Clop ransomware gang claims the hack of hundreds of victims exploiting MOVEit Transfer bug

Clop ransomware group claims to have hacked hundreds of companies globally by exploiting MOVEit Transfer vulnerability.

The Clop ransomware group may have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer software.

MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection vulnerability, it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

The vulnerability affects all MOVEit Transfer versions, it doesn’t affect the cloud version of the product.

Over the weekend, the Clop ransomware gang (aka Lace Tempest) was credited by Microsoft for the recent campaign that exploits a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform.

On Wednesday, the Clop ransomware gang published an extortion note on its dark web leak site claiming to have information on hundreds of businesses.

“WE HAVE INFORMATION ON HUNDREDS OF COMPANIES SO OUR DISCUSSION WILL WORK VERY SIMPLE.” reads the message published by the gang.

The gang is urging victim organizations to contact them before their name will be added to the list of victims on the leak site. The group has fixed the deadline on June 14.

At this time it not possible to determine the exact number of organizations that were breached by the gang by exploiting the MOVEit Transfer vulnerability.

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

“Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.” reported Rapid7.

One of the organizations that was hacked by exploiting the above issue is the payroll provider Zellis. The bad news is that as a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised and exposed.

One of Zellis’s customers, the British health and beauty retailer and pharmacy chain Boots also confirmed to have been impacted by the attack. The company has yet to determine the number of impacted employees.

Another impacted firm is the airline Aer Lingus, which confirmed that “some of our current and former employee data” has been disclosed.

This isn’t the first time that Clop ransomware gang carry out hacking campaign on a large scale by exploiting a zero-day vulnerability.

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware group)