Clop Ransomware Exploits MOVEit

by | Jun 26, 2023

Timeline of the Attacks and Lessons Learned 

Almost every day, the echoes of new attacks or the nefarious exploits of insidious attack groups reach our ears. These days, the wind whispers with a sense of dread, carrying the name of the Clop ransomware group. Today, we unveil the dark tale of the Clop, which has orchestrated a calculated attack by leveraging a critical zero-day vulnerability in MOVEit Transfer, a popular file transfer software.  

MOVEit Transfer is a widely-used managed file transfer software product that offers secure file encryption and utilizes robust file transfer protocols to facilitate the secure data exchange. With additional features such as automation services, analytics, and failover options, MOVEit Transfer has been a preferred choice for organizations seeking reliable and secure file transfer capabilities.

This exploit aims to infiltrate customer databases and extract valuable data. The consequences of this calculated attack have been dire, unleashing multiple waves of data breaches since late May. This serves as a stark reminder of the urgent need to take proactive cybersecurity measures. 

This blog provides an overview of the actual timeline of events related to the Clop ransomware campaign (which occurred earlier than previously reported), highlighting the implications and lessons from this cyber assault. 

CHRONICLES OF THE MOVEIT CAMPAIGN  

May 4

 

The initial evidence of one of the indicators of compromise (IoCs) related to the Clop ransomware campaign is identified

May 11

A second command-and-control (C&C) check is discovered.

May 27

A significant increase in traffic to the Clop C&C server, indicates the presence of a third IoC and heightened cyber activity.

The Clop Ransomware Group publicly announces its active exploitation of the MOVEit vulnerability.

May 31

MOVEit discloses the vulnerability, releases an initial patch, and several vendors update their protection against it.

Despite the availability of protection, over 75% of organizations only detect, rather than block, the exploitation. 

June 4

A large-scale campaign exploiting the vulnerability (not attributed to the Clop group) is observed.

EXPLOITATION AND IMPLICATIONS 

On May 27, the Clop ransomware gang initiated the exploitation of the MOVEit Transfer system’s zero-day vulnerability. Notably, instead of immediately extorting the victims, Clop took time to assess the stolen data and determine the most advantageous approach for their ransom demands.

On June 6, the Clop ransomware gang officially claimed responsibility for exploiting the MOVEit vulnerability. They assert that any data related to governments, military entities, and children’s hospitals has been deleted. However, reports indicate that several US federal agencies and government contractors have fallen victim to the Clop ransomware attack. On June 7, the FBI and CISA released a joint alert. It detailed the tactics, techniques, and procedures (TTPs) employed by the Clop ransomware group and recommended mitigation steps. 

Clop confirms its involvement in the MOVEit Transfer data-theft attacks. They announced that they have used the zero-day vulnerability to breach servers of “hundreds of companies” and steal data. Microsoft has identified the vulnerability as CVE-2023-34362 and linked it to the hacking group ‘Lace Tempest’ or TA505/FIN11. An APT group that is known for ransomware campaigns and operation of the Clop extortion site. 

AFTERMATH  

The Clop ransomware gang’s exploitation of the MOVEit Transfer system has underscored the critical need for robust cybersecurity measures and proactive vulnerability management. In this landscape of escalating threats, Veriti stands resolute, empowering organizations to strengthen their security posture and safeguard their assets without sacrificing business uptime. 

More than two-thirds of Veriti’s customers had hardened their security defenses and activated relevant protections as soon as it was available, thanks to Veriti’s advanced optimization and non-disruptive remediation features. 

This proactive approach ensured that organizations were well-prepared and fortified against the impending cyber assault. 

  • With Veriti, organizations gain the advantage of comprehensive configuration optimization. By aligning system configurations with the organization’s threat landscape, Veriti fine-tunes security settings to withstand potential threats, further bolstering the organization’s defenses. 
  • Furthermore, Veriti provides advanced vulnerability mitigation capabilities. Its powerful tools enable organizations to vulnerability assessment reports and BAS recommendations into actionable remediation paths, staying one step ahead of cyber attacks.  
  • Veriti offers streamlined, non-disruptive remediation, allowing organizations to efficiently resolve security issues without interrupting their day-to-day operations. This seamless process ensures continuous business continuity while effectively mitigating vulnerabilities and strengthening the organization’s security foundation. 

Get your security controls assessment now


Recommended Articles

Subscribe to our BLOG

Get the latest security insights, news and articles delivered to your inbox.

Product

Product Overview

Maximize security posture while ensuring business uptime

Odin

AI-Powered Contextual Cybersearch

Automated Security Controls Assessment

Validate your security control

Integrations

Connect Veriti with your security solutions

Use Cases

Agentless OS-Level Remediation

Proactively safeguard your systems directly at the OS-Level on the endpoint

Vulnerability Remediation

Safely remediate vulnerabilities in one click

Validate Risk Posture

Identify postural gaps by querying your security configuration

Eliminate False Positives

Reduce alert fatigue. Increase Security Effectiveness

Maintain Security Hygiene

Monitor the hygiene of your security solutions

Enhance zero-day Protection

Identify and distribute zero-day indicators of attack

Solutions

VERITI FOR Enterprises

increase business outcomes

VERITI FOR MSSPs

Efficiently manage multiple clients in a consolidated platform

VERITI FOR HEALTHCARE

Neutralize security gaps without impacting healthcare operations

VERITI FOR MANUFACTURING

Protect the heart of your production processes

State of Enterprise Security Controls

DOWNLOAD Report >>

Resources

See all resources

Blog

Veriti's security blog

Downloads

The latest guides, white papers and infographics

Events

Live event and on-demand webinars

Glossary

Our Comprehensive Definitions Guide

MASTERING MODERN OS-LEVEL SECURITY: THE AGENTLESS APPROACH

WATCH NOW>>

Our Story

Learn