Cl0p Ransomware: Latest Attacks
The Cl0p ransomware group has targeted 43 organizations using exploits, most notably the Cleo vulnerability. The majority of these targets were in the manufacturing, retail, and transportation sectors, with a strong focus on U.S.-based organizations. Observations suggest that Cl0p's activity involves sophisticated techniques for initial access and persistence, with numerous indicators of compromise documented.

Affected: Manufacturing sector, Retail sector, Transportation sector, Organizations in the US, Organizations in Canada, Organizations in Europe

Key points:

  • Cl0p ransomware group has been active since early 2019, encrypting files for ransom.
  • The group has recently targeted 43 organizations, exfiltrating sensitive data.
  • Manufacturing sector (37%), Retail (26%), and Transportation (14%) were the most targeted industries.
  • The majority of attacks were directed at U.S.-based organizations (72%).
  • The Cleo vulnerability, CVE-2024-50623 (CVSS 9.8), was leveraged for initial access.
  • Over 1,600,000 assets are potentially vulnerable due to the Cleo software.
  • Cl0p is associated with the Russian cybercriminal group TA505.
  • Recommendations are provided for enhancing organizational security posture against such attacks.

MITRE Techniques:

  • TA0001: Initial Access – T1190: Exploit Public-Facing Application
  • TA0001: Initial Access – T1566.001: Phishing: Spearphishing Attachment
  • TA0001: Initial Access – T1078: Valid Accounts
  • TA0002: Execution – T1059: Command and Scripting Interpreter
  • TA0002: Execution – T1106: Native API
  • TA0002: Execution – T1204: User Execution
  • TA0003: Persistence – T1547: Boot or Logon Autostart Execution
  • TA0003: Persistence – T1543.003: Create or Modify System Process: Windows Service
  • TA0004: Privilege Escalation – T1484.001: Domain Policy Modification: Group Policy Modification
  • TA0005: Defense Evasion – T1036.001: Masquerading: Invalid Code Signature
  • TA0005: Defense Evasion – T1562.001: Impair Defenses: Disable or Modify Tools
  • TA0010: Exfiltration – T1567: Exfiltration Over Web Service
  • TA0011: Command and Control – T1071: Application Layer Protocol
  • TA0040: Impact – T1486: Data Encrypted for Impact

Indicators of Compromise:

  • [IP Address] 185[.]181.230.103
  • [IP Address] 181[.]214.147.164
  • [IP Address] 5[.]149.249.226
  • [IP Address] 209[.]127.12.38
  • [Hash] 31e0439e6ef1dd29c0db6d96bac59446
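The indicators above are published defanged (`185[.]181.230.103`), so they cannot be pasted straight into a log search. The following added example (not part of the CYFIRMA report or this page) refangs the page's own IoC list, then sweeps a handful of constructed firewall and EDR log lines for exact matches on the IP addresses and the MD5 hash. The log lines and host names are made up for the demonstration; only the IoC values come from the page.

```python
import re

# IoCs exactly as listed on the page, in defanged form.
PAGE_IOCS = [
    "[IP Address] 185[.]181.230.103",
    "[IP Address] 181[.]214.147.164",
    "[IP Address] 5[.]149.249.226",
    "[IP Address] 209[.]127.12.38",
    "[Hash] 31e0439e6ef1dd29c0db6d96bac59446",
]

# One "[Kind] value" indicator per line.
IOC_LINE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s+(?P<value>\S+)$")
# Exact-token matchers used when scanning logs; \b stops 185.181.230.10 from matching 185.181.230.103.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(value: str) -> str:
    """Undo the common defanging conventions so the indicator is a literal again."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def parse_iocs(lines):
    """Return {'ip': set, 'hash': set} from defanged '[Kind] value' lines; unknown kinds are skipped."""
    iocs = {"ip": set(), "hash": set()}
    for line in lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        kind = m.group("kind").lower()
        value = refang(m.group("value"))
        if kind.startswith("ip"):
            iocs["ip"].add(value)
        elif kind.startswith("hash"):
            iocs["hash"].add(value.lower())  # hashes compared case-insensitively
    return iocs


def scan_logs(log_lines, iocs):
    """Return (line_number, kind, value) for every exact IoC match found in the log lines."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for h in MD5.findall(line):
            if h.lower() in iocs["hash"]:
                hits.append((n, "hash", h.lower()))
    return hits


# Constructed sample logs (not from the page): line 2 is a near-miss IP, line 3 carries the hash in upper case.
SAMPLE_LOGS = [
    "2025-01-10T03:12:44Z fw01 ALLOW tcp src=10.20.5.17:51822 dst=185.181.230.103:443",
    "2025-01-10T03:13:02Z fw01 ALLOW tcp src=10.20.5.17:51823 dst=185.181.230.10:443",
    "2025-01-10T03:15:10Z edr host=FS01 event=file_write path=C:\\Windows\\Temp\\svc.dll md5=31E0439E6EF1DD29C0DB6D96BAC59446",
    "2025-01-10T03:16:00Z dns host=FS01 query=updates.example.internal answer=10.0.0.53",
]


def demo():
    """Run the page's IoCs over the constructed logs and return the hits."""
    return scan_logs(SAMPLE_LOGS, parse_iocs(PAGE_IOCS))


if __name__ == "__main__":
    for line_no, kind, value in demo():
        print(f"line {line_no}: {kind} match {value}")
```

Only lines 1 and 3 should fire: the firewall line to `185.181.230.103` and the EDR file write whose MD5 equals the listed hash once lower-cased. The near-miss address on line 2 is ignored because the match is on the whole token, which is the behaviour you want before wiring a list like this into a SIEM rule.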

Full Story: https://www.cyfirma.com/research/cl0p-ransomware-latest-attacks/
