CISA and the FBI have issued a warning about the Clop MFT ransomware, which targets healthcare systems via a vulnerability in Progress Software’s MOVEit Transfer tool. Progress Software has issued patches and upgrades to address the problem. Clop, also known as TA505, exploits the vulnerability with a web shell called LEMURLOOT. The ransomware-as-a-service group has targeted healthcare organizations and used various tactics, including disguising files as medical images. The agencies advise implementing recommended mitigations and anticipate widespread exploitation of unpatched software services.
CISA and the FBI have issued a warning to healthcare systems and other organizations about the tactics employed by the Clop MFT ransomware. They have identified a vulnerability in Progress Software’s managed file transfer tool called MOVEit Transfer, which poses a risk to hospitals and healthcare institutions. This joint federal cybersecurity advisory states that the Clop Ransomware Gang, also known as TA505, has recently started exploiting a previously unknown vulnerability in the MOVEit Transfer tool.
To address this issue, Progress Software has announced the discovery of the MOVEit vulnerability and has published guidance for the affected versions, 2020.0.x onwards. It has also released software upgrades and patches to mitigate the vulnerability. Progress Software offers cloud services and other solutions that integrate with electronic health records and various systems, providing a comprehensive stack for developing digital applications. MOVEit is designed to provide secure and compliant data transfers through encryption, tracking, and access controls, enabling the development of HIPAA-compliant healthcare applications, among others.
Clop ransomware utilizes a web shell called LEMURLOOT, written in C#, which specifically targets the MOVEit Transfer platform. CISA’s summary and technical details, released on June 7, confirmed this, and CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog. The joint advisory explains that the web shell authenticates incoming HTTP requests using a hardcoded password and can execute commands to download files from the MOVEit Transfer system, retrieve Azure system settings, access detailed record information, and manipulate user accounts.
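Because a web shell of this kind lives in the application's web root as an extra ASP.NET page, one defender-side check is to compare the ASPX paths a MOVEit Transfer server actually served (from its IIS logs) against a baseline of pages the legitimate deployment is known to serve. The following is an added Python example, not code from the advisory or the article; the baseline set, the log field layout and the sample log lines are constructed placeholders, not real indicators.

```python
"""Triage IIS W3C logs for requests to ASP.NET pages that are not part of a
known MOVEit Transfer baseline.  A dropped web shell shows up as a new .aspx
path the real application never served, typically receiving POSTs from a
small set of client addresses.  All names and values below are constructed."""
from collections import defaultdict

# Constructed baseline (placeholder): build the real one from a clean install
# or vendor documentation, not from a possibly compromised server.
KNOWN_PAGES = {"/human.aspx", "/moveitisapi/moveitisapi.dll", "/api/v1/token"}

# Constructed sample log. Field layout (declared in the #Fields header):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status.  IIS writes user agents with '+' for spaces, so
# whitespace splitting keeps one token per field.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-01 10:00:01 10.0.0.5 GET /human.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2023-06-01 10:00:07 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 192.0.2.10 Mozilla/5.0 200
2023-06-01 10:02:15 10.0.0.5 POST /unexpected_page.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2023-06-01 10:02:16 10.0.0.5 POST /unexpected_page.aspx - 443 - 198.51.100.7 python-requests/2.31 200
2023-06-01 10:05:40 10.0.0.5 GET /human.aspx - 443 - 192.0.2.11 Mozilla/5.0 200
"""


def parse_iis_lines(log_text):
    """Yield one record per request line, skipping comments and short lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 11:
            continue
        yield {"method": fields[3], "path": fields[4].lower(),
               "client": fields[8], "status": fields[9 + 1]}


def find_unexpected_aspx(log_text, known_pages):
    """Return {path: {hits, clients, methods}} for .aspx paths outside the baseline."""
    known = {p.lower() for p in known_pages}
    findings = defaultdict(lambda: {"hits": 0, "clients": set(), "methods": set()})
    for rec in parse_iis_lines(log_text):
        if not rec["path"].endswith(".aspx") or rec["path"] in known:
            continue
        entry = findings[rec["path"]]
        entry["hits"] += 1
        entry["clients"].add(rec["client"])
        entry["methods"].add(rec["method"])
    return dict(findings)


if __name__ == "__main__":
    for path, info in find_unexpected_aspx(SAMPLE_LOG, KNOWN_PAGES).items():
        print(path, info["hits"], sorted(info["clients"]), sorted(info["methods"]))
```

A hit is a starting point for triage (confirm the file on disk, its creation time and who requested it), not proof of compromise on its own.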
The advisory recommends that IT network defenders review the information and implement the suggested mitigations to safeguard their systems. Clop has set a deadline of June 14 for organizations to negotiate payment; otherwise, they threaten to leak the compromised data.
As part of a larger trend, Community Health Systems (CHS) reported an incident involving the unauthorized disclosure of patient data resulting from a security breach of a third-party vendor’s secure file transfer system. According to CISA, Clop previously claimed to have exfiltrated data from the GoAnywhere MFT platform, affecting approximately 130 victims in ten days. CHS was one of the organizations affected by that wave of zero-day attacks on Fortra’s MFT platform, with approximately one million patients’ health information exposed.
Clop, a ransomware-as-a-service operation, has employed various tactics since its emergence in 2019 to gain control over victims’ data and operations. In January, the Health Sector Cybersecurity Coordination Center highlighted Clop’s direct impact on the healthcare sector. One of their schemes involved infecting files and disguising them as medical images, which were then sent to medical facilities for review, potentially infecting networks before scheduled appointments.
On June 8, the Health Sector Cybersecurity Coordination Center and the U.S. Health & Human Services’ Office of Information Security provided an overview of cyber threat actors targeting the healthcare industry. According to the Office of Information Security, Clop, a Russia-linked ransomware group, primarily targets Windows systems but also affects Linux servers.
Based on previous campaigns, the FBI and CISA expect widespread exploitation of unpatched software services in both private and public networks, given how quickly and easily TA505 has exploited such flaws.