Recent assessments by cybersecurity company Cymulate found that nearly half of the organizations tested, and half of the endpoint detection and response (EDR) tools deployed at them, failed to stop the tactics employed by the Clop ransomware gang.
Cymulate performed 3,107 assessments across 340 organizations to gauge how well their security controls held up against the techniques used to exploit a MOVEit software vulnerability. The results underline the need for stronger defenses against the growing threat of ransomware and data-extortion attacks.
The Alarming Findings
During the assessments, Cymulate sent 14,438 payloads to evaluate the response of organizations in the United States. 43% of these organizations were penetrated by Cymulate's Clop ransomware assessments, indicating significant gaps in their security controls.
Additionally, half of the EDR tools tested, 8 out of 16, had a penetration rate above 46%. Even tools designed specifically to detect and respond to threats are far from infallible.
The Limitations of EDR Tools
Mike DeNapoli, a Cybersecurity Architect and Director at Cymulate, pointed out that while EDR tools may recognize the behavior of an attack after it is executed, they often fail to recognize the known binaries used in the attacks. This oversight can lead to missed indicators of compromise, leaving organizations vulnerable to ransomware attacks.
DeNapoli also noted that even if EDR technologies only identify attack patterns and not individual files, organizations can still be protected. The key lies in having exposure management tools that focus on detecting attack behaviors, thereby providing an additional layer of security.
The MOVEit Vulnerability and Exposure Management
The vulnerability exploited by the Clop ransomware gang is in Progress Software's MOVEit Transfer managed file transfer (MFT) product. It has affected numerous major organizations, including Abbie, Aer Lingus, the BBC, British Airways, and many others.
Rather than following the traditional ransomware playbook of encrypting victims' systems, the Clop gang exploited an SQL injection vulnerability in MOVEit Transfer (tracked as CVE-2023-34362) to gain unauthorized access to the data stored in it. They then leverage the stolen data to extort victims, threatening to publish it unless a ransom is paid.
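To make the mechanism concrete, here is an added example (not MOVEit code and not from the original article) showing, on a constructed SQLite table of file-transfer metadata, how a query that splices user input into SQL text lets an attacker pull every row and then read an unrelated table, and how the same input is harmless once it travels as a bound parameter. The table layout, the `users` table and the payloads are all assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a file-transfer application's metadata.
SAMPLE_FILES = [
    ("alice", "payroll_2023.csv", "/files/alice/payroll_2023.csv"),
    ("bob", "contract.pdf", "/files/bob/contract.pdf"),
    ("carol", "ssn_export.xlsx", "/files/carol/ssn_export.xlsx"),
]
# A second table the "files" endpoint was never meant to expose (constructed values).
SAMPLE_USERS = [
    ("admin", "pbkdf2$constructed-hash-1", "administrator"),
    ("svc_transfer", "pbkdf2$constructed-hash-2", "service"),
]


def build_db():
    """Create an in-memory database with the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT, path TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT, role TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_FILES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def list_files_vulnerable(conn, owner):
    """Deliberately vulnerable: the caller-supplied value becomes part of the SQL text."""
    sql = f"SELECT owner, name, path FROM files WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def list_files_safe(conn, owner):
    """Hardened: the value is bound as a parameter and can never change the query's structure."""
    sql = "SELECT owner, name, path FROM files WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Tautology payload: turns the WHERE clause into "owner = 'bob' OR '1'='1'".
TAUTOLOGY = "bob' OR '1'='1"
# UNION payload: appends a second SELECT against a different table and
# comments out the closing quote the application adds after the value.
UNION_DUMP = "x' UNION SELECT username, pwhash, role FROM users --"


def demo():
    """Run each payload through both query builders and return the rows seen."""
    conn = build_db()
    return {
        "honest": list_files_vulnerable(conn, "bob"),
        "tautology_vuln": list_files_vulnerable(conn, TAUTOLOGY),
        "union_vuln": list_files_vulnerable(conn, UNION_DUMP),
        "tautology_safe": list_files_safe(conn, TAUTOLOGY),
        "union_safe": list_files_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The honest call returns Bob's single file; the tautology returns all three owners' files, and the UNION payload returns the credential table instead, which is the shape of a pure data-theft attack: no malware on disk, just queries the application was never supposed to run. The parameterized version returns nothing for either payload because the whole string is compared as an owner name.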
Exposure management is therefore the first line of mitigation. An organization that does not run the targeted platform, in this case MOVEit Transfer, is not directly exposed, because the attackers have nothing to exploit. The caveat is that exposure can be indirect: several of the organizations listed above were hit because a third-party service provider handling their data ran MOVEit Transfer, so an inventory of vendors' platforms matters as much as an inventory of one's own.
Combining that inventory with detection that focuses on attacker behavior, rather than relying solely on file-based signatures, gives organizations a realistic defense against the Clop gang and similar threats.
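The following is an added example, not from the article or from any EDR vendor, of the distinction drawn in the "Limitations of EDR Tools" section and restated above: a file-hash rule only catches bytes it has already seen, while a behavioral rule catches what a web server worker process should never do. The IOC hash list, the event records and the deployment details (an IIS worker named `w3wp.exe`, a web root under `C:\inetpub\wwwroot`) are constructed assumptions, not real Clop or MOVEit indicators.

```python
import hashlib
from dataclasses import dataclass

# Constructed "known bad" list standing in for a file-based IOC feed.
# These are hashes of made-up byte strings, not real indicators.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"webshell build 1").hexdigest()}


@dataclass
class Event:
    kind: str             # "file_write" or "process_start"
    actor: str            # image name of the process performing the action
    target: str           # path written (file_write) or child command line (process_start)
    content: bytes = b""  # bytes written, for file_write events


# Assumed deployment details for the rules below.
WEB_WORKERS = {"w3wp.exe"}                 # IIS worker process
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",)    # compared case-insensitively
SCRIPT_EXT = (".aspx", ".ashx", ".asmx")   # server-side script types a worker should not create
SHELLS = {"cmd.exe", "powershell.exe"}


def hash_rule(ev):
    """File-based detection: flag only bytes whose hash is already on the IOC list."""
    if ev.kind != "file_write":
        return None
    if hashlib.sha256(ev.content).hexdigest() in KNOWN_BAD_SHA256:
        return "file hash matches known-bad IOC"
    return None


def behavior_rule(ev):
    """Behavioral detection: flag actions a web worker should never take, whatever the bytes."""
    if ev.actor.lower() not in WEB_WORKERS:
        return None
    if ev.kind == "file_write":
        path = ev.target.lower()
        if path.startswith(WEB_ROOTS) and path.endswith(SCRIPT_EXT):
            return "web worker wrote a server-side script into its own web root"
    if ev.kind == "process_start":
        parts = ev.target.split()
        if parts:
            child = parts[0].rsplit("\\", 1)[-1].lower()
            if child in SHELLS:
                return "web worker spawned a command interpreter"
    return None


def triage(events):
    """Return one (index, hash_verdict, behavior_verdict) tuple per event; None means no alert."""
    return [(i, hash_rule(ev), behavior_rule(ev)) for i, ev in enumerate(events)]


# Constructed event stream: a known web shell, a recompiled variant with a new hash,
# a shell spawned from the worker, and one benign file write by a user process.
SAMPLE_EVENTS = [
    Event("file_write", "w3wp.exe", r"C:\inetpub\wwwroot\upload_helper.aspx", b"webshell build 1"),
    Event("file_write", "w3wp.exe", r"C:\inetpub\wwwroot\report_view.aspx", b"webshell build 2"),
    Event("process_start", "w3wp.exe", r"C:\Windows\System32\cmd.exe /c whoami"),
    Event("file_write", "explorer.exe", r"C:\Users\alice\notes.txt", b"meeting notes"),
]

if __name__ == "__main__":
    for i, by_hash, by_behavior in triage(SAMPLE_EVENTS):
        print(f"event {i}: hash={by_hash!r} behavior={by_behavior!r}")
```

Only the first event trips the hash rule; the recompiled shell and the spawned interpreter are invisible to it but are caught by the behavioral rule, while the benign write triggers neither. In practice the behavioral rule is the one worth tuning, because an attacker controls the bytes but not the fact that a web worker has to write the shell and execute commands to be useful.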
Multiple Threat Actors and the Call for Action
Researchers have attributed the widespread exploitation of the MOVEit Transfer zero-day to an activity cluster tracked under several vendor names, including FIN11, TA505, and Lace Tempest. FIN11 and TA505 were once used interchangeably; FIN11 is now understood to be a subset of the activity attributed to TA505. Lace Tempest, Microsoft's name for the group running the Clop extortion site, overlaps with FIN11 as well.
The severity of the situation prompted the U.S. Government to offer a reward of up to $10 million under its Rewards for Justice program for information linking the Clop gang to a foreign government. Organizations and individuals should remain vigilant and take proactive measures against ransomware and data-extortion attacks. Robust security practices, including exposure management and continuous security assessments, let organizations fortify their defenses and reduce the risk of becoming the next victim.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go beyond these. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.