CTI Banner

Bridewell Intelligence Report: Cl0P Ransomware Zero-Day Attacks

Published 24 March 2023

A recent wave of cyber attacks has left approximately 130 organisations exposed to the highly sophisticated CL0P ransomware. The threat actors behind the CL0P group have been leveraging a zero-day vulnerability in the GoAnywhere MFT software (CVE-2023-0669) to compromise systems and are now publishing the victims' details on their dedicated leak site in an effort to extort the victims. Bridewell's advanced threat intelligence capabilities offer organisations invaluable insight and protection against such devastating attacks.

Bridewell's Commentary on the Cl0P Ransomware Attack

Our Cyber Threat Intelligence (CTI) team has been closely monitoring the CL0P group's activities since the discovery of the zero-day vulnerability on 8th February 2023.  

"By conducting in-depth adversary malware analysis, we were able to detect the Command and Control (C2) Indicators of Attack (IoA) 48 days before the attacks occurred. This proactive approach enables us to stay ahead of emerging threats and provides our CTI customers with a critical layer of protection against rapidly evolving cyber threats. - Chris Duggan, Head of Bridewell Cyber Threat Intelligence

Sharing Indicators of Attack to Aid Victims

In light of the recent CL0P attacks, Bridewell is sharing IoAs which some are previously unreported to help impacted organisations investigate and detect any potential threats within their systems. 

These C2 IoAs, are potentially linked to the CL0P attacks:

  • 45.182.189[.]200
  • 45.182.189[.]228 
  • 45.182.189[.]229 
  • 88.214.27[.]100 
  • 88.214.27[.]101 
  • 92.118.36[.]210 
  • 92.118.36[.]213

Organisations should search for these IoAs within their systems and take immediate action to mitigate any detected threats. By sharing this information, we hope to aid victims in their efforts to eradicate the adversary and restore their systems to a secure state. 

Zero-Day Vulnerability and Impacted Technology

The CL0P group exploited a zero-day vulnerability (CVE-2023-0669) in the GoAnywhere MFT secure file transfer tool. The vulnerability allowed remote code execution, enabling the threat actors to compromise the systems of the affected organisations.


Bridewell's Incident Response and Threat Intelligence Capabilities

Bridewell offers an advanced incident response service to help organisations mitigate the damage caused by cyber attacks, such as the CL0P attack. Our team of experienced professionals work swiftly to quickly contain and eradicate threats, ensuring minimal disruption and maximum security for our clients.

Our advanced threat intelligence capabilities, including proactive monitoring and analysis of emerging threats, enable us to provide the critical information organisations need to stay ahead of the ever-changing cyber threat landscape.

If your organisation has been impacted by the recent CL0P ransomware attacks, Bridewell is here to help. We understand the challenges and complexities of dealing with a cyber incident, and our team of experts is ready to assist you in navigating this difficult time. We offer support in incident response, threat mitigation, and recovery to help you regain control of your systems and protect your valuable assets.

The CL0P ransomware attack underscores the significance of vigilance and staying informed on the latest threat intelligence. Bridewell helps its clients stay secure through a comprehensive and integrated approach to cybersecurity, encompassing threat intelligence, vulnerability management, and active 24/7 managed detection and response.

Our clients benefit from our Cyber Threat Intelligence service, which provides real-time insights into emerging threats and vulnerabilities. With a dedicated team analysing the latest intelligence and prioritising threats based on their potential impact, our clients can stay ahead of the evolving cyber threat landscape.

Bridewell's comprehensive Vulnerability Management Program identifies, assesses, and mitigates potential vulnerabilities in clients' networks, systems, and applications. This proactive approach, which includes regular vulnerability scanning, penetration testing, and patch management, helps our clients minimise their exposure to cyber risks.

With our 24/7 Managed Detection and Response service, clients benefit from the expertise of our dedicated Security Operations Centre (SOC). The SOC uses advanced threat detection tools and techniques to actively monitor clients' IT and OT systems, swiftly identifying, investigating, and responding to potential threats in real-time.

The unique advantage for Bridewell clients is the seamless integration of these services. Our threat intelligence team informs the vulnerability management program of new and emerging threats that may affect an organisation. The vulnerability management team then prioritises the most critical vulnerabilities to address, based on the potential impact of a successful attack.

By leveraging insights from vulnerability management and threat intelligence, our SOC can effectively identify and respond to potential threats based on indicators and behaviours. This holistic and proactive approach to cybersecurity allows Bridewell clients to better protect themselves against the constantly evolving threat landscape.


Register for instant alerts to Bridewell threat advisories or to speak with a member of our Cyber Threat Intelligence team.


Learn more about our Bridewell's Threat Intelligence.