Clop Ransomware Gang Asserts It Hacked MOVEit Instances
Russian-Speaking Extortion Operation Says It Will Start Listing Victims on June 14

The Clop ransomware-as-a-service gang said it is the actor behind a spate of hacks taking advantage of a vulnerability in Progress Software's MOVEit managed file transfer application.
On Tuesday, Clop said on its dark web leak site, in all caps, that it has used the MOVEit flaw to download information from hundreds of companies. "We download alot of your data as part of exceptional exploit. We are the only one who perform such attack and relax because your data is safe," the Russian-speaking criminal gang wrote in a misspelled post.
Clop's assertion is not unexpected; Microsoft this week attributed the attacks to Clop affiliate FIN11, which the computing giant tracks as Lace Tempest (see: Microsoft Attributes MOVEit Transfer Hack to Clop Affiliate).
Gang representatives reportedly took credit for the attacks Monday in communications with Bleeping Computer and a Reuters reporter.
Clop said it will begin posting the names of victims starting on June 14 unless it hears from them first. It also asserted that it had erased data obtained from "government, city or police service" sources since "We have no interest to expose such information."
Information Security Media Group could not independently verify Clop's claims. The gang earlier this year used a vulnerability in another managed file transfer application, Fortra's GoAnywhere MFT, to attack dozens of victims.
Threat actors on May 27 began active exploitation of the MOVEit vulnerability, tracked as CVE-2023-34362. Progress Software released a patch on May 31*.
Cybersecurity firm GreyNoise said it had detected scanning activity associated with the vulnerability as early as March 3, and that the IP addresses performing the scans were ones it had already classified as malicious.
The MOVEit flaw is a SQL injection vulnerability that allows an unauthenticated attacker to gain access to the MOVEit Transfer database. Mandiant said it is aware of "multiple cases where large volumes of files have been stolen." Mandiant also warned that the attackers may have stolen the Azure Blob Storage settings that MOVEit Transfer keeps in its configuration, which would let them pull files from the associated cloud storage as well.
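To make the vulnerability class concrete, the following is an added, generic illustration of SQL injection written for this page; it is not MOVEit Transfer code and says nothing about how the real flaw was triggered. It uses an in-memory SQLite table of constructed sample rows and a hypothetical file-listing function written two ways: once with the user-supplied value concatenated into the query, once with a bound parameter. The two constructed payloads show why an injectable query amounts to database access rather than just a broken lookup: one widens the WHERE clause to return every row, the other uses UNION to read the schema out of sqlite_master.

```python
"""Generic SQL injection illustration (added example, not MOVEit code)."""
import sqlite3


def build_db():
    """Constructed sample data: a table of files owned by different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [
            ("alice", "payroll-2023.csv"),
            ("bob", "contracts.zip"),
            ("carol", "hr-records.xlsx"),
        ],
    )
    return conn


def list_files_vulnerable(conn, owner):
    """Hypothetical vulnerable lookup: untrusted input is pasted into the
    query text, so the caller controls SQL syntax, not just a value."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_parameterized(conn, owner):
    """Hardened form: the value is bound separately from the statement, so
    quotes or keywords in the input cannot change the query's structure."""
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Constructed payloads. The first turns the WHERE clause into a tautology and
# dumps every row; the second appends a UNION that reads table definitions
# from SQLite's schema catalogue, then comments out the trailing quote.
PAYLOAD_DUMP_ALL = "alice' OR '1'='1"
PAYLOAD_READ_SCHEMA = "x' UNION SELECT sql FROM sqlite_master--"


def demo():
    """Run both lookups against the same payloads and return the results."""
    conn = build_db()
    return {
        "honest_vuln": list_files_vulnerable(conn, "alice"),
        "honest_param": list_files_parameterized(conn, "alice"),
        "dump_vuln": list_files_vulnerable(conn, PAYLOAD_DUMP_ALL),
        "dump_param": list_files_parameterized(conn, PAYLOAD_DUMP_ALL),
        "schema_vuln": list_files_vulnerable(conn, PAYLOAD_READ_SCHEMA),
        "schema_param": list_files_parameterized(conn, PAYLOAD_READ_SCHEMA),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

For the honest input both functions return the same single file. For either payload the parameterized version returns nothing, because SQLite looks for an owner literally named `alice' OR '1'='1`; the concatenated version returns all three users' files, or the CREATE TABLE statement for the schema payload. Any database-backed service that builds queries this way from request data gives a remote caller the same reach into its tables.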
The list of known victims is, for the moment, short, but it includes British payroll provider Zellis. Through it, affected organizations include the airlines British Airways and Aer Lingus, as well as the BBC and U.K. drugstore chain Boots.
The government of Canadian province Nova Scotia acknowledged that MOVEit hackers had breached residents' personal information. And the University of Rochester said Friday it is investigating a cybersecurity attack on its file transfer software. A university spokesperson didn't immediately confirm that the software in question is MOVEit. A representative of Progress Software also did not immediately return a request for comment.
*Correction June 8, 2023 21:49 UTC: Corrects the date that Progress Software issued a patch for the MOVEit zero day vulnerability, which was May 31.