It's Not Funny But Big Boys Do Cry: Recent Breaches and the Unyielding Threat of CLOP

Updated: Sep 2, 2023

By: Greg Benjamin and Yobie Benjamin

In the ever-evolving digital landscape, cyberattacks targeting critical information and data have become a persistent and potent threat. Recently, an IT firm providing services to Medicaid, Medicare, U.S. student loan servicers, and government programs fell victim to hackers who exploited the MOVEit file transfer software, potentially exposing the information of up to 10 million people.

This alarming incident serves as a wake-up call for organizations worldwide to bolster their cybersecurity defenses. Furthermore, the far-reaching impact of the hacking group Clop, compromising prominent entities across various sectors, serves as a stark reminder of the sophisticated and audacious nature of modern cyber threats. In this comprehensive analysis, we will delve deeper into these incidents, explore key examples, and glean vital lessons on safeguarding against the relentless threat of cyberattacks.

The breach of the MOVEit file transfer software, a commonly used IT tool, highlights the dire implications of data security vulnerabilities. The potential exposure of sensitive data, including government program information and individuals' data, underscores the critical need for secure file sharing protocols and robust cybersecurity measures.

To mitigate such breaches, organizations must adopt a multi-layered security approach. This includes thoroughly knowing and verifying the passive and active Software Bill of Materials (SBOM) for all current production software, whether on-premises or in the cloud. Implementing data encryption, access controls, and intrusion detection systems can add an extra layer of protection against potential threats. Regular security assessments and audits are essential for identifying vulnerabilities and addressing them proactively.

The Menace of Clop: A Ruthless Cyber Threat

Clop, an aggressive Russian hacking group (believed to be state-sponsored), has unleashed cyber havoc worldwide, targeting a wide range of organizations, including Toyota Boshoku Corporation, Deloitte, EY, PwC, and others. This chilling reality underscores that no government, industry, or company is exempt from the peril of cyber threats.

Clop's association with other notorious hacking groups like TA505 and FIN11 reveals a high level of sophistication and coordination in their operations. Their characteristic ransomware, Clop or Cl0p, suspected to be developed in the Russian Federation, shatters the myth that these hackers are merely inexperienced teenagers exploring software vulnerabilities.

Clop's techniques and exploits are continually evolving, demanding constant vigilance and adaptive cybersecurity measures. The group predominantly targets Windows systems using a Win32 executable written in C++. Their ransomware encrypts files with RC4 and protects the RC4 key with a 1024-bit RSA public key. Phishing emails serve as the primary initial access vector, and Clop exploits known vulnerabilities (CVEs) such as CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211.

Cobalt Strike and Beacon: Double-Edged Swords

Clop leverages Cobalt Strike, a commercial penetration testing product, to enhance their attacks. Cobalt Strike deploys an agent named 'Beacon' on victim machines, giving attackers a broad set of capabilities, such as command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz credential theft, port scanning, and lateral movement.

Beacon's in-memory/file-less nature makes it highly elusive, and its advanced capabilities render it a favorite among targeted attackers and criminal users alike. The availability of a toolkit called Artifact Kit enables cybercriminals to further customize their attacks.

Governments and companies across various sectors must prioritize cybersecurity readiness to defend against cyber threats. Investing in advanced and proactive runtime SBOM tools, alongside advanced threat detection and response systems, can help organizations detect and neutralize potential threats before significant damage occurs. Collaboration among industry peers and the sharing of threat intelligence can create a unified defense network against cybercriminals.

Companies must dispel the notion that cyber threats come solely from inexperienced hackers. Investing in robust cybersecurity training for employees can empower them to recognize and report potential threats effectively. Understanding the tactics used by hacking groups like Clop can aid in developing targeted defense strategies.

To counter phishing attacks, organizations should invest in passive and active SBOM systems and robust email filtering, and conduct regular phishing simulations for employees. Implementing strict patch management policies can prevent CVE exploitation by ensuring systems are up to date and resilient against known vulnerabilities.

The recent MOVEit file transfer breach and the persistent threat of Clop underscore the relentless nature of cyberattacks in the modern world. Organizations must remain vigilant, continuously update their cybersecurity practices, and foster a culture of security awareness among employees. By learning from these real-world examples and investing in comprehensive cybersecurity solutions, businesses can effectively fortify their defenses and protect sensitive data from the ever-evolving tactics of cybercriminals. Additionally, collaboration among industry peers and the sharing of threat intelligence can create a unified front against cyber threats, ensuring a safer digital environment for all.