Security News

The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the company's names on a data leak site-an often-employed tactic before public disclosure of stolen information. The Clop gang took responsibility for the attacks, claiming to have breached "Hundreds of companies" and warning that their names would be added to a data leak site on June 14th if negotiations did not occur.

On Monday, Microsoft was the first to attribute the attacks to the Clop ransomware operation, followed by the threat actors telling BleepingComputer that they started exploiting servers on May 27th. After analyzing historic telemetry, Kroll security experts also found that the Clop gang likely tested the MOVEit Transfer zero-day since 2021 in limited attacks. Rhysida ransomware group claims attack on Martinique June 5th 2023 Microsoft links Clop ransomware gang to MOVEit data-theft attacks.

The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer solution since 2021, according to Kroll security experts. "Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15-16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing," the report reveals.

The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer solution since 2021, according to Kroll security experts. "Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15-16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing," the report reveals.

The U.S. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer solution known as MOVEit Transfer," the agencies said.

Clop, the ransomware crew that has exploited the MOVEit vulnerability extensively to steal corporate data, has given victims a June 14 deadline to pay up or the purloined information will be leaked. Crucially, to steal the data, Clop exploited a deployment of MOVEit used by payroll services provider Zellis; British Airways et al are customers of Zellis, so when Clop broke into the payroll company's IT systems, the miscreants were able to snatch valuable employee data belonging to a host of orgs.

The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach multiple companies' servers and steal data. Conducting attacks around holidays is a common tactic for the Clop ransomware operation, which has previously undertaken large-scale exploitation attacks during holidays when staff is at a minimum.

Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations. "Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site," the Microsoft Threat Intelligence team tweeted Sunday night.

A financially motivated cybercriminal group known as FIN7 resurfaced last month, with Microsoft threat analysts linking it to attacks where the end goal was the deployment of Clop ransomware payloads on victims' networks. "The group was observed deploying the Clop ransomware in opportunistic attacks in April 2023, its first ransomware campaign since late 2021.".

It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks. An item of interest was Microsoft linking the recent PaperCut server attacks on the Clop and LockBit ransomware operation.