Clop Ransomware Strikes Again: Exploiting MOVEit Vulnerability

In a recent turn of events, the notorious Clop ransomware group has claimed responsibility for exploiting a zero-day vulnerability (CVE-2023-34362) in the popular file transfer software, MOVEit. This claim, made on June 5, 2023, marks a significant escalation in the group's activities, demonstrating their advanced strategy of exploiting vulnerabilities in popular enterprise file transfer solutions.

Clop stated that they began exploiting the MOVEit vulnerability on May 27, 2023, and had not yet started extorting victims. However, the situation took a dramatic turn on June 6, 2023, when Clop published a post on its data-leak site, claiming to have stolen data from hundreds of organizations using the MOVEit flaw. The group set a deadline of June 14, 2023, for victims to enter extortion negotiations. If organisations fail to contact Clop by the deadline, their data will be exposed on Clop's data-leak site.

The MOVEit vulnerability allows threat actors to escalate privileges and gain unauthorised access to environments. As unpatched MOVEit servers remain exposed to the Internet, it is likely that exploitation will continue over the next few days by Clop and other threat actors.

This latest attack showcases a new approach from Clop. For the first time ever, Clop posted on its data-leak site to announce its latest campaign and demanded that victims contact Clop to negotiate ransom payments. This change in tactics is designed to increase the pressure on every organisation using MOVEit versions vulnerable to CVE-2023-34362, even those that may not have been compromised by Clop.

The total number of organisations compromised by Clop remains unknown, suggesting a potentially larger campaign than previous attacks. Clop has a history of extorting a large number of organisations simultaneously and has followed through on its threats in the past.

Companies need to evaluate which files are stored on their own MOVEit deployments and on any third-party MOVEit servers.

Given Clop's history of targeting Managed File Transfer (MFT) solutions, we can confidently say that Clop will target similar solutions in the future. It is fundamental that organisations understand their MFT solution's public footprint and harden it as far as they can: restrict public access to authorised users, set up firewall rules that exclude unknown IPs, and apply software patches quickly.

For more details about the vulnerability, you can visit the NIST database entry for CVE-2023-34362.
