The Clop ransomware group, which claims to have stolen data from hundreds of MOVEit Transfer users and their customers, may have been experimenting with the zero-day vulnerability for almost two years.
A forensic review of the exploitation, carried out by researchers at Kroll, indicates the Clop cybergang was likely experimenting with the now-patched file transfer vulnerability (CVE-2023-34362) as early as July 2021.
Organizations that have reported having data exfiltrated by the group last month include the BBC, British Airways, UK drugstore chain Boots, the provincial government of Nova Scotia, and payroll service provider Zellis. Employee data from the BBC, BA and Boots was exposed because the three organizations used Zellis’ services.
Lining up its attacks
Kroll’s discovery that Clop knew about the vulnerability for almost two years suggests the group may already have had a working exploit available when it launched a previous high-profile attack earlier this year.
“According to these observations, the Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023 but chose to execute the attacks sequentially instead of in parallel,” Kroll’s report said.
Russian-backed Clop, also known as Lace Tempest, TA505, and FIN11, claimed responsibility for attacks that exploited a zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer solution, attacks that targeted more than 130 organizations and compromised information belonging to over a million patients.
In a Wednesday joint advisory, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency said the MOVEit Transfer SQL injection vulnerability exploit was similar to a 2020-21 campaign where the group installed a DEWMODE web shell on Accellion FTA servers.
“Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” the advisory read.
Almost two years of suspicious log activity
Kroll said its analysis of impacted MOVEit clients revealed “a broad swath of activity associated with the vulnerability” took place around Memorial Day weekend (May 27-28). Holiday weekends are a favored time for threat actors to launch major offensives, an example being the Kaseya supply chain attack on July 3, 2021.
Clop’s Memorial Day weekend activity appeared to involve instigating an attack chain leading to the human2.aspx web shell being deployed, and was centered around interaction between moveitisapi/moveitisapi.dll and guestaccess.aspx, two legitimate MOVEit Transfer components.
Kroll said a review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity in multiple client environments in April 2022 and as early as July 2021.
The 2022 activity, plus activity seen in the weeks leading up to last month’s attacks, suggested “actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing”.
The malicious activity appeared to be aimed at exfiltrating Organization IDs (“Org IDs”) which identified specific MOVEit Transfer users and would have helped Clop determine which organizations it could access.
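A defender-side way to look in IIS logs for the two indicators this section describes (requests for the human2.aspx web shell, and a client touching moveitisapi/moveitisapi.dll and then guestaccess.aspx in quick succession). This is an added example, not Kroll’s tooling or anything from its report; the log lines are constructed, the #Fields list is trimmed to what the check needs, and the 30-second pairing window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed W3C-style IIS log excerpt (not a real capture). The #Fields
# header defines the column order, exactly as IIS writes it.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-05-27 23:10:01 GET /moveitisapi/moveitisapi.dll 203.0.113.7 200
2023-05-27 23:10:02 POST /guestaccess.aspx 203.0.113.7 200
2023-05-27 23:10:05 POST /human2.aspx 203.0.113.7 404
2023-05-27 23:11:40 GET /human2.aspx 203.0.113.7 200
2023-05-27 23:12:00 GET /api/v1/folders 198.51.100.20 200
2023-05-28 08:00:00 GET /moveitisapi/moveitisapi.dll 198.51.100.20 200
"""

WEB_SHELL = "/human2.aspx"
CHAIN = ("/moveitisapi/moveitisapi.dll", "/guestaccess.aspx")
WINDOW = timedelta(seconds=30)  # assumed pairing window for the chain


def parse_iis(text):
    """Yield one dict per request line, keyed by the log's own #Fields names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_indicators(text):
    """Return (shell_hits, chained_ips).

    shell_hits: every request for human2.aspx as (client_ip, status). 404s are
    kept on purpose: a probe before the shell exists is still worth seeing.
    chained_ips: clients that requested moveitisapi.dll and then
    guestaccess.aspx within WINDOW, the interaction Kroll describes.
    """
    shell_hits, last_dll, chained = [], {}, set()
    for row in parse_iis(text):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip, stem = row["c-ip"], row["cs-uri-stem"].lower()
        if stem == WEB_SHELL:
            shell_hits.append((ip, row["sc-status"]))
        if stem == CHAIN[0]:
            last_dll[ip] = ts
        elif stem == CHAIN[1] and ip in last_dll and ts - last_dll[ip] <= WINDOW:
            chained.add(ip)
    return shell_hits, chained


if __name__ == "__main__":
    hits, ips = find_indicators(SAMPLE_LOG)
    print("web shell requests:", hits)
    print("dll->guestaccess chains from:", sorted(ips))
```

Run it against real IIS logs by feeding the file contents to find_indicators; anything it returns is a lead for a full forensic review, not proof of compromise on its own.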
Clop claims hundreds of victims
On its website this week Clop claimed responsibility for the MOVEit attacks and said victims had until July 14 to make contact if they did not want their names published on the site. It would provide examples of exfiltrated data, it said, and if ransom deals were not successfully negotiated it would publish the stolen information.
Mandiant Consulting’s chief technology officer, Charles Carmakal, said in a LinkedIn post that Clop was “overwhelmed with the number of victims” MOVEit has provided.
“Instead of directly reaching out to victims over email or telephone calls like in prior campaigns, they are asking victims to reach out to them via email,” he said, adding that the group’s threat to publish the names of victims that did not make contact by July 14 “will be a complete debacle”.
In its report, Kroll said after the GoAnywhere attacks, Clop added the names of almost 100 targeted organizations to its site.
“Presently, over 100 victims have at least one post containing stolen data, and nearly 75% of victims have had more than one post exposing data,” the researchers said.