Clop Ransomware Exploits MOVEit

Timeline of the Attacks and Lessons Learned 

Almost every day, the echoes of new attacks or the nefarious exploits of insidious attack groups reach our ears. These days, the wind whispers with a sense of dread, carrying the name of the Clop ransomware group. Today, we unveil the dark tale of the Clop, which has orchestrated a calculated attack by leveraging a critical zero-day vulnerability in MOVEit Transfer, a popular file transfer software.  

MOVEit Transfer is a widely-used managed file transfer software product that offers secure file encryption and utilizes robust file transfer protocols to facilitate the secure data exchange. With additional features such as automation services, analytics, and failover options, MOVEit Transfer has been a preferred choice for organizations seeking reliable and secure file transfer capabilities.

This exploit aims to infiltrate customer databases and extract valuable data. The consequences of this calculated attack have been dire, unleashing multiple waves of data breaches since late May. This serves as a stark reminder of the urgent need to take proactive cybersecurity measures. 

This blog provides an overview of the actual timeline of events related to the Clop ransomware campaign (which occurred earlier than previously reported), highlighting the implications and lessons from this cyber assault. 

CHRONICLES OF THE MOVEIT CAMPAIGN  

EXPLOITATION AND IMPLICATIONS 

On May 27, the Clop ransomware gang initiated the exploitation of the MOVEit Transfer system’s zero-day vulnerability. Notably, instead of immediately extorting the victims, Clop took time to assess the stolen data and determine the most advantageous approach for their ransom demands.

On June 6, the Clop ransomware gang officially claimed responsibility for exploiting the MOVEit vulnerability. They assert that any data related to governments, military entities, and children’s hospitals has been deleted. However, reports indicate that several US federal agencies and government contractors have fallen victim to the Clop ransomware attack. On June 7, the FBI and CISA released a joint alert. It detailed the tactics, techniques, and procedures (TTPs) employed by the Clop ransomware group and recommended mitigation steps. 

Clop confirms its involvement in the MOVEit Transfer data-theft attacks. They announced that they have used the zero-day vulnerability to breach servers of “hundreds of companies” and steal data. Microsoft has identified the vulnerability as CVE-2023-34362 and linked it to the hacking group ‘Lace Tempest’ or TA505/FIN11. An APT group that is known for ransomware campaigns and operation of the Clop extortion site. 

AFTERMATH  

The Clop ransomware gang’s exploitation of the MOVEit Transfer system has underscored the critical need for robust cybersecurity measures and proactive vulnerability management. In this landscape of escalating threats, Veriti stands resolute, empowering organizations to strengthen their security posture and safeguard their assets without sacrificing business uptime. 

More than two-thirds of Veriti’s customers had hardened their security defenses and activated relevant protections as soon as it was available, thanks to Veriti’s advanced optimization and non-disruptive remediation features. 

This proactive approach ensured that organizations were well-prepared and fortified against the impending cyber assault. 

• With Veriti, organizations gain the advantage of comprehensive configuration optimization. By aligning system configurations with the organization’s threat landscape, Veriti fine-tunes security settings to withstand potential threats, further bolstering the organization’s defenses. 
• Furthermore, Veriti provides advanced vulnerability mitigation capabilities. Its powerful tools enable organizations to vulnerability assessment reports and BAS recommendations into actionable remediation paths, staying one step ahead of cyber attacks.  

• Veriti offers streamlined, non-disruptive remediation, allowing organizations to efficiently resolve security issues without interrupting their day-to-day operations. This seamless process ensures continuous business continuity while effectively mitigating vulnerabilities and strengthening the organization’s security foundation.