Understanding Zero-Day Vulnerabilities and the Clop Ransomware Fallout

The Clop ransomware gang has claimed responsibility for the exploitation of a zero-day vulnerability in the secure managed filed transfer (MFT) solution GoAnywhere from software company Fortra, according to Bleeping Computer. The vulnerability (CVE-2023-0669) allowed the ransomware group to execute administrative remote code injection.

“The Clop ransomware group exploited this vulnerability and after authenticating the administrative console, declared they stole documents from 130 companies through administrator ports,” explains Andrew Obadiaru, CISO of cybersecurity and pentesting company Cobalt.

Zero-day vulnerabilities allow threat actors to exploit them before vendors become aware of and patch the flaws. What could the consequences of this breach look like, and what is the outlook on future attacks that exploit this type of vulnerability?

Clop, initially observed in 2019, operates with a ransomware-as-a-service model. Its operators have secured payouts as high as $500 million, according to the US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3). The HC3 report notes that the arrest of a number of ransomware operators in 2021 was expected to lead to a decline in Clop activity, but that has not been the case.

The Consequences of the Attack

“The GoAnywhere MFT software had a vulnerability in the administrator console, allowing attackers to take advantage of it without any authentication. What makes this worse is that more than 1,000 administrator ports (ports 8000 and 8001) for the software appear to remain exposed to the internet and at risk of being exploited,” Shankar Somasundaram, CEO of healthcare IoT security company Asimily, tells InformationWeek.

With Clop’s claim that it was able to steal data from more than 130 organizations, the impact of this zero-day exploit is likely to be significant. “This could have widespread implications for these businesses regarding data loss or being locked out of their own systems. Any organization using GoAnywhere MFT should take this very seriously,” Somasundaram says.

Already, Community Health Systems (CHS) has come forward as a victim of the security breach. In a filing with the United States Securities and Exchange Commission (SEC), the health care provider disclosed that the breach did not interrupt its business operations, but personal information (PI) and protected health information (PHI) was exposed. “With regard to the PHI and PI compromised by the Fortra breach, the company currently estimates that approximately one million individuals may have been affected by this attack,” according to the filing.

The fallout from this breach is likely still unfolding. “When such a breach occurs, attackers are typically able to use data stolen from one breach to impersonate users and successfully breach additional systems. This cascading spiral of breaches can last years after a primary breach, especially when PII [personal identifiable information] and PHI are involved,” says Arti Raman, CEO and founder of cybersecurity company Titaniam.

GoAnywhere is one of many MFT solutions enterprises use to move sensitive information, says Aviv Grafi, CTO and founder of cybersecurity company Votiro. “This newly disclosed exploit of a managed file system is extremely worrisome given the pervasive use of file transfer technologies like GoAnywhere, in large and mid-size organizations,” he says.

Outlook on Zero-Day Vulnerabilities

Zero-day vulnerabilities and exploitation are on the rise. Threat intelligence and cybersecurity company Mandiant identified a total of 80 zero-day exploitations in the wild in 2021, up from the previous record of 32 in 2019.

Somasundaram anticipates the zero-day vulnerability exploitation to continue. “With more black-market movements toward exploit-as-a-service, you are going to find more attackers using such zero-day vulnerabilities to disrupt organizations,” he says.

With threat actors eager to find ways to exploit these vulnerabilities, how can organizations recognize and manage their risks?

Embracing cybersecurity awareness and identifying risk is an important first step. “First and foremost, understand your inventory -- not just your devices but your services, your applications, your connections, your external connectivity, etc. If you cannot see what you have, you cannot protect it,” Somasundaram explains. “Organizations need to evaluate their devices as they bring them into the environment. Analyzing the risk of devices at procurement goes a long way in understanding and mitigating risks.”

It is also important to understand how threat actors execute attacks and prepare accordingly. “Organizations must be aware of each stage a ransomware attack can occur: infiltration, data exfiltration, and system lockup via encryption. Success at any stage could mean cybercriminals now have access to enough leverage to extort their chosen victim for an extended period of time,” Raman says.

Network segmentation, vigilant system monitoring, and regular system patching are all vital tools in an enterprise’s cybersecurity strategy. Andrew Wildrix, CIO of cyber threat intelligence company Intrusion, also argues for the importance of zero trust. “Zero-trust endpoint solutions can help detect and contain the source and spread. Zero-trust gateways can kill the command and control, rendering further attacks useless,” he says.

But threat actors are persistent and resourceful. If and when they find zero-day vulnerabilities, they will exploit them. Organizations can minimize the impact of zero-day exploitation and ransomware. “Invest in backup and recovery tools to help restore systems without being forced to pay for a decryption key,” Raman recommends.

What to Read Next:

6 Worthless Security Tactics That Won't Go Away

Zero Trust: Not Just for Government

How Organizations Should Respond to the CircleCI Security Incident