CL0P’s Ransomware Rampage – Security Measures for 2024
http://www.indiavpn.org/2024/04/09/cl0ps-ransomware-rampage-security-measures-for-2024/ | Tue, 09 Apr 2024

2023 CL0P Growth

Emerging in early 2019, CL0P first appeared as a more advanced variant of its predecessor, the ‘CryptoMix’ ransomware, and is operated by the cybercrime organisation of the same name. Over the years the group remained active, with significant campaigns throughout 2020 to 2022. But in 2023 the CL0P ransomware gang took itself to new heights and became one of the most active and successful ransomware organizations in the world, capitalizing on countless vulnerabilities and exploits against some of the world’s largest organizations.

The presumed Russian gang took its name from the Russian word “klop,” which translates to “bed bug”; the name is often written as “CLOP” or “cl0p”. Once a victim’s files are encrypted, the “.clop” extension is appended to them.

CL0P’s Methods & Tactics

The CL0P ransomware gang (closely associated with the TA505, FIN11, and UNC2546 cybercrime groups) was renowned for its extremely destructive and aggressive campaigns, which targeted large organizations around the world throughout 2023. The “big game hunter” ransomware gang used the “steal, encrypt and leak” method against numerous large companies, with a particular interest in the Finance, Manufacturing and Healthcare industries.

CL0P operates a Ransomware-as-a-Service (RaaS) model, and its affiliates frequently employ the ‘steal, encrypt, and leak’ tactics common among ransomware affiliates worldwide. If victims fail to meet the demands, their data is published via the gang’s Tor-hosted leak site, known as ‘CL0P^_-LEAKS’. Like many other Russian-speaking cyber gangs, their ransomware does not operate on devices located in the CIS (Commonwealth of Independent States).

LockBit also operates as a Ransomware-as-a-service (RaaS) model.

‘In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates are receiving a share as high as 75%. LockBit’s operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking “guarantor” vouches for them.’ – ‘The Prolificacy of LockBit Ransomware’

SecurityHQ’s Global Threat Landscape 2024 Forecast discussed CL0P’s resurgence in the ransomware landscape and named it as a group to watch in 2024.

3rd Most Prolific Group 2023

After examining the data from ‘CL0P^_-LEAKS’, the threat intelligence team at SecurityHQ was able to collect data on various cybercrime gangs around the world and visualize the extent of CL0P’s rise in activity throughout 2023. The gang’s transition from sitting outside the most active ransomware groups in 2022 to becoming the third most prolific in 2023 is something that should not be taken lightly.

[Figure: SecurityHQ data on threat groups during 2023, ©2024 SecurityHQ]

Latest Activities

Over a month-long period in March 2023, the CL0P ransomware gang exploited a zero-day vulnerability in Fortra GoAnywhere MFT. Tracked as CVE-2023-0669, the flaw allowed attackers to obtain RCE on unpatched, internet-exposed instances of the software. The vulnerability was patched the following day, but the group had already successfully targeted over 100 organisations.

Then, in April, Microsoft identified two ransomware gangs (CL0P and LockBit) exploiting CVE-2023-27350 and CVE-2023-27351, vulnerabilities in the print management software PaperCut, a common tool among large printing firms worldwide. The groups exploited these flaws to deploy the infamous TrueBot malware that had been used many months prior. PaperCut is a perfect target for the likes of CL0P, whose tactics have shifted from simply encrypting files towards stealing data to further extort organisations: PaperCut features a “Print Archiving” tool that saves every job or document sent through its server.

The group’s major event came in May, when the widely used MOVEit Transfer (CVE-2023-24362) and MOVEit Cloud software (CVE-2023-35036) were actively exploited via a previously unknown SQL injection vulnerability. CL0P capitalized on vulnerable networks and systems extremely quickly, extracting sensitive data from some of the world’s largest organizations (BBC, Ernst & Young, PwC, Gen Digital, British Airways, TfL, Siemens, and many more). The group stated it had deleted all data relating to governments, military, and hospitals, but with several US government agencies affected by the MOVEit breach, a $10 million bounty was offered for information that could link the group to a foreign agent.

Lasting Impact of Quadruple Extortion

The group not only played a major role in the influx of ransomware activity throughout 2023 but was almost single-handedly responsible for the drastic increase in average ransomware payments.

CL0P’s operators are renowned for going to extreme lengths to get their message across. After publicly displaying proof of the organisation’s breach and publishing data on their leak site, if their messages are still ignored they go straight to stakeholders and executives to ensure their demands are met. This is known as quadruple extortion.

From single to double, double to triple and now quadruple extortion, it’s fair to say ransomware groups aren’t stopping until they get what they came for. Like double or triple extortion, quadruple extortion adds a new layer, which comes in the form of two main avenues.

  1. The first is DDoS attacks, which aim to shut down an organization’s online presence until the ransom is paid.
  2. The harassment of various stakeholders (customers, media, employees, etc.) increases pressure on the decision-makers.

Defending Against CL0P

To defend against CL0P throughout 2024, SecurityHQ recommends the following:

  • Pay attention to your landscape and your environment. Know what is normal for your environment and what is not so you can act quickly.
  • Develop and review your Incident Response Plan, with clear steps shown so that actions are set in the event of a worst-case scenario.
  • Ensure that Threat Monitoring is in place to identify threats rapidly.
  • Review current cyber security practices to make sure that the best practices are being used.
  • Those at greater risk, for instance, those in industries specifically targeted by CLOP (Finance, Manufacturing, Healthcare), or those that hold sensitive data, should work with an MSSP to ensure that the best security practices are in place.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Their team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to navigate the intricacies of the cyber security threat landscape confidently.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

Note: This contributed article is written by Patrick McAteer, Cyber Threat Intelligence Analyst at SecurityHQ Dubai, who excels in analyzing evolving cyber threats, identifying risks, and crafting actionable intelligence reports to empower proactive defense.

This article is a contributed piece from one of our valued partners.

When Security Measures Go Wrong
http://www.indiavpn.org/2024/01/18/when-security-measures-go-wrong/ | Thu, 18 Jan 2024

Jan 18, 2024 | The Hacker News | Authentication Security / Passwords

In today’s digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access.

However, cybercriminals are relentless in their pursuit of finding ways to bypass MFA systems. One such method gaining traction is MFA spamming attacks, also known as MFA fatigue, or MFA bombing. This article delves into MFA spamming attacks, including the best practices to mitigate this growing threat.

What is MFA spamming?

MFA spamming refers to the malicious act of inundating a target user’s email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim’s account credentials (username and password) to initiate the login process and trigger the MFA notifications.

MFA spamming attack techniques

There are various methods employed to execute MFA spamming attacks, including:

  1. Utilizing automated tools or scripts to flood the targeted victims’ devices with a high volume of verification requests.
  2. Employing social engineering tactics to deceive the target user into accepting a verification request.
  3. Exploiting the API of the MFA system to send a substantial number of false authentication requests to the target user.

By employing these techniques, attackers aim to exploit any unintentional approvals, ultimately gaining unauthorized access to sensitive information or accounts.

Examples of MFA spamming attack

Hackers increasingly leverage MFA spamming attacks to bypass MFA systems. Here are two notable cyberattacks executed using this technique:

  • Between March and May 2021, hackers circumvented the SMS-based multi-factor authentication of Coinbase, considered one of the largest cryptocurrency exchange companies worldwide, and stole cryptocurrencies from over 6,000 customers.
  • In 2022, hackers flooded Crypto.com customers with a large number of notifications to withdraw money from their wallets. Many customers inadvertently approved the fraudulent transaction requests, leading to a loss of 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies.

How to mitigate MFA spamming attacks

Mitigating MFA spamming attacks necessitates the implementation of technical controls and the enforcement of relevant MFA security policies. Here are some effective strategies to prevent such attacks.

Enforce strong password policies and block breached passwords

For the MFA spamming attack to be successful, the attacker must first obtain the login credentials of the target user. Hackers employ various methods to acquire these credentials, including brute force attacks, phishing emails, credential stuffing, and purchasing stolen/breached credentials from the dark web.

The first line of defense against MFA spamming is securing your users’ passwords. Specops Password Policy with Breached Password Protection helps prevent users from utilizing compromised credentials, thereby reducing the risk of attackers gaining unauthorized access to their accounts.

End-user training

Your organization’s end-user training program should emphasize the importance of carefully verifying MFA login requests before approving them. If users encounter a significant number of MFA requests, it should raise suspicion and serve as a potential clue of a targeted cyberattack. In such cases, it is crucial to educate users about the immediate action they should take, which includes resetting their account credentials as a precautionary measure and notifying security teams. By leveraging a self-service password reset solution like Specops uReset, end-users gain the ability to swiftly change their passwords, effectively minimizing the window of opportunity for MFA spamming attacks.

Rate limiting

Organizations should implement rate-limiting mechanisms that restrict the number of authentication requests allowed from a single user account within a specific time frame. By doing so, automated scripts or bots are unable to overwhelm users with an excessive number of requests.

Monitoring and alerting

Implement robust monitoring systems to detect and alert on unusual patterns of MFA requests. This can help identify potential spamming attacks in real time and allow immediate action to be taken.
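The two controls above, rate limiting of push prompts and monitoring for unusual prompt patterns, can be demonstrated in a few dozen lines. The following is an added example, not code from the article or from Specops: a sliding-window limiter that caps how many MFA push prompts one account may trigger in a time window (the identity provider would enforce this before sending the push), and a detector that scans authentication log lines for the MFA-fatigue signature, a burst of denied or ignored prompts followed by an approval. The log format, the field names, the thresholds and the sample lines are all assumptions constructed for this example.

```python
"""Added example (not the article's or Specops' code): MFA push rate limiting
plus MFA-fatigue detection over constructed log lines. Log format, field
names and thresholds are assumptions chosen for this example."""
from collections import defaultdict, deque
from datetime import datetime


class MfaPushLimiter:
    """Allow at most `max_prompts` push prompts per account per `window_s` seconds.

    Timestamps are plain seconds so the limiter can be driven from a test or a
    real clock. Enforced server-side, it stops a script holding valid
    credentials from flooding the user's phone with prompts."""

    def __init__(self, max_prompts: int = 3, window_s: int = 300):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self._sent = defaultdict(deque)  # account -> send timestamps inside the window

    def allow(self, account: str, now: float) -> bool:
        q = self._sent[account]
        while q and now - q[0] > self.window_s:  # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= self.max_prompts:
            return False  # throttled: caller should log and alert instead of sending
        q.append(now)
        return True


# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 UTC timestamp> mfa_push user=<name> result=<approved|denied|timeout> src=<ip>
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-01-18T09:00:01Z mfa_push user=alice result=denied src=203.0.113.7
2024-01-18T09:00:20Z mfa_push user=alice result=denied src=203.0.113.7
2024-01-18T09:00:41Z mfa_push user=alice result=timeout src=203.0.113.7
2024-01-18T09:01:03Z mfa_push user=bob result=approved src=198.51.100.4
2024-01-18T09:01:10Z mfa_push user=alice result=denied src=203.0.113.7
2024-01-18T09:01:35Z mfa_push user=alice result=timeout src=203.0.113.7
2024-01-18T09:02:02Z mfa_push user=alice result=denied src=203.0.113.7
2024-01-18T09:02:30Z mfa_push user=alice result=approved src=203.0.113.7
"""


def parse_line(line: str) -> dict:
    """Parse one log line into a dict: float 'ts', 'event', and the key=value fields."""
    ts_str, event, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["event"] = event
    rec["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00")).timestamp()
    return rec


def detect_mfa_fatigue(lines, window_s: int = 600, burst_threshold: int = 5):
    """Return alerts as (kind, user, count) tuples, in log order.

    'burst': the user received `burst_threshold` prompts within `window_s` seconds.
    'approved_after_burst': an approval that followed at least `burst_threshold`
    denied or timed-out prompts in the window, i.e. a victim giving in to the flood."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, result) pairs inside the window
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "mfa_push":
            continue
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["result"]))
        while q and rec["ts"] - q[0][0] > window_s:
            q.popleft()
        unanswered = sum(1 for _, r in q if r in ("denied", "timeout"))
        if rec["result"] == "approved" and unanswered >= burst_threshold:
            alerts.append(("approved_after_burst", rec["user"], unanswered))
        elif len(q) == burst_threshold:
            alerts.append(("burst", rec["user"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log, alice trips the burst alert on her fifth prompt and the high-severity approved_after_burst alert when she finally approves; bob, with a single approved prompt, generates nothing. The limiter would have refused to send alice's fourth prompt inside the window, which is the point: the detector catches what the limiter lets through, and the two should be deployed together.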

Key takeaways

To effectively protect against MFA spamming, organizations must prioritize robust security practices. One effective tactic is to strengthen password policies and block the use of compromised passwords. Implementing a solution like Specops Password Policy’s Breached Password Protection feature can help organizations achieve this.

Try it free here and see how you can enhance your password security and safeguard your organization against MFA spamming attacks.
