Clop ransomware gang was testing MOVEit Transfer bug since 2021

Pierluigi Paganini June 09, 2023

Researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021.

Kroll security experts discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021.

Kroll investigated the exploitation attempts for the MOVEit Transfer vulnerability and discovered that Clop threat actors were likely experimenting with how to exploit this issue as far back as 2021.

The discovery demonstrates the level of sophistication of this specific ransomware gang and its important capabilities. The threat actors were planning and organizing attacks on a large scale by exploiting flaws like MOVEit Transfer of GoAnywhere MFT. The experts speculate the Clop group potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation that took place in February 2023.

Kroll observed exploitation attempts for the MOVEit Transfer vulnerability on or around May 27 and 28, 2023, a few days before Progress Software publicly disclosed the issue on May 31, 2023.

This time frame coincided with the observation of Memorial Day weekend in the U.S., a circumstance that suggests that threat actors planned to to launch the attacks during holiday weekends.

Between May 27 and May 28, the experts observed an automated exploitation attack chain aimed at the deployment of the human2.aspx web shell.

“Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021.” reads the analysis published by the security firm. “Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing.”

The attackers employed an automated system to run multiple commands against the organizations in less than 24 seconds.

The threat actors were also testing how to collect and extract sensitive data from compromised MOVEit Transfer servers as far back as April 2022.

The commands sent to the device in July 2021 appeared to be run over a longer amount of time, suggesting that attackers were using a manual process.

“It appears that the Clop threat actors may have been experimenting with ways to exploit the MOVEit Transfer vulnerability for quite some time prior to the recent mass exfiltration event. Kroll observed a similar fact pattern across multiple MOVEit Transfer cases, and in some instances, the activity occurred across multiple organizations within seconds or minutes of each other.” concludes Kroll.

“Kroll assesses with high confidence that the MOVEit Transfer exploit as it exists today:

  • Was available and being used/tested in April 2022
  • Was available and being used/tested in July 2021″

This week, the Clop ransomware group claimed to have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer software.

Over the weekend, the Clop ransomware gang (aka Lace Tempest) was credited by Microsoft for the recent campaign that exploits a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform.

On Wednesday, the Clop ransomware gang published an extortion note on its dark web leak site claiming to have information on hundreds of businesses.

“WE HAVE INFORMATION ON HUNDREDS OF COMPANIES SO OUR DISCUSSION WILL WORK VERY SIMPLE.” reads the message published by the gang.

Clop ransomware MOVEit Transfer

The gang is urging victim organizations to contact them before their name will be added to the list of victims on the leak site. The group has fixed the deadline on June 14.

At this time it not possible to determine the exact number of organizations that were breached by the gang by exploiting the MOVEit Transfer vulnerability.

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

One of the organizations that was hacked by exploiting the above issue is the payroll provider Zellis. The bad news is that as a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised and exposed.

One of Zellis’s customers, the British health and beauty retailer and pharmacy chain Boots also confirmed to have been impacted by the attack. The company has yet to determine the number of impacted employees.

Another impacted firm is the airline Aer Lingus, which confirmed that “some of our current and former employee data” has been disclosed.

This isn’t the first time that Clop ransomware gang carry out hacking campaign on a large scale by exploiting a zero-day vulnerability.

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)



you might also like

leave a comment