Clop Ransomware Group Exploiting 0-Day Vulnerability in MOVEit Transfer
Microsoft analysts have reported that a wave of attacks on the 0-day vulnerability in MOVEit Transfer (CVE-2023-34362) is associated with the activity of the Clop ransomware group.
The vulnerability in the file transfer management solution was discovered at the end of last week, and all versions of MOVEit Transfer were affected. The attacks began on May 27, 2023.
Experts from Huntress, Rapid7, TrustedSec, GreyNoise and Volexity have identified the bug as a SQL injection that leads to remote code execution. Exploitation of the vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment.
The attackers have used the vulnerability to place custom web shells on vulnerable servers, which allowed them to get a list of files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.
Microsoft analysts have identified the Clop hacking group, also known as Lace Tempest (TA505, FIN11 or DEV-0950), as the perpetrators of these attacks.
According to Bleeping Computer, citing its own sources, Clop has not yet begun to extort money from the victims. However, the group usually waits several weeks after stealing data before sending a ransom letter to the management of the affected company.
At the beginning of this year, Clop massively attacked companies using a 0-day vulnerability in another file transfer tool, GoAnywhere MFT, and even earlier, hackers exploited the problem in Accellion FTA in the same way.
As a rule, Clop begins to extort money from victims after first adding them to the list on its “leak site”, threatening that the files stolen from the companies will be published in the public domain if the hackers do not receive a ransom. In the case of the attacks through GoAnywhere MFT, it took the attackers a little over a month before the list of victims appeared on their website.
What is MOVEit Transfer?
MOVEit Transfer is a secure file transfer management solution developed by Ipswitch. It is designed to help organizations securely store, manage, and transfer confidential data. It is used by organizations around the world to protect their data from unauthorized access and malicious attacks.
What is Clop Ransomware?
Clop ransomware is a type of malicious software that is used by cybercriminals to extort money from victims. It is typically spread through malicious emails, malicious websites, and other malicious methods. Once installed, it encrypts the victim’s files and demands a ransom in exchange for the decryption key. Clop ransomware is particularly dangerous because it can spread quickly and can be difficult to detect and remove.