Searchlight Cyber Analysts

Cl0p Orchestrates Mass Attack With MOVEit Transfer Zero Day


Our threat intelligence team provides context on the MOVEit Transfer supply chain attack that took place this week, and the Cl0p ransomware group that claims to be behind it.

The Story So Far

On June 1, 2023, Progress Software disclosed a zero-day vulnerability in its file transfer software, MOVEit. Victims very quickly emerged from the mass exploitation of the critical vulnerability (CVE-2023-34362).

On June 4, 2023, Microsoft Threat Intelligence linked the attacks to the threat actor Lace Tempest, which is known for operating the Cl0p ransomware leak site.

The Cl0p ransomware gang then took responsibility for the attacks in a dark web post, claiming to hold the data of “hundreds of companies” following a spree of attacks that it says took place over the Memorial Day weekend.

In the post, the Cl0p group asked impacted organizations to email them to begin negotiating a ransom in exchange for the data being deleted. The group threatened that any victim that does not initiate contact before June 14 will be named on its dark web site. The group also claimed to have already deleted all data taken from government, city or police services.

In addition to Cl0p’s activity, we have observed posts on dark web hacking forums about the MOVEit Transfer vulnerability and the data that has allegedly been stolen. For example, in this post on the hacking forum Exploit, a threat actor is asking to buy data stolen from one of the UK victims:

What Is The MOVEit Transfer Vulnerability?

MOVEit Transfer is a tool provided by Progress Software for moving and sharing files between locations. The zero-day being exploited is a SQL injection vulnerability that allows unauthenticated users to gain access to the MOVEit database and execute code of their choice. Remote code execution vulnerabilities of this kind are among the most dangerous, if not the most dangerous, because an attacker who can run code of their choice on a target machine can do virtually anything with it.

The campaign exploiting MOVEit demonstrates the persistent danger of supply chain attacks: because the software is used by companies such as payroll service providers, many other businesses have been impacted in turn. For example, the UK payroll service provider Zellis has confirmed that eight of its customers may have had data stolen through the vulnerability, including British Airways, the BBC, and Boots. Payroll data can include home addresses, National Insurance numbers and, in some cases, bank details.

Who Are Cl0p?

Cl0p is a ransomware-as-a-service operation that has been active since at least February 2019. It is one of the most prolific ransomware gangs, having listed 123 victims on its leak site last year alone.

This latest attack using the MOVEit Transfer vulnerability follows a pattern of activity indicative of the Cl0p ransomware gang, which has a track record of using zero-day exploits to target several organizations at once.

For example, in 2020 Cl0p exploited a zero-day in Accellion's software to attack multiple victims, and early this year the group used a zero-day in Fortra's GoAnywhere software to hold over 130 organizations to ransom.

As BleepingComputer notes, Cl0p also has a track record of executing its attacks over Western holidays, having carried out the Accellion attack on December 23, 2020, in the run-up to Christmas.

Update 06/13

  • Progress Software has released new patches for MOVEit after researchers from the security firm Huntress discovered additional vulnerabilities (CVE-2023-35036) while analyzing the zero-day. There is no evidence that these vulnerabilities have been exploited.
  • Researchers at Kroll have found evidence that the MOVEit vulnerability was being manually tested by cybercriminals as far back as July 2021, possibly as a precursor to the attackers producing automated tooling.

Update 06/21

  • On Wednesday, May 14, Cl0p began posting the names of victims on its dark web leak site, as it had threatened.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) reported that it is supporting multiple federal agencies that have faced intrusions as a result of the MOVEit vulnerability.
  • The US Department of Justice has offered a $10m bounty for information on the Cl0p ransomware gang.
  • Finally, Progress disclosed a third vulnerability in the MOVEit Transfer application.

A patch is available for the MOVEit vulnerability and users should apply it as soon as possible; until it is applied, closely monitor or restrict network traffic to and from the software to minimize the risk of attack.