Ransomware Roundup: 04.03.23

Cl0p Ransomware Gang Continues Exploiting GoAnywhere Vulnerability

The Cl0p ransomware gang continues its campaign of extorting companies exploiting a known GoAnywhere vulnerability, having added nearly 200 new victims to their leaks website in the past few weeks.

“Over the past month, one hundred new companies have been added to Clop's data leak site, with the extortion gang threatening to leak data if a ransom is not paid,” reports Bleeping Computer.

“While it is not confirmed if all of these companies were breached using the GoAnywhere zero-day, BleepingComputer has confirmed this week that Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund are related to the vulnerability.”

Takeaway: The mass exploitation of the GoAnywhere vulnerability in this recent wave of Cl0p ransomware attacks should have companies who are using the software on high alert. Over the past month, more than one hundred new victims have been added to Clop's data leak site, including the likes of Saks Fifth Avenue and Virgin Group, to name just a few.

Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims. Many organizations have been added to the Cl0p leaks website who have not reported a cyberattack, so it is likely Cl0p has already exfiltrated large amounts of confidential information from these victims, or they are in the process of exfiltrating data as a precursor to the delivery of a ransomware payload.

These attacks typically involve weeks or even months of activity by attackers as they work to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems. Organizations must have the ability to disrupt attacks at initial ingress, when attackers move laterally, command and control is established, data exfiltration begins - not just when the attackers attempt to execute malicious binaries. They also need to assure that in the event of a successful ransomware attack, the organization is resilient and confident in their ability to minimize the duration, spread and overall impact of the attack and get back to normal as quickly as possible.

These are multi-stage attacks, and that means we have multiple opportunities to detect and stop them. Organizations require both a robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This approach includes endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans to be successful.

Ransomware Attacks: The New Snow Day for Education Sector?

CISA recently warned about the growing risk to the education sector from ransomware attacks, noting that groups like Vice Society disproportionately target schools. CISA released updated guidelines for K-12 organization, but guidelines don’t protect systems, and they don’t pay for security boots on the ground.  

“The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase” Security Intelligence reports.

“Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks.”

Takeaway: Ransomware attack trends that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain. Ransomware groups continue to victimize the education sector simply because they are easy targets. The fact is that schools lack the appropriate funding to stand up and maintain even a basic security program, let alone one that can go head-to-head with highly skilled threat actors.  

Combined with the fact that legacy security tools that are within the means of the education sector, like Antivirus and NextGen Antivirus are simply not designed to address the unique threat that ransomware presents. These factors together are why we keep seeing disruptive ransomware attacks causing school closures due to ransomware attacks. And even if they had better endpoint protection solutions to assist them, they would still lack the staff to properly manage them and realize any benefits in protecting their infrastructure. Worse yet, these students whose personal information is stolen will continue to be at risk of identity theft and financial fraud well into the unforeseeable future.  

To protect themselves and their students, EDU organizations must reevaluate what kinds of data they collect and store, for how long and pinpoint where it’s stored. Eliminating the unnecessary storage of sensitive data will make EDU organizations a less attractive target to attackers and help reduce risk. Since the options for detection and prevention are limited for the education sector, they should also focus on implementing a resilience strategy and assume they will be the victim of a ransomware attack and have the contingencies in place to recover as quickly as possible. This approach includes endpoint protection solutions, patch management, data backups, access controls, staff/student awareness training, and organizational procedure and resilience testing to be successful.

Cl0p’s Massive Ransomware Campaign Likely Driven by Automation

Scores of organizations that have not patched a known vulnerability on the GoAnywhere file transfer software have fallen victim to ransomware attack by the threat actor Cl0p in recent weeks.  

Scores more have been added to the group’s leaks website but have yet to report they were attacked yet, so we can expect this mass attack campaign to continue.

“Over the past few days, the Russia-linked Clop gang has added dozens of other organizations to its dark web leak site, which it uses to extort companies further by threatening to publish the stolen files unless a financial ransom demand is paid,” TechCrunch reports.

“Since the attack in late January or early February — the exact date is not known — Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.”

Takeaway: The mass exploitation of the GoAnywhere vulnerability in this recent wave of Cl0p ransomware attacks should have companies who are using the software on high alert. Over the past month, more than one hundred new victims have been added to Clop's data leak site. Cl0p is likely to be leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims.

Automation means more victims faster, hence the recent "wave" of attacks. And GoAnywhere is not the only buggy solution out there that can be exploited en masse like this - it's just a really good example of what we can expect as these RaaS operators continue to improve their capabilities.

Also of note is the fact that many organizations that have been added to the Cl0p leaks website have not reported a cyberattack, so it is likely Cl0p has already or are in the process of exfiltrated large amounts of confidential information from these victims as a precursor to the delivery of a ransomware payload.

These attacks typically involve weeks or even months of activity by attackers as they work to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems. Organizations must have the ability to disrupt attacks at initial ingress, when attackers move laterally, command and control is established, data exfiltration begins - not just when the attackers attempt to execute malicious binaries. They also need to assure that in the event of a successful ransomware attack, the organization is resilient and confident in their ability to minimize the duration, spread and overall impact of the attack and get back to normal as quickly as possible.

