Clop Ransomware Group Extorts Money from Companies Affected by MOVEit Transfer Zero-Day Vulnerability
The Clop ransomware group has begun extorting money from companies affected by a mass attack exploiting a zero-day vulnerability in MOVEit Transfer. The hackers have already started listing the names of victim companies on their data leak site, and the breach has been confirmed by oil and gas company Shell and several US federal agencies.
Vulnerability Discovered in MOVEit Transfer
The attack began with a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer managed file transfer solution, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and attacks on them reportedly began as early as May 27, 2023.
Attackers used this vulnerability to deploy custom web shells on affected servers, allowing them to list the files stored on the server, download those files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.
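Because the intrusion described above relied on dropping new web shell files onto the MOVEit Transfer web server, one practical defensive check is a file-integrity comparison of the web root against a baseline taken before the incident window. The script below is an added illustration, not code from the article or from Progress, the vendor of MOVEit Transfer: it hashes files with server-side extensions (the extension list and the sample file names are assumptions, built in a temporary directory rather than taken from a real installation) and reports files that were added, removed or modified since the baseline.

```python
"""File-integrity check for an IIS web root: flag added, removed or modified
server-side files relative to a previously captured baseline manifest.
Added example; the extension list and sample files are assumptions."""
import hashlib
import os
import tempfile

# Assumption: server-executable file types a web shell on IIS would normally use.
WATCHED_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".dll")


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each watched file (path relative to root, '/' separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare two manifests; every list is sorted so output is deterministic."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: capture a baseline, then simulate a dropped web shell
    and a tampered legitimate page, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "login.aspx"), "w") as f:
            f.write("<%@ Page %> legitimate page\n")
        with open(os.path.join(root, "bin", "app.dll"), "wb") as f:
            f.write(b"MZ legitimate binary")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("not a watched extension\n")
        baseline = build_manifest(root)

        # Post-compromise state (constructed): a new .aspx file appears and an
        # existing page is modified in place.
        with open(os.path.join(root, "dropped_shell.aspx"), "w") as f:
            f.write("<%@ Page %> constructed unexpected file\n")
        with open(os.path.join(root, "login.aspx"), "a") as f:
            f.write("<!-- constructed tampering -->\n")
        current = build_manifest(root)
        return diff_manifest(baseline, current)


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest would be written to storage the web server cannot modify and compared on a schedule; any entry in `added` or `modified` for a directory that deployments do not normally touch is worth an immediate look, and, given the credential theft described above, a confirmed web shell should also trigger rotation of the Azure Blob Storage keys held in the application's settings.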
Hundreds of Companies Affected
The attack was linked to the Clop ransomware group (aka Lace Tempest, TA505, FIN11 or DEV-0950). In total, hundreds of companies were compromised during these attacks. Over the past weeks, the breach has been confirmed by many victims, including Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse. Through the Zellis hack, the data of the Irish airline Aer Lingus, British Airways, the BBC, and the British pharmacy chain Boots was compromised.
It also became known that data leaks affected the University of Rochester, the government of Nova Scotia, the authorities of the US states of Missouri and Illinois, BORN Ontario, Ofcom, Extreme Networks and the American Therapeutic Society. Moreover, it emerged this week that the attacks also affected the US Cybersecurity and Infrastructure Security Agency (CISA), which works with various federal agencies, and according to the Federal News Network, two divisions of the US Department of Energy were also hacked.
Data Deleted for Government Organizations
In conversations with journalists, Clop participants emphasized that they automatically delete all data stolen from government organizations. According to them, they try to avoid such attacks altogether, and when one happens anyway, data belonging to the military, children's hospitals, government bodies and the like is erased immediately.
Hackers Posting Lists of Affected Companies
As Bleeping Computer now reports, the hackers have already begun posting lists of affected companies on their website and are threatening to start leaking data on June 21 if ransoms are not paid.
Five of the companies listed by the hackers, British oil and gas company Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia and the University System of Georgia, Heidelberger Druck, and Landal Greenparks, confirmed to reporters that they were affected to varying degrees by attacks on the MOVEit Transfer vulnerability.