CISA Cybersecurity Alerts 6.9.23
Ep 51 | 6.9.23

CISA Alert AA23-158A – #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability.


This is a CISA Cybersecurity Alert.

ID number Alpha Alpha Two Three tack One Five Eight Alpha. 

Original release date: June 7th, 2023.

FBI and CISA are releasing this joint advisory to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505 (pronounced “T A five oh five”), began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance devices and Fortra Linoma GoAnywhere MFT servers in early 2023.

TA505 is known for frequently changing malware and driving global trends in criminal malware distribution. Considered to be one of the largest phishing and malspam distributors worldwide, TA505 is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations.

The authors encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of similar incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, mitigations, and response recommendations.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www dot cisa dot gov to read the full report, which may include additional details, links, and illustrations.

A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.