Ransomware, Vulnerability Management, Threat Management

After GoAnywhere MFT hack, HHS again warns of Clop ransomware threat

Healthcare business graph data and growth, Insurance Healthcare. Doctor analyzing medical of business report and medical examination with network connection on laptop screen. (iStock via Getty Images)

After the Clop ransomware group claimed responsibility for the massive targeted cyberattacks that exploited a zero-day vulnerability in the Fortra GoAnywhere MFT, the Department of Health and Human Services is again urging entities to bolster its defenses against Clop’s newest tactics.

More than 130 organizations were reportedly targeted by the Russian-backed group, including Community Health Systems in Tennessee. As previously reported, over 1 million patients saw their personal and health information compromised by the exploit of GoAnywhere.

It didn’t take long for Clop to claim responsibility for the attacks and alleged data exfiltration launched over the course of 10 days. The group also claimed it could “encrypt affected healthcare systems by deploying ransomware payloads.” The group has refused to validate these claims.

Fortra warned clients of the remote code execution vulnerability in early February and provided a workaround while it works on a patch. While initially it appeared as if an actor would need access to the admin console from within a private company network, a virtual private network (VPN), or allow-listed IPs, an active exploit was released soon after the disclosure.

Notably, prior to an emergency patch, users were required to create an account to access the vulnerability report, which was heavily criticized by cybersecurity experts. As noted earlier, Ben Krebs was the first to find details on the zero-day vulnerability and post the full alert text.

Cybersecurity & Infrastructure Security Agency recently added the GoAnywhere vulnerability, CVE-2023-0669, to its public catalog of Known Exploited Vulnerabilities. On Feb. 15, CISA ordered all federal civilian executive branch agencies to apply the patch before March 3.

Ever-evolving to increase impact

Although “these claims are uncorroborated, Clop continues to exhibit a history of employing trend-setting TTPs across multiple operations,” according to the alert. “Clop’s alleged attack this year only further exacerbates an ever-growing trend to target the healthcare industry and highlights its vulnerabilities to future attacks.”

The threat is not hypothetical. Just two months ago, research from Hold Security Founder Alex Holden revealed Clop actors were actively working to breach trust between the patient and provider relationship by using telehealth platforms to register as patients and sharing malware-infected files with the doctor.

The research prompted the earlier HHS alert, and an added note that Clop was designed to target Windows systems. That same month, SentinelLabs discovered the first Linux-based Clop variant “using the same encryption method and similar process logic.”

While the variant is currently flawed, the latest HHS alert warned that “the prevalent use of Linux in servers and cloud workloads makes it easy to suggest that Clop could employ this new ransomware campaign to target additional industries, including healthcare.”

What’s more, Clop doesn’t adhere to the same rules as other ransomware-as-a-service (RaaS) groups, as it “unabashedly and almost exclusively targets the healthcare sector.” In 2021, 77% of its attacks were against healthcare. That same year, law enforcement arrested six members, which had little impact on the group’s success.

“Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector,” the alert warns. “The probability of cyber threat actors like Clop targeting the healthcare industry remains high.”

Healthcare entities are being urged to review the updated alert on Clop’s threat to the sector, which includes possible new tactics, details on recent attacks, and its techniques for exploiting vulnerabilities, as well as possible defensive measures that could reduce the risk of exploit.

Clop has targeted "healthcare since 2019, evolving its tactics to effectively combine ransomware and data theft in novel ways,” said John Riggi, AHA’s national advisor for cybersecurity and risk, in a statement. “Healthcare organizations should immediately apply the security patches recommended in these alerts and review the scope, security and necessity of secure file transfer systems.”

HHS has also added additional remediation recommendations to its previous alert, which include training staff on social-engineering attacks deployed via email or network access, developing a cyber roadmap taught clearly to all workforce members, and assessing all enterprise risks around vulnerabilities and prioritizing the plan against budget and staff.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.