Clop ransomware group behind MOVEit file transfer hacks: Microsoft

The Clop ransomware group is allegedly exploiting a serious zero-day vulnerability affecting the widely-used MOVEit file transfer tool, according to research from Microsoft.

Since Thursday, cybersecurity experts have raised alarms about the new vulnerability — tagged as CVE-2023-34362 — affecting Progress Software’s MOVEit Transfer solution.

The vulnerability was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of exploited bugs on Friday, giving all federal civilian agencies in the U.S. until June 23 to apply any mitigations or patches, which were released this weekend.

On Sunday, Microsoft identified the perpetrators as the Clop ransomware group — which has made a point of exploiting popular file transfer services used by major corporations and governments in the last three years.

“Microsoft is attributing [the] attacks … to Lace Tempest, known for ransomware operations & running the Clop extortion site,” Microsoft’s security team said on Sunday. “The threat actor has used similar vulnerabilities in the past to steal data & extort victims … Exploitation is often followed by deployment of a web shell w/ data exfil capabilities.”

The BBC and British Airways became the first victims to confirm that they had data stolen through the exploitation of the issue after their payroll provider, Zellis, was affected by the vulnerability. BleepingComputer first reported that MOVEit-related attacks started over Memorial Day weekend.

Security firm Censys has observed 3,803 hosts exposed to the internet currently running the MOVEit service, and experts have spent recent days trying to understand which group was behind the bug’s exploitation.

The vulnerability has sparked concern because of its wide usage among governments and large financial institutions. Data from the software company Censys shows the education sector has 27 hosts exposed on the internet while more than 60 from U.S. federal and state government arms are still exposed.

On Sunday, incident responders from the cybersecurity company Rapid7 identified a method to determine which, and how much, data was exfiltrated from MOVEit customer environments.

The Clop ransomware group recently exploited a vulnerability affecting Fortra’s GoAnywhere file transfer product. The group said it stole data from more than 130 companies, governments and organizations — including the government of Tasmania, the city of Toronto, British multinational conglomerate Virgin, mining giant Rio Tinto, Procter & Gamble, Japanese tech giant Hitachi, Hatch Bank, the U.K. Pension Protection Fund, cloud data management giant Rubrik and more.

Clop ransomware actors were also the primary cybercriminals behind a spate of attacks that targeted the Accellion file transfer tool, stealing data from some of the biggest companies and schools in the world including the University of Colorado, Kroger, Morgan Stanley and Shell.