These are multi-stage attacks, and that means we have multiple opportunities to detect and stop them. Organizations require both a robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This approach includes endpoint protection solutions, patch management, data backups, access controls, employee awareness training, and organizational procedure and resilience testing into all ransomware readiness plans to be successful.

IBM Aspera Faspex Vulnerability: The Next GoAnywhere-Style Mass-Exploit for Ransomware Gangs?

Is the IBM Aspera Faspex vulnerability (CVE-2022-47986) the next GoAnywhere-style mass exploit for ransomware gangs? Scores of organizations have been hit by the Cl0p ransomware gang in recent weeks after attackers exploited a known vulnerability on the GoAnywhere file transfer software for which there has been a patch available for some time.  

Users of a similar file transfer program - IBM Aspera Faspex – should seriously prioritize deploying the patch for this bug as soon as possible, as it could be the next mass exploit leveraged by ransomware operators (or other attackers) to infiltrate an organization’s network.

High profile victims of the recent Cl0p campaign using the GoAnywhere exploit include Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, the UK Pension Protection Fund and dozens more. Dozens more have been added to Cl0p’s leaks website but have yet to publicly report a ransomware attack, so we can expect new victims from this widespread attack campaign to continue to emerge.

Aspera Faspex vulnerability is based on a YAML deserialization flaw that can be activated remotely with a specially crafted obsolete API call to enable code execution on the targeted system. It is rated 9.8 (critical) and impacts IBM Aspera Faspex 4.4.2 and earlier versions, and a patch was issued in January.

Takeaway: Similar to the issues with the GoAnywhere vulnerability, just because a patch is available does not mean all organizations will apply the fix in a timely manner. Attackers are keen to jump on new vulnerabilities, and often only become aware of the flaw after a patch is issued, so they count on organizations being slow to mitigate.

Cl0p was able to hit a large number of targets in a very short time period because they have likely automated scans that search the internet for networks still vulnerable to the bug, and it is highly likely that a number of threat actors are similarly looking for exploitable instances of IBM’s Aspera Faspex.

Reports indicate that the IceFire ransomware gang is already exploiting the vulnerability, and recent scans using Shodan identified 138 vulnerable instances. This is likely what attackers like Cl0p and IceFire are doing, simply using automating scans that look for the vulnerability in these file transfer programs and then leveraging exploits to infiltrate and move laterally through the network of their victims.

Organizations can’t wait for an attacker to hit them with a ransomware payload before their ransomware defense strategy kicks in. They must have the ability to detect and disrupt attacks at the earliest stages – at initial ingress when attackers move laterally, or when command and control is established, or data exfiltration begins. And in the event of a successful ransomware attack, the organization needs to be prepared for resilience by having the tools and processes in place to minimize the duration and overall impact of the attack.

Organizations need to focus on both a robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This includes deploying endpoint protection solutions designed to defeat ransomware, good patch management, isolated data backups, robust access and identity controls, an employee awareness program, and periodic organizational procedure and resilience testing into all ransomware readiness plans to have a good security posture.

Cylance Ransomware Family Emerges with Both Linux and Windows Versions

A new ransomware family dubbed Cylance Ransomware by the developers has emerged touting both Windows and Linux targeting capabilities, with samples in the wild and indications that active attacks are underway.

“The Unit 42 threat intelligence division of Palo Alto Networks revealed the existence of the Cylance strain in the early hours of Friday morning, saying that it appears to be targeting both Windows and Linux machines,” IT Pro reports.

“Little information exists at present on the tactics or reach of Cylance, though it appears that the strain has emerged recently.”

Takeaway: The emergence of yet another ransomware strain is not surprising. Ransomware operations will continue to come and go, but the imminent threat of ransomware will persist. While this new variant has been given a catchy name that mirrors a security product, it's just a branding ploy by the developers that does not have any real significance. What is interesting though is that this strain emerged with both Windows and Linux versions. While more groups have been developing Linux versions recently, not much attention has been paid to what this trend means for the ransomware threat landscape.

Groups like LockBit, IceFire, Black Basta, and Cl0p all have developed Linux targeting capabilities, which makes the likelihood of a really widespread, disruptive ransomware attack in the near future something to be concerned about. While Linux has a much smaller footprint than Windows systems overall, Linux arguably runs the most important system, including the vast majority of web servers, a good chunk of embedded and IoT devices used in manufacturing and energy, almost every smartphone and supercomputer, almost all of the US government and military systems, and pretty much all of the critical backbone systems in any large network.  

Despite this, we barely see mention of Linux ransomware advancements in the media as they have been developed or in unique cases like the Cylance Ransomware where the Linux version was developed at the same time as the code for Windows. This is very unusual.

The takeaway here is that any organization running critical Linux distributions should start preparing to defend these systems that until recently were rarely targeted. Linux systems have very few security solution options available to adequately defend them, and virtually none that focus on stopping ransomware specifically. The targeting of Linux systems has the potential to cause a serious disruption beyond the scale of what we saw in the Colonial Pipeline attack. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic.

‍

‍Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.