CyberWire Daily - CISA Alert AA23-158A – #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability.

Episode Date: June 9, 2023

FBI and CISA are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

AA23-158A Alert, Technical Details, and Mitigations
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant
MOVEit Transfer Critical Vulnerability (May 2023) - Progress Community
MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (huntress.com)
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Transcript
[00:00:00] You're listening to the CyberWire Network, powered 7th, 2023. FBI and CISA are releasing this joint advisory to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023. According to open-source information, beginning on May 27, 2023, the CL0P ransomware gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer solution, known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day exploit-driven campaigns

[00:01:12] against Accellion File Transfer Appliance devices and Fortra/Linoma GoAnywhere MFT servers in early 2023. TA505 is known for frequently changing malware and driving global trends in criminal malware distribution. Considered to be one of the largest phishing and malspam distributors worldwide, TA505 is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 global organizations. The authors encourage organizations to implement the recommendations in the mitigation section of this alert to reduce the likelihood and impact of similar incidents. The alert documentation linked in the show notes includes additional technical details. To report incidents, contact CISA at report@cisa.gov, call 888-282-0870,

[00:02:08] or report incidents to your local FBI field office. This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report

[00:02:29] can be found in the show notes. This has been a CISA Cybersecurity Alert.
