CL0P Ransomware : Latest Attacks

The Cl0p ransomware group has targeted 43 organizations using exploits, most notably the Cleo vulnerability. The majority of these targets were in the manufacturing, retail, and transportation sectors, with a strong focus on U.S.-based organizations. Observations suggest that Cl0p's activity relies on sophisticated techniques for initial access and persistence, and numerous indicators of compromise have been documented.

Affected: Manufacturing sector, Retail sector, Transportation sector, Organizations in the US, Organizations in Canada, Organizations in Europe

Key points:

  • Cl0p ransomware group has been active since early 2019, encrypting files for ransom.
  • The group has recently targeted 43 organizations, exfiltrating sensitive data.
  • Manufacturing sector (37%), Retail (26%), and Transportation (14%) were the most targeted industries.
  • The majority of attacks were directed at U.S.-based organizations (72%).
  • The Cleo vulnerability, CVE-2024-50623 (CVSS: 9.8), was leveraged for initial access.
  • Over 1,600,000 assets are potentially vulnerable due to the Cleo software.
  • Cl0p is associated with the Russian cybercriminal group TA505.
  • Recommendations are provided for enhancing organizational security posture against such attacks.

MITRE Techniques:

  • TA0001: Initial Access – T1190: Exploit Public-Facing Application
  • TA0001: Initial Access – T1566.001: Phishing: Spearphishing Attachment
  • TA0001: Initial Access – T1078: Valid Accounts
  • TA0002: Execution – T1059: Command and Scripting Interpreter
  • TA0002: Execution – T1106: Native API
  • TA0002: Execution – T1204: User Execution
  • TA0003: Persistence – T1547: Boot or Logon Autostart Execution
  • TA0003: Persistence – T1543.003: Create or Modify System Process: Windows Service
  • TA0004: Privilege Escalation – T1484.001: Domain Policy Modification: Group Policy Modification
  • TA0005: Defense Evasion – T1036.001: Masquerading: Invalid Code Signature
  • TA0005: Defense Evasion – T1562.001: Impair Defenses: Disable or Modify Tools
  • TA0010: Exfiltration – T1567: Exfiltration Over Web Service
  • TA0011: Command and Control – T1071: Application Layer Protocol
  • TA0040: Impact – T1486: Data Encrypted for Impact

Indicators of Compromise:

  • [IP Address] 185[.]181.230.103
  • [IP Address] 181[.]214.147.164
  • [IP Address] 5[.]149.249.226
  • [IP Address] 209[.]127.12.38
  • [Hash] 31e0439e6ef1dd29c0db6d96bac59446
Full Story: https://www.cyfirma.com/research/cl0p-ransomware-latest-attacks/