Cyber Crime

Clop ransomware gang was testing MOVEit Transfer bug since 2021

Researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021.

Kroll security experts discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021.

Kroll investigated the exploitation attempts for the MOVEit Transfer vulnerability and discovered that Clop threat actors were likely experimenting with how to exploit this issue as far back as 2021.

The discovery demonstrates the level of sophistication of this specific ransomware gang and its important capabilities. The threat actors were planning and organizing attacks on a large scale by exploiting flaws like MOVEit Transfer of GoAnywhere MFT. The experts speculate the Clop group potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation that took place in February 2023.

Kroll observed exploitation attempts for the MOVEit Transfer vulnerability on or around May 27 and 28, 2023, a few days before Progress Software publicly disclosed the issue on May 31, 2023.

This time frame coincided with the observation of Memorial Day weekend in the U.S., a circumstance that suggests that threat actors planned to to launch the attacks during holiday weekends.

Between May 27 and May 28, the experts observed an automated exploitation attack chain aimed at the deployment of the human2.aspx web shell.

“Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021.” reads the analysis published by the security firm. “Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing.”

The attackers employed an automated system to run multiple commands against the organizations in less than 24 seconds.

The threat actors were also testing how to collect and extract sensitive data from compromised MOVEit Transfer servers as far back as April 2022.

The commands sent to the device in July 2021 appeared to be run over a longer amount of time, suggesting that attackers were using a manual process.

“It appears that the Clop threat actors may have been experimenting with ways to exploit the MOVEit Transfer vulnerability for quite some time prior to the recent mass exfiltration event. Kroll observed a similar fact pattern across multiple MOVEit Transfer cases, and in some instances, the activity occurred across multiple organizations within seconds or minutes of each other.” concludes Kroll.

“Kroll assesses with high confidence that the MOVEit Transfer exploit as it exists today:

  • Was available and being used/tested in April 2022
  • Was available and being used/tested in July 2021″

This week, the Clop ransomware group claimed to have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer software.

Over the weekend, the Clop ransomware gang (aka Lace Tempest) was credited by Microsoft for the recent campaign that exploits a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform.

On Wednesday, the Clop ransomware gang published an extortion note on its dark web leak site claiming to have information on hundreds of businesses.

“WE HAVE INFORMATION ON HUNDREDS OF COMPANIES SO OUR DISCUSSION WILL WORK VERY SIMPLE.” reads the message published by the gang.

The gang is urging victim organizations to contact them before their name will be added to the list of victims on the leak site. The group has fixed the deadline on June 14.

At this time it not possible to determine the exact number of organizations that were breached by the gang by exploiting the MOVEit Transfer vulnerability.

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

One of the organizations that was hacked by exploiting the above issue is the payroll provider Zellis. The bad news is that as a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised and exposed.

One of Zellis’s customers, the British health and beauty retailer and pharmacy chain Boots also confirmed to have been impacted by the attack. The company has yet to determine the number of impacted employees.

Another impacted firm is the airline Aer Lingus, which confirmed that “some of our current and former employee data” has been disclosed.

This isn’t the first time that Clop ransomware gang carry out hacking campaign on a large scale by exploiting a zero-day vulnerability.

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data…

7 hours ago

Japan passed a law allowing preemptive offensive cyber actions<gwmw style="display:none;"></gwmw>

Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…

12 hours ago

Pwn2Own Berlin 2025: total prize money reached $1,078,750

Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total…

18 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

2 days ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

2 days ago