload.

9-compromise-attack-patch-of-fin-11-cl0p
Compromise attack path of FIN11

CL0P ransomware note

The CL0P ransomware gang adds the ransom note after the successful encryption and exploitation.  

10-cl0p-ransomware-note
Ransom Note by CL0P ransomware gang

 

TTPs (Tactics, Techniques, and Procedures) of CL0P Ransomware

The CL0P ransomware gang is known for using a variety of tactics, techniques, and procedures (TTPs) to infect victims. These TTPs may include:

Tactic ID Tactic Name Technique ID Techniques Name CL0P Uses
TA0001 Initial Access T1566.001  Phishing: Spear-phishing attachment CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access
T1190 Exploit public-facing application CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; it begins with a SQL injection to infiltrate the MOVEit Transfer web application.
T1078 Valid accounts Gain unauthorized access to victims systems using RDP
TTPs of CL0P Ransomware 1
Tactic ID Tactic Name Technique ID Techniques Name CL0P Uses
TA0002 Execution T1106 Native API Event-Triggered execution: Application Shimming
T1059.001 Command and scripting interpreter PowerShell CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed in the compromised computer
T1059.002 Command and scripting interpreter CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server
T1129 Shared Modules CL0P actors use Truebot to download additional modules.
T1204 User execution User execution is needed to carry out the payload from the spear-phishing link/attachments
TA0003 Persistence T1547 Boot or logon autostart execution CL0P creates registry run entries to execute the ransomware as a service
T1543.003 Create or modify system process: Windows service. CL0P creates a service to execute the ransomware
T1505.003 Server Software Component: Web Shel DEWMODE is a web shell designed to interact with a MySQL database and is used to exfiltrate data from the compromised network.
T1546.011 Event Triggered execution: Application Shimming CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.
TA0004  Privilege Escalation T1484.001 Domain Policy modification: Group Policy modification CL0P uses stolen credentials to access the AD servers to gain administrator privilege and attack other machines within the network
TTPs of CL0P Ransomware 2
Tactic ID Tactic Name Technique ID Techniques Name CL0P Uses
TA0005  Defense Evasion T1068 Exploitation for privilege escalation CL0P actors gained access to MOVEit Transfer databases before escalating privileges within the compromised network.
T1036.001 Masquerading: invalid code signature CL0P injects dll payloads into legitimate processes.
T1562.001 Impair defenses: disable or modify tools Disables security-related software by terminating them
T1140 Deobfuscate/Decode files or information The tool used for exfiltration has a part of its malware trace removal, and it drops a base-64 encoded file.
T1070.004 Indicator removal on host: file deletion CL0P Deletes traces of itself in the infected machine
T1055.001 Process injection: DLL injection CL0P runs the startup script before the system gets to the login screen via startup registry.
T1574.002 Hijack execution flow CL0P actors use Truebot to side-load DLLs
T1202 Indirect command execution CL0P searches for specific files and the directory related to their encryption 
T1070.001 Indicator removal on host: clear Windows Event logs CL0P clears the Event Viewer log files
TA0007 Discovery T1083 File and directory discovery CL0P searches for specific files and the directory related to its encryption 
T1018 Remote system discovery CL0P actors use Cobalt Strike to expand network access after gaining access to the AD servers.
T1057 Process discovery CL0P Discovers certain processes for process termination
T1082  System information discovery CL0P identifies keyboard layout and other system information
T1012 Query registry CL0P queries certain registries as part of its routine
T1063 Security software discovery CL0P discovers security software for reconnaissance and termination
TTPs of CL0P Ransomware 3
Tactic ID Tactic Name Technique ID Techniques Name CL0P Uses
TA0008 Lateral Movement T1570 Lateral tool transfer CL0P can make use of RDP to transfer the ransomware or tools within the network
T1021.002 Remote services: SMB/Windows admin shares CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
T1563.002 Remote Service Session Hijacking: RDP Hijacking CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.
TA0009 Collection T1005 Data from a local system CL0P might make use of RDP to manually search for valuable files or information
T1113 Screencaptures CL0P actors use Truebot to take screenshots to collect sensitive data.
TA0011 Command and Control T1071  Application Layer Protocol CL0P actors use FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2).
T1105 Ingress Tool Transfer CL0P actors are assessed to use FlawedAmmyy remote access trojan (RAT) to download additional malware components. CL0P actors use SDBot to drop copies of itself in removable drives and network shares.
TTPs of CL0P Ransomware 4
Tactic ID Tactic Name Technique ID Techniques Name CL0P Uses
TA0010 Exfiltration T1041 Exfiltration Over C2 Channel CL0P abuse the network shares to encrypt and spread files across connected system.
T1567 Exfiltration over Web service DEWMODE web shell extracts list of available files from a MySQL database on the FTA and lists these files and corresponding their metadata. These will then be downloaded using the DEWMODE web shell.
TA0040 Impact T1486  Data encrypted for impact CL0P uses a combination of Salsa20, AES, and ECDH to encrypt the files and key
T1490 Inhibit system recovery CL0P deletes the shadow copies
TTPs of CL0P Ransomware 4

YARA Rules for CL0P Ransomware Detection

  1. SS_Gen_MOVEitTransferExploit_Webshell_ASPX_202308160701_A
  2. SS_Gen_MOVEitTransferExploit_Webshell_DLL_202308160702_B

OT and IT Organizations Affected by CL0P Ransomware

The CL0P ransomware gang has been active in recent months, targeting organizations in various sectors. Victims of CL0P attacks have included water utilities, oil and gas companies, OEMs, and consulting firms.

From the look of the attack pattern, this ransomware gang is going after mainstream companies including Big-4s consulting companies. This fuels them to get more clout and get hyper-motivated to attack companies popular in their respective sectors.

11-ot-it-sectors-affected-by-cl0p
OT and IT Sectors affected by CL0P ransomware gang

Recommendations by Sectrio and CISA

  • Sectrio recommends deploying intrusion detection and prevention systems (IDS/IPS) to detect and block malicious traffic.
  • Implementing network segmentation to isolate SCADA systems from other networks.
  • If RDP service is used on OT networks, disable or close it.
  • Stay steps ahead of CL0P using our advanced Sectrio IDS/IPS, harnessing AI and behavioral analysis to proactively detect and deflect their targeted attacks. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
  • Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
  • Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
  • Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
  • Disable command line and scripting.
  • Restrict the use of PowerShell.

For more information contact Sectrio’s IoT and OT cybersecurity experts here: Contact us

Download Sectrio’s global threat landscape report 2023 now: Download IoT and OT threat report 2023

The 2023 Global Threat Landscape Assessment Report | Sectrio

This blog has been atributed to Yash Mehta from the Sectrio’s global threat research team.

Key Points

Discover more with topics that matter to you most.

Get the latest news and insights beamed directly to you

Share

Key Points

Get the latest news and insights beamed directly to you

Share

Deconstructing-the-CL0P-ransomware-group-and-understanding-the-MOVEit-breach-in-2023

Read More

Protecting your critical assets is only a few steps away

Scroll to Top
Major US Government Agencies Hit in Cyberattack by Clop Ransomware Gang Hackers Shut Down 2 of World’s Most Advanced Telescopes