Quarterly Briefing: Threat Actor Using Unpatched Vulnerabilities


Dec 28, 2024


ENTRYZERO

32% of ransomware attacks start with an unpatched vulnerability, and these attacks have the greatest business impact. In our weekly “Top 5 Hacker-Relevant Vulnerabilities” series, we report on vulnerabilities that are particularly pertinent to threat actors. As part of this ongoing effort, we will provide quarterly recaps on selected threat actors, associated breaches, and the vulnerabilities they exploit.

Fourth Quarter 2024

Threat Actor: Clop Ransomware Gang

Threat Actor Whois: Clop (also known as “Cl0p”) is a sophisticated cybercriminal organization active since 2019. The group has targeted a diverse range of organizations across sectors, including energy, cybersecurity, retail, and education. Clop is infamous for employing double extortion tactics, which involve encrypting victims’ data while simultaneously threatening to publicly release sensitive information if ransom demands are not fulfilled.

Threat Actor Key Characteristics:

  • Focus on Vulnerabilities in File Transfer Software: Clop frequently exploits vulnerabilities in widely used file transfer software to gain unauthorized access to sensitive data. For example, in the 2023 MOVEit data breach, Clop leveraged a vulnerability in Progress Software’s MOVEit Transfer application, resulting in breaches that affected millions of individuals and numerous organizations. By late 2024, Clop had turned its attention to Cleo’s managed file transfer products, specifically Harmony, VLTrader, and LexiCom.
  • Double Extortion: Clop’s hallmark tactic involves exfiltrating sensitive data before encrypting it, coercing victims into payment by threatening to release the stolen data publicly.
  • Targeted Attacks: The group focuses on large organizations with high-value assets.
  • Collaboration with Other Threat Actors: Clop operates within a broader cybercriminal ecosystem, frequently collaborating with other threat actors to amplify the scale and success of its operations.

Selected Security Breaches Associated with the Threat Actor:

Clop has orchestrated high-profile attacks across various industries worldwide. Notable victims include energy giant Shell, cybersecurity firm Qualys, supermarket chain Kroger, and educational institutions such as the University of Colorado, Stanford Medicine, University of Maryland Baltimore, and the University of California. In December 2024, Clop claimed on its dark web portal to have breached 66 companies and provided a 48-hour ultimatum for ransom payments following data breaches linked to vulnerabilities in Cleo’s software.

Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access:

Clop is known to use the following techniques to gain initial access to its victims’ IT infrastructure:

Selected Vulnerabilities Exploited by Threat Actor:

Clop has been documented exploiting numerous CVEs, including:

Product | Vulnerability
Cleo Managed File Transfer Products (Harmony, VLTrader, LexiCom) | CVE-2024-50623, CVE-2024-55956
MOVEit Transfer Software | CVE-2023-34362
GoAnywhere Managed File Transfer | CVE-2023-0669
Accellion File Transfer Appliance | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
SolarWinds Serv-U FTP | CVE-2021-35211
Microsoft Exchange Server | CVE-2021-26855, CVE-2021-27065
Citrix ADC and Gateway | CVE-2019-19781
Pulse Secure VPN | CVE-2019-11510
Fortinet FortiOS | CVE-2018-13379

Further Reading

Third Quarter 2024

Threat Actor: LockBit

Threat Actor Whois: LockBit operates primarily under a Ransomware-as-a-Service model and has become one of the most notorious and successful ransomware groups in recent years. It first emerged around 2019 and has undergone multiple iterations (e.g., LockBit 2.0, LockBit 3.0), improving its techniques with each version. Its primary goal is to deploy ransomware on a victim’s network to encrypt data, extort ransom payments, and threaten to leak the victim’s sensitive information. LockBit is not known for favoring big game hunting targets, nor does it concentrate on specific industries. In February 2024, international law enforcement seized LockBit’s infrastructure, and arrests were made in connection with the coordinated international operation. However, less than one week later, the ransomware group relaunched its operation.

Threat Actor Key Characteristics:

  • Ransomware-as-a-Service: LockBit provides its ransomware tools to affiliates (other cybercriminals) who carry out the attacks. These affiliates receive a percentage of the ransom payment, with LockBit taking a cut.
  • Double Extortion: Like many modern ransomware groups, LockBit employs double extortion, meaning it not only encrypts the victim’s files but also threatens to release sensitive data if the ransom isn’t paid.
  • Highly Automated and Fast: LockBit ransomware is known for its high level of automation, which makes it faster to spread across the network and encrypt files.

Selected Security Breaches Associated with Threat Actor:

LockBit has been responsible for numerous high-profile breaches, targeting various industries and organizations around the globe. Some notable victims include Evolve Bank and Trust (2024), Boeing (2023), Thales Group (2022), Mercedes-Benz USA (2021), and Accenture (2021). These attacks demonstrate the group’s ability to infiltrate organizations across different sectors. In the third quarter of 2024, LockBit continued its assault on numerous companies. Below is a short list of selected breaches associated with LockBit, sourced from BlackFog. While some incidents have been publicly disclosed, many remain undisclosed:

Victim Name | Victim Information | Victim Location
Kulicke & Soffa | Semiconductor manufacturer | Singapore
KBC Zagreb | University hospital center | Croatia
Wattle Range Council | Local government | Australia
Clay County Indiana | Local government | USA
Federated Co-Operatives | Co-operative federation | Canada
Real Hospital Português de Beneficência | Private hospital | Brazil
Lothar Rapp | Contractor | Germany
Customs Support Group | Customs broker | Netherlands
Akanea | Software company | France
Barking Well Media | Media company | Greece
Luis Oliveras | Food product supplier | Spain
Exol Lubricants | Lubricant manufacturer | UK
GB Ricambi SpA | Machinery manufacturer | Italy

Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access:

LockBit is known to use the following techniques to gain initial access to its victims’ IT infrastructure:

Selected Vulnerabilities Exploited by Threat Actor:

LockBit affiliates have been documented exploiting numerous CVEs, including:

Product | Vulnerability
Citrix VPN (Citrix Bleed) | CVE-2023-4966, CVE-2019-19781
PaperCut MF/NG | CVE-2023-27350
Fortra GoAnywhere | CVE-2023-0669
Microsoft Exchange (ProxyLogon, ProxyShell) | CVE-2021-26855, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
Apache (Log4j2) | CVE-2021-44228
F5 BIG-IP and BIG-IQ | CVE-2021-22986
Pulse Secure VPN | CVE-2019-11510
Microsoft RDP | CVE-2019-0708
Fortinet VPN | CVE-2018-13379

Further Reading: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
