Quarterly Briefing: Threat Actors and Unpatched Vulnerabilities


28.12.2024


ENTRYZERO

32% of security incidents involving ransomware attacks start with unpatched vulnerabilities and lead to business-critical consequences. In our weekly briefing on the five vulnerabilities most relevant to attackers, we have reported on vulnerabilities that matter to threat actors. In this ongoing series we will provide quarterly reviews of selected threat actors together with the security incidents and exploited vulnerabilities associated with them.

Fourth Quarter 2024

Threat Actor: Clop Ransomware Gang

Threat Actor Whois: Clop (also known as “Cl0p”) is a sophisticated cybercriminal organization active since 2019. The group has targeted a diverse range of organizations across sectors, including energy, cybersecurity, retail, and education. Clop is infamous for employing double extortion tactics, which involve encrypting victims’ data while simultaneously threatening to publicly release sensitive information if ransom demands are not fulfilled.

Threat Actor Key Characteristics:

  • Focus on Vulnerabilities in File Transfer Software: Clop frequently exploits vulnerabilities in widely used file transfer software to gain unauthorized access to sensitive data. For example, in the 2023 MOVEit data breach, Clop leveraged a vulnerability in Progress Software’s MOVEit Transfer application, resulting in breaches that affected millions of individuals and numerous organizations. By late 2024, Clop had turned its attention to Cleo’s managed file transfer products, specifically Harmony, VLTrader, and LexiCom.
  • Double Extortion: Clop’s hallmark tactic involves exfiltrating sensitive data before encrypting it, coercing victims into payment by threatening to release the stolen data publicly.
  • Targeted Attacks: The group focuses on large organizations with high-value assets.
  • Collaboration with Other Threat Actors: Clop operates within a broader cybercriminal ecosystem, frequently collaborating with other threat actors to amplify the scale and success of its operations.

Selected Security Breaches Associated with the Threat Actor:

Clop has orchestrated high-profile attacks across various industries worldwide. Notable victims include energy giant Shell, cybersecurity firm Qualys, supermarket chain Kroger, and educational institutions such as the University of Colorado, Stanford Medicine, University of Maryland Baltimore, and the University of California. In December 2024, Clop claimed on its dark web portal to have breached 66 companies and provided a 48-hour ultimatum for ransom payments following data breaches linked to vulnerabilities in Cleo’s software.

Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access:

Clop is known to use the following techniques to gain initial access to its victims’ IT infrastructure:

Selected Vulnerabilities Exploited by Threat Actor:

Clop has been documented exploiting numerous CVEs, including:

Product                                                           Vulnerability
Cleo Managed File Transfer Products (Harmony, VLTrader, LexiCom)  CVE-2024-50623, CVE-2024-55956
MOVEit Transfer Software                                          CVE-2023-34362
GoAnywhere Managed File Transfer                                  CVE-2023-0669
Accellion File Transfer Appliance                                 CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
SolarWinds Serv-U FTP                                             CVE-2021-35211
Microsoft Exchange Server                                         CVE-2021-26855, CVE-2021-27065
Citrix ADC and Gateway                                            CVE-2019-19781
Pulse Secure VPN                                                  CVE-2019-11510
Fortinet FortiOS                                                  CVE-2018-13379

Further Reading

Third Quarter 2024

Threat Actor: LockBit

Threat Actor Whois: LockBit operates primarily under a Ransomware-as-a-Service model. This threat actor has become one of the most notorious and successful ransomware groups of recent years. It first emerged around 2019 and has undergone multiple iterations (e.g., LockBit 2.0, LockBit 3.0), improving its techniques with each version. Its primary goal is to deploy ransomware on a victim’s network to encrypt data, extort ransom payments, and threaten to leak the victim’s sensitive information. LockBit is not known to favor big-game-hunting targets, nor does it have specific industries it prefers to target. In February, international law enforcement seized LockBit’s infrastructure, and arrests were made in connection with the coordinated international operation. However, less than one week later, the ransomware group relaunched its operation.

Threat Actor Key Characteristics:

  • Ransomware-as-a-Service: LockBit provides its ransomware tools to affiliates (other cybercriminals) who carry out the attacks. These affiliates receive a percentage of the ransom payment, with LockBit taking a cut.
  • Double Extortion: Like many modern ransomware groups, LockBit employs double extortion, meaning it not only encrypts the victim’s files but also threatens to release sensitive data if the ransom isn’t paid.
  • Highly Automated and Fast: LockBit ransomware is known for its high level of automation, which allows it to spread across a network and encrypt files quickly.

Selected Security Breaches Associated with Threat Actor:

LockBit has been responsible for numerous high-profile breaches, targeting various industries and organizations around the globe. Some notable victims include Evolve Bank and Trust (2024), Boeing (2023), Thales Group (2022), Mercedes-Benz USA (2021), and Accenture (2021). These attacks demonstrate the group’s ability to infiltrate organizations across different sectors. In the third quarter of 2024, LockBit continued its assault on numerous companies. Below is a small list of selected breaches associated with LockBit sourced from Blackfog. While some incidents have been publicly disclosed, many remain undisclosed:

Victim Name                                 Victim Information            Victim Location
Kulicke & Soffa                             Semiconductor manufacturer    Singapore
KBC Zagreb                                  University hospital center    Croatia
Wattle Range Council                        Local government              Australia
Clay County Indiana                         Local government              USA
Federated Co-Operatives                     Co-operative federation       Canada
Real Hospital Português de Beneficência     Private hospital              Brazil
Lothar Rapp                                 Contractor                    Germany
Customs Support Group                       Customs broker                Netherlands
Akanea                                      Software company              France
Barking Well Media                          Media company                 Greece
Luis Oliveras                               Food product supplier         Spain
Exol Lubricants                             Lubricant manufacturer        UK
GB Ricambi SpA                              Machinery manufacturer        Italy

Selected MITRE ATT&CK Techniques Used by Threat Actor for Initial Access:

LockBit is known to use the following techniques to gain initial access to its victims’ IT infrastructure:

Selected Vulnerabilities Exploited by Threat Actor:

LockBit affiliates have been documented exploiting numerous CVEs, including:

Product                                        Vulnerability
Citrix VPN (Bleed)                             CVE-2023-4966, CVE-2019-19781
PaperCut MF/NG                                 CVE-2023-27350
Fortra GoAnywhere                              CVE-2023-0669
Microsoft Exchange (ProxyLogon, ProxyShell)    CVE-2021-2685, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207
Apache (Log4j2)                                CVE-2021-44228
F5 BIG-IP and BIG-IQ                           CVE-2021-22986
Pulse Secure VPN                               CVE-2019-11510
Microsoft RDP                                  CVE-2019-0708
Fortinet VPN                                   CVE-2018-13379
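The two "Product / Vulnerability" tables in this briefing (Clop above in the fourth-quarter section, LockBit here) overlap on several CVEs, and the practical question for a defender is which of those CVEs are still open on their own estate. The following added example is not part of the original briefing or ENTRYZERO's tooling: it parses excerpts of both tables in the flattened form in which the page renders them, builds a CVE-to-actor index, and joins it against a constructed, hypothetical scanner inventory so that CVEs exploited by more than one tracked actor surface first. The host names, the inventory and the table excerpts are all constructed; only the CVE identifiers and product names come from the briefing.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two briefing tables, kept in the flattened form
# in which the page extracted them (product name run straight into the CVE list).
CLOP_TABLE = """\
Cleo Managed File Transfer Products (Harmony, VLTrader, LexiCom)CVE-2024-50623, CVE-2024-55956
MOVEit Transfer SoftwareCVE-2023-34362
GoAnywhere Managed File TransferCVE-2023-0669
Citrix ADC and GatewayCVE-2019-19781
Fortinet FortiOSCVE-2018-13379
"""

LOCKBIT_TABLE = """\
Citrix VPN (Bleed)CVE-2023-4966, CVE-2019-19781
PaperCut MF/NGCVE-2023-27350
Fortra GoAnywhereCVE-2023-0669
Apache (Log4j2)CVE-2021-44228
Fortinet VPNCVE-2018-13379
"""

# CVE identifier syntax: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_table(text):
    """Split each flattened row at the first CVE ID into (product, [cve, ...])."""
    rows = []
    for line in text.splitlines():
        match = CVE_RE.search(line)
        if match is None:
            continue  # header or blank line
        product = line[: match.start()].strip()
        rows.append((product, CVE_RE.findall(line)))
    return rows


def build_index(tables):
    """Map each CVE to the set of actors reported exploiting it and to one product name."""
    actors_by_cve = defaultdict(set)
    product_by_cve = {}
    for actor, text in tables.items():
        for product, cves in parse_table(text):
            for cve in cves:
                actors_by_cve[cve].add(actor)
                product_by_cve.setdefault(cve, product)
    return actors_by_cve, product_by_cve


# Constructed scanner output for hypothetical hosts: host -> unpatched CVEs reported on it.
INVENTORY = {
    "mft-gw-01": ["CVE-2023-0669", "CVE-2022-0001"],
    "vpn-edge-02": ["CVE-2019-19781", "CVE-2018-13379"],
    "print-srv-03": ["CVE-2023-27350"],
    "mail-04": ["CVE-2024-00001"],
}


def prioritize(inventory, actors_by_cve):
    """Return (host, cve, actors) for open CVEs that a tracked actor exploits,
    ordered by number of actors (descending), then CVE, then host.
    Open CVEs that no tracked actor uses are dropped from the list."""
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve in actors_by_cve:
                hits.append((host, cve, tuple(sorted(actors_by_cve[cve]))))
    hits.sort(key=lambda hit: (-len(hit[2]), hit[1], hit[0]))
    return hits


if __name__ == "__main__":
    actors, products = build_index({"Clop": CLOP_TABLE, "LockBit": LOCKBIT_TABLE})
    for host, cve, who in prioritize(INVENTORY, actors):
        print(f"{host:14} {cve:16} {products[cve]:45} {', '.join(who)}")
```

In the constructed inventory, the GoAnywhere and Citrix/Fortinet findings rank ahead of the PaperCut one because both Clop and LockBit appear against those CVEs in the briefing; the two CVEs that no tracked actor exploits are left out of the prioritized list rather than silently ranked last, so the output only ever contains items the briefing gives a reason to act on.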

Further Reading: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
