
Clop, LockBit Leveraging 3 Known Vulnerabilities in Healthcare Ransomware Attacks, HHS Warns

Two Ransomware-as-a-Service groups, Clop and LockBit, have been leveraging known vulnerabilities in Fortra’s GoAnywhere MFT solution and installations of PaperCut to target healthcare.



By Jill McKeon

The Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert about the current operations of the Clop and LockBit ransomware groups. The two Ransomware-as-a-Service (RaaS) groups have recently been exploiting three known vulnerabilities (CVE-2023-27351, CVE-2023-27350, and CVE-2023-0669) to target healthcare organizations.

Specifically, two of the exploited vulnerabilities (CVE-2023-27351 and CVE-2023-27350) affect PaperCut MF and PaperCut NG, widely used print management software, and the third (CVE-2023-0669) affects Fortra's GoAnywhere Managed File Transfer (MFT) solution.

The sector alert follows numerous past HC3 briefs and alerts about Clop and LockBit. As previously reported, Clop claimed earlier this year to have attacked roughly 130 organizations, including healthcare entities, using the GoAnywhere MFT vulnerability.

According to the entry in the National Vulnerability Database (NVD), GoAnywhere MFT "suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object." In practice, an unauthenticated attacker who can reach the administrative console can run commands on the server. Fortra fixed the issue in GoAnywhere MFT 7.1.2, and its initial guidance was that the administrative console should not be reachable from the internet.

Meanwhile, the two PaperCut vulnerabilities let unauthenticated remote attackers bypass the application's authentication: CVE-2023-27350 allows remote code execution on the application server, and CVE-2023-27351 allows disclosure of user information such as usernames and email addresses. PaperCut fixed both in MF/NG releases 20.1.7, 21.2.11, and 22.0.9. PaperCut says it has more than 100 million users worldwide.

“Industry experts also noted that the recent increase in ransomware attacks this past March was attributed to the exploitation of the GoAnywhere MFT vulnerability. There was a 91 [percent] increase in attacks since February 2023, with 459 attacks recorded in March alone,” the most recent alert stated.

“Of those attacks, Cl0p targeted 129 victims. Unlike other RaaS groups, Cl0p unabashedly and almost exclusively targets the healthcare sector. In the calendar year 2021 alone, 77 [percent] (959) of its attack attempts were on this critical infrastructure industry. The attacks in March of this year mark the second time that the threat group known as LockBit has been knocked off the top spot since September 2021.”

To mitigate the PaperCut vulnerabilities, security researchers advised administrators to patch servers immediately and, where patching must wait, to take proactive steps to prevent remote exploitation.

“This includes blocking all traffic to the web management port (default port 9191) from external IP addresses on an edge device, as well as blocking all traffic to the same port on the server’s firewall to restrict management access solely to the server and prevent potential network breaches,” the alert stated.
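The port-blocking step in the quote above, as an added PowerShell example for a PaperCut application server on Windows (this is not code from HC3 or PaperCut). It also covers 9192, the HTTPS counterpart of the 9191 port named in the alert, and allows the web interface only from internal address ranges rather than blocking it outright, because PaperCut user clients and site servers also talk to the application server on these ports. The address ranges, the rule name, and the assumption that each firewall profile defaults to blocking inbound traffic are assumptions to adapt.

```powershell
# Added example, not from the HC3 alert or from PaperCut: scope the PaperCut
# web interface ports to internal networks with Windows Defender Firewall.
# 9191 is the HTTP port named in the alert; 9192 is its HTTPS counterpart.
# Assumptions: PaperCut runs on Windows Server, and the ranges below are the
# networks that legitimately need the web UI (clients, site servers, admins).

$Ports          = @(9191, 9192)
$AllowedSources = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')  # assumption: adjust to your LAN

# 1. Every profile must deny inbound traffic by default; a scoped allow rule
#    only narrows exposure when nothing else lets the traffic in.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Review existing inbound allow rules that open these ports. Windows admits
#    traffic when ANY allow rule matches, so a broad rule left by the installer
#    would silently undo the scoped rule created below. Remove any you find.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $ruleports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ruleports -contains '9191') -or ($ruleports -contains '9192') -or ($ruleports -contains 'Any')
    } |
    Select-Object DisplayName, Action, Profile

# 3. Allow the web interface only from the internal ranges.
New-NetFirewallRule -DisplayName 'PaperCut web interface (internal only)' `
    -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $AllowedSources -Action Allow -Profile Domain,Private

# 4. Verify the scoped rule carries the expected remote address filter.
Get-NetFirewallRule -DisplayName 'PaperCut web interface (internal only)' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Blocking the port at the edge device, as the alert also asks for, is a separate control that this script does not replace. The review step only matches rules whose port filter lists the exact port or "Any"; a rule written as a range (for example 9190-9195) must be checked by hand.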

For the GoAnywhere MFT vulnerability, Fortra recommended that, in addition to upgrading to a fixed release, users rotate the Master Encryption Key, review audit logs for signs of exploitation, delete any suspicious administrator or web user accounts, and reset all credentials.
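Because both vendors fixed these issues in specific releases, the first question for each server is whether its installed build predates the fix. The PowerShell function below is an added example, not code from HC3, PaperCut or Fortra; it encodes the fixed releases (PaperCut MF/NG 20.1.7, 21.2.11 and 22.0.9; GoAnywhere MFT 7.1.2) and reports whether a given installed version is on a fixed branch, or on an older branch that never received a fix and must move to a fixed one. Version strings are assumed to be plain major.minor.patch, and the sample versions at the bottom are constructed.

```powershell
# Added example, not from HC3, PaperCut or Fortra: classify an installed
# PaperCut MF/NG or GoAnywhere MFT version against the releases that fixed the
# CVEs in the alert. Fixed releases per the vendor advisories:
#   PaperCut 20.1.7, 21.2.11, 22.0.9  (CVE-2023-27350, CVE-2023-27351)
#   GoAnywhere MFT 7.1.2              (CVE-2023-0669)
# Assumption: version strings are plain "major.minor.patch".

function Get-PatchStatus {
    param(
        [Parameter(Mandatory)] [ValidateSet('PaperCut', 'GoAnywhere')] [string] $Product,
        [Parameter(Mandatory)] [string] $InstalledVersion
    )

    $fixedReleases = @{
        PaperCut   = @('20.1.7', '21.2.11', '22.0.9')
        GoAnywhere = @('7.1.2')
    }

    $installed = [version] $InstalledVersion
    $fixes     = @($fixedReleases[$Product] | ForEach-Object { [version] $_ })
    $newestFix = @($fixes | Sort-Object)[-1]

    # A fix exists on the installed major.minor branch: compare against it.
    $branchFix = $fixes | Where-Object { $_.Major -eq $installed.Major -and $_.Minor -eq $installed.Minor }
    if ($branchFix) {
        if ($installed -ge $branchFix) { return 'patched' }
        return "vulnerable: update to $branchFix or later on the $($installed.Major).$($installed.Minor) branch"
    }

    # No fix on this branch: anything at or above the newest fixed release
    # already ships the fix; anything older is an unfixed branch and must
    # be upgraded to a fixed branch rather than patched in place.
    if ($installed -ge $newestFix) { return 'patched' }
    return "vulnerable: unfixed branch, upgrade to $newestFix or later"
}

# Constructed sample versions, not taken from any real server.
foreach ($case in @(
        @{ Product = 'PaperCut';   Version = '22.0.8' },
        @{ Product = 'PaperCut';   Version = '21.0.5' },
        @{ Product = 'PaperCut';   Version = '22.0.9' },
        @{ Product = 'GoAnywhere'; Version = '7.1.1' },
        @{ Product = 'GoAnywhere'; Version = '7.2.0' })) {
    $status = Get-PatchStatus -Product $case.Product -InstalledVersion $case.Version
    Write-Output ("{0} {1}: {2}" -f $case.Product, $case.Version, $status)
}
```

Run this with the version shown in the PaperCut admin interface or the GoAnywhere admin console for each server. A result of "patched" only means the build is at or past the fixed release; it says nothing about whether the server was exploited before it was updated, which is what the log review and credential rotation above are for.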

Additionally, healthcare organizations should follow traditional security best practices to reduce risk, including training employees, developing a cybersecurity roadmap, and addressing known vulnerabilities as soon as possible.

“The probability of cyber threat actors, including Cl0p, targeting the healthcare industry remains high,” HC3 warned. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”