More than 130 healthcare institutions and other organizations were impacted by a ransomware attack targeting the file transfer utility GoAnywhere MFT in February 2023. This attack, linked to the Clop ransomware gang by Microsoft, exploited a zero-day vulnerability that had just been added to the Known Exploited Vulnerabilities public catalog.
This is just the latest ransomware attack leveraging flaws in backup software to target critical infrastructure and other important systems. In the past, attacks have targeted backup servers and other critical applications, including Pulse Secure VPN, Citrix, and Fortinet.
The FBI and CISA advise critical infrastructure companies not to pay ransoms, because payment does not guarantee that files will be restored and may embolden adversaries to continue attacking other organizations. Instead, they recommend sharing boundary logs showing communication with Clop group actors, a sample of the ransom note, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
In the last year, attackers have been using flaws in backup and other software to gain access to victim networks. The BianLian gang, for example, gained access to critical infrastructure organizations in the US and private entities in Australia by using stolen remote desktop protocol (RDP) credentials acquired through initial access brokers or phishing attacks. Once inside the network, the gang deployed file-encrypting ransomware to target systems.
After encrypting data, the gang has also been seen exfiltrating files from victim networks and using file-sharing services. It has been suggested that the Cuba gang is Russian, based on linguistic clues, the exclusion of computers that use a Russian keyboard layout from infections, Russian 404 pages in parts of its infrastructure, and the targeting of Western entities.
Threatpost recently published an article on how the Clop gang is exploiting flaws in backup and other software to target critical infrastructure and other important systems. The article noted that the gang has been exploiting flaws in Veeam Backup and Replication to infiltrate victim networks, and also leveraging a host-based exploit tool called XCodec, which targets a variety of popular software applications including Adobe products.
This is the second time in 2023 that a flaw in backup and recovery software has been used to launch ransomware attacks. The first was the Dish breach, where attackers accessed the network and attacked VMware ESXi servers and backups using a vulnerability in Veritas NetBackup.
The 2023 X-Force Threat Intelligence Index found that the share of cyber incidents involving ransomware has declined by 4 percent, likely because defenders are getting better at detecting and blocking these attacks. However, the overall number of attacks has remained constant over that same period, meaning that threat actors are still succeeding in hitting organizations and stealing their valuable data. To mitigate these risks, enterprises should assess their security posture against the top 5 cybersecurity threats of 2023. They should also consider implementing backup best practices that can help protect against these attacks. In addition, they should explore the many alternatives to Windows for critical infrastructure and consider a more resilient platform that supports multiple operating systems.