HC3 Issues HPH Sector Alert Following Suspected Clop Cyberattacks
In early February, a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer software (CVE-2023-0669) was exploited in attacks on more than 130 organizations, including several in the healthcare industry such as Community Health Systems (CHS) in Tennessee. That attack affected up to 1 million patients. Fortra issued an alert in early February when the vulnerability was discovered to have been exploited in attacks, and published workarounds to prevent exploitation ahead of an emergency patch, which was made available on February 7.
The attacks have prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue a further warning about the Clop ransomware group, which claimed responsibility for the attacks. According to Clop, the attacks occurred over a period of around 10 days. The group claims to have exploited the vulnerability – a pre-authentication remote code execution vulnerability in the License Response Servlet – allowing the theft of sensitive data. Clop typically uses ransomware to encrypt files after exfiltrating sensitive data, then issues a ransom demand and a threat to publicly release data if payment is not made. In these attacks, the group said it could have deployed ransomware but chose not to do so, instead opting for an extortion-only approach.
Clop is a Russia-linked ransomware group that has been active since at least February 2019, when the first observed attack was conducted by a threat group tracked as TA505 – the group behind the infamous Dridex banking Trojan. Clop (or Cl0p) is the name of the ransomware variant deployed in attacks, which have largely been conducted on organizations in the healthcare and public health (HPH) sector and other critical infrastructure operators. A law enforcement operation against Clop saw 6 individuals arrested in Ukraine in June 2021; however, the group has continued to operate, apparently unaffected by those arrests, and continues to pose a major threat to the HPH sector.
HC3 first issued a warning about the Clop ransomware group in March 2021, and in January this year issued an updated Analyst Note following continued attacks on the HPH sector. While details of some of the tactics, techniques, and procedures used by the Clop ransomware gang have been shared by HC3, the Clop group continues to evolve its tactics as the latest string of attacks has clearly demonstrated.
Defending against cyberattacks by a highly capable threat group that constantly changes tactics can be a challenge; however, HC3 recommends following the advice of many cybersecurity professionals by “prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”