CISA, FBI warn health systems and others of Clop MFT ransomware tactics

They say a vulnerability in MOVEit Transfer, a managed file transfer product from Progress Software marketed for automated, high-volume, HIPAA- and GDPR-compliant transfers, could leave hospitals and other healthcare organizations at risk.
By Andrea Fox
10:07 AM


A new joint federal cybersecurity warning says that the Clop Ransomware Gang, also known as TA505, began exploiting a previously unknown vulnerability this past month in one of Progress Software's managed file transfer tools, known as MOVEit Transfer.

WHY IT MATTERS

Progress Software announced the discovery of the MOVEit vulnerability and issued guidance listing the known affected versions, 2020.0.x and later, along with software upgrades and patches.

The company provides cloud and other services, which integrate with electronic health records and other systems, and a full stack for developing digital applications. Users can build HIPAA-compliant healthcare applications, for example, and MOVEit controls data transfers with encryption, tracking and access controls.

Clop is using LEMURLOOT, a web shell written in C# and designed to target the MOVEit Transfer platform, CISA said in the summary and technical details it released on June 7. CISA has also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

"The web shell authenticates incoming HTTP requests via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its [Microsoft] Azure system settings, retrieve detailed record information and create, insert, or delete a particular user," the agencies said in the joint advisory.

They are asking IT network defenders to review the advisory and implement the recommended mitigations.
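The behaviour the advisory describes, an ASP.NET page dropped into the application's web root that gates its commands on a hard-coded secret in the request, suggests one concrete hunt a defender can run before or alongside patching: compare the handler files on disk against a known-good manifest, and flag any page whose source compares a request value against a string literal and then reaches for process, configuration or database APIs. The script below is an added example, not code from the CISA/FBI advisory, from Progress Software or from the article; the web root layout, the manifest format, the regex heuristics and the three sample pages are all constructed for illustration and are not published indicators.

```python
"""Hunt for unexpected or tampered ASP.NET handlers in a file-transfer web root.

Added example; not advisory or vendor code. The manifest format, the regex
heuristics and the sample pages written by run_demo() are constructed assumptions.
"""
import hashlib
import os
import re
import tempfile

HANDLER_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Assumed heuristic: a request value (header, query string or form field) compared
# against a string literal is how a dropped shell "authenticates" its operator.
HARDCODED_AUTH = re.compile(
    r'Request\.(Headers|QueryString|Form)\["[^"]+"\]\s*(==|!=)\s*"[^"]+"'
)
# Assumed heuristic: APIs a shell needs to run commands, read settings or touch users.
SENSITIVE_CALLS = re.compile(
    r"(System\.Diagnostics|Process\.Start|ConfigurationManager|SqlCommand)"
)


def sha256_of(path):
    """Stream a file through SHA-256 so large handlers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(web_root, manifest):
    """Return (relative_path, reason) findings for every handler under web_root.

    manifest maps relative path -> SHA-256 of the file in a clean install.
    A file can yield more than one finding (e.g. unknown to the manifest AND
    matching the hard-coded-secret pattern).
    """
    findings = []
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if not name.lower().endswith(HANDLER_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel not in manifest:
                findings.append((rel, "not in known-good manifest"))
            elif manifest[rel] != sha256_of(full):
                findings.append((rel, "hash differs from manifest"))
            # Content check runs even for files the manifest knows about, in case
            # the manifest itself was built after the compromise.
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                src = f.read()
            if HARDCODED_AUTH.search(src) and SENSITIVE_CALLS.search(src):
                findings.append((rel, "hard-coded request secret gating sensitive calls"))
    return findings


def run_demo():
    """Constructed scenario: one clean page, one dropped shell-like page, one tampered page."""
    root = tempfile.mkdtemp(prefix="mft-webroot-demo-")
    clean = b'<%@ Page Language="C#" %>\n<% Response.Write("ok"); %>\n'
    # Constructed look-alike, NOT the real LEMURLOOT source: it mimics only the
    # pattern the advisory describes (secret in the request, then command execution).
    shell = (
        b'<%@ Page Language="C#" %>\n<%\n'
        b'if (Request.Headers["X-Example-Token"] == "constructed-secret") {\n'
        b'  var op = Request.Form["op"];\n'
        b'  System.Diagnostics.Process.Start("cmd.exe", "/c " + op);\n'
        b'}\n%>\n'
    )
    for rel, body in (("default.aspx", clean),
                      ("dropped_example.aspx", shell),
                      ("tampered.aspx", clean)):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    # Manifest as it would have been captured from the pristine install.
    manifest = {rel: hashlib.sha256(clean).hexdigest()
                for rel in ("default.aspx", "tampered.aspx")}
    # Simulate a legitimate page being modified after install.
    with open(os.path.join(root, "tampered.aspx"), "ab") as f:
        f.write(b"<%-- appended after install --%>\n")
    return hunt(root, manifest)


if __name__ == "__main__":
    for path, reason in sorted(run_demo()):
        print(f"{path}: {reason}")
```

In a real deployment the manifest would be built from a freshly installed, patched copy of the product rather than from the running server, and the content heuristics are a triage aid, not a substitute for the vendor's file list or for reviewing web server and database logs around the exploitation window.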

CSO reports that Clop is giving organizations until June 14 to negotiate payment, or it will leak their data.

THE LARGER TREND

In February, Community Health Systems disclosed in a filing with the Securities and Exchange Commission that a third-party secure file transfer vendor had notified it of an incident that resulted in the unauthorized disclosure of its patient data.

Clop claimed to have exfiltrated data through the GoAnywhere MFT platform from approximately 130 victims over the course of 10 days, according to CISA.

When CHS reported that it was part of the wave of zero-day attacks targeting Fortra's MFT platform, it said that as many as one million patients had had their health information exposed.

"The company may have incurred, and may incur in the future, expenses and losses related to this incident that are not covered by insurance," CHS said in its SEC filing.

The ransomware-as-a-service operation has used multiple tactics to take control of its victims' data and operations since its appearance in 2019. 

In January, the Health Sector Cybersecurity Coordination Center said Clop had shifted tactics in ways that directly affect the healthcare and public health sector. In one scheme, Clop operators infected files and disguised them to look like medical images submitted for remote diagnosis.

The attackers submitted the files to medical facilities and booked telehealth appointments in the hope that a provider would open the document before the scheduled appointment, infecting the facility's network.

On June 8, HC3 and the U.S. Department of Health & Human Services' Office of Information Security provided an overview of cyber threat actors targeting healthcare. Clop – a Russia-linked ransomware group – mostly targets Windows systems, but also affects Linux servers, according to OIS.

ON THE RECORD

"Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks," the agencies said in the announcement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
