Clop Ransomware, New Credential-Stealing Malware, Prioritizing Cybersecurity

3 minute read

February 2023

by cybergrx

In this episode of GRXcerpts, get updates on:

  • Clop Ransomware and GoAnywhere MFT Vulnerabilities
  • New Credential-Stealing Malware
  • Executive Cybersecurity Concerns

Watch now:

Clop Ransomware – GoAnywhere MFT Server Vulnerability

Topping our news is an update on the Clop ransomware gang, which claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. Clop says they have stolen data from over 130 organizations by breaching vulnerable servers with unpatched GoAnywhere MFT instances. The gang claims they can move laterally through their victims’ networks and deploy ransomware payloads to encrypt their systems but so far, has only stolen documents stored on the compromised GoAnywhere MFT servers. GoAnywhere’s developer, Fortra, disclosed to customers that the vulnerability was being exploited as a zero-day in the wild, and issued an emergency security update followed by another update, only to discover an unauthorized party accessed the systems via a previously unknown exploit and created unauthorized user accounts. In a precautionary move, Fortra implemented a temporary service outage and is restoring service on a customer-by-customer basis, as mitigation is applied and verified within each environment.

Clop has been one of the most active ransomware groups over the past several years, targeting private and public organizations globally, in sectors such as aerospace, energy, education, finance, high-tech, healthcare, manufacturing, telecommunications, and transportation. Additionally, Clop is believed to be behind at least one of the recent attacks on telecommunications companies, targeting a third-party vendor’s unsecured cloud storage and gaining access to 37 million AT&T client records.

Similarly, the Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to healthcare and public health organizations, stating the Clop ransomware gang is highly capable, well-funded, and prolific, and is considered to pose a significant threat to the HPH sector.

New Credential-Stealing Malware

Proofpoint researchers warn that a new threat actor has been targeting over a thousand organizations since October with the goal of deploying credential-stealing malware. The attacks appear to be financially motivated, but also have an espionage component to them. The attack chain involves reconnaissance components including a Trojan that takes screenshots of the infected computer desktop to gather information on the compromised host before deploying additional payloads. The latest attack involves phishing emails with lures such as, “please judge my business presentation,” and upon downloading it, releases malicious macros or malicious Javascript files. If executed, the malicious files deploy a malware program called WasabiSeed that’s delivered as an MSI installer and establishes persistence by creating an autorun shortcut in the Windows startup folder. The goal of WasabiSeed is to download and execute additional payloads, enabling attackers to perform different tasks including installing information-stealing malware, stealing crypto wallets, passwords from browsers, FTP clients, VPN configurations, cookies, and any other files the attacker may want.  What’s most concerning is the threat actors appear to be manually reviewing infections to identify high-value targets with follow-on activities that could lead to compromises on all domain-joined hosts.

Apple iOS Update

Apple released a new version of the operating system for iPhones and iPads after becoming aware that hackers were using a vulnerability to hack Apple devices. This latest bug was in WebKit, Apple’s browser engine that’s used in Safari, and a historically popular target for hackers since it can open up access to the rest of the device’s data. According to Apple, the chances that an average iPhone user will be targeted with a zero-day are slim, but notes you should still update your phone.

Executives Prioritizing Cybersecurity

And finally, with the surge in cybercrime and more sophisticated attacks, cybersecurity and business interruption are now considered top corporate risks, according to research from the Allianz Group. In fact, data security is a priority issue at most senior levels within US organizations, with executives concerned about a range of potential incidents, from ransomware to data breaches to supply chain disruptions, not to mention the costs associated with a breach. IBM data shows the average cost of a data breach hit a record $4.35 million in 2022 and is expected to surpass $5 million this year. The report also shows organizations that have an incident response plan and test it regularly can lower their breach costs, saving as much as $2.6 million. Or in other words, proper preparation just makes good financial sense.

All information is current as of February 14, 2023. Subscribe to receive future episodes as they are released.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.