Clop Ransomware Group Exploited MOVEit Transfer Vulnerability Since 2021

According to security researchers, the Clop ransomware group has been looking for a way to exploit a vulnerability in MOVEit Transfer since 2021. Hackers say hundreds of companies have been compromised in recent attacks, with Irish airline Aer Lingus, British Airways, the BBC and British pharmacy chain Boots already confirmed the hack.

Vulnerability Discovered

A 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer’s file transfer management solution became known late last week. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.
The bug itself was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment.
Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.
Earlier this week, Microsoft analysts linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950).

Exploitation Since 2021

As experts from the information security company Kroll now report, it seems that hackers have been looking for ways to exploit the mentioned zero-day vulnerability long before the start of mass attacks, and more precisely since 2021.
“Kroll’s review of the Microsoft Internet Information Services (IIS) logs of affected clients found evidence of similar activity occurring in several client environments in the past year (April 2022), and in some cases as late as July 2021,” the researchers wrote.
They also discovered that attackers were testing different ways to collect and steal sensitive data from compromised MOVEit Transfer servers back in April 2022.
“Kroll watched a activity related to the exploitation of a vulnerability in MOVEit Transfer that took place on April 27, 2022, May 15–16, 2023, and May 22, 2023. This indicates that the attackers were checking access to organizations and extracting information from MOVEit Transfer, likely using automated tools,” the report says.
Automated malicious activity increased markedly on May 15, 2023, right before the start of massive attacks on the 0-day vulnerability.
Since similar activity was performed manually in 2021, experts believe that the attackers knew about the bug for a long time, but were preparing the necessary tools to automate mass attacks.

Confirmed Victims

Hackers told reporters this past weekend that the vulnerability allowed them to break into MOVEit Transfer servers owned by “hundreds of companies.” Although after that the media urged not to take the word of the hackers, unfortunately, some victims have already confirmed the fact of compromise.
Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar Land Rover, and the NHS, confirmed that their systems were compromised.
“We can confirm that Zellis was the victim of a cyber attack on May 27, 2023. We immediately took steps to protect our systems and customers, and we are now working with the relevant authorities and our customers to investigate the incident,” the company said in a statement.
British Airways also confirmed the attack, saying that the hackers had accessed the personal and financial details of some of its customers.
“We are investigating the incident and have informed the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). We are also in contact with the police and relevant authorities,” the airline said in a statement.
The BBC also confirmed the attack, saying that the hackers had accessed the personal and financial details of some of its customers.
“We can confirm that we were the victim of a cyber attack on May 27, 2023. We immediately took steps to protect our systems and customers, and we are now working with the relevant authorities and our customers to investigate the incident,” the BBC said in a statement.
British pharmacy chain Boots also confirmed the attack, saying that the hackers had accessed the personal and financial details of some of its customers.
“We can confirm that we were the victim of a cyber attack on May 27, 2023. We immediately took steps to protect our systems and customers, and we are now working with the relevant authorities and our customers to investigate the incident,” Boots said in a statement.
The Clop ransomware group has been exploiting the MOVEit Transfer vulnerability since 2021, and hundreds of companies have already been affected. The hackers have accessed the personal and financial details of some of their customers, and the victims have already confirmed the fact of the attack. Companies affected by the attack are now working with the relevant authorities and their customers to investigate the incident.