Security News > 2023 > June > Clop ransomware likely testing MOVEit zero-day since 2021
The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer solution since 2021, according to Kroll security experts.
"Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15-16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing," the report reveals.
Over the weekend, the Clop ransomware gang told Bleepingomputer that they were behind recent data-theft attacks that allowed them to breach MOVEit Transfer servers allegedly belonging to "Hundreds of companies."
"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site," the Microsoft Threat Intelligence team tweeted Sunday night.
The Clop cybercrime group was also behind other high-impact data theft campaigns targeting other managed file transfer platforms, including the zero-day exploitation of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, the mass exploitation of a GoAnywhere MFT zero-day in January 2023.
Since Clop's MOVEit data-theft attacks were detected, the first organizations that were breached as a result have also slowly started surfacing, with UK payroll and HR solutions provider Zellis reporting they suffered a data breach that will likely also impact some of its customers.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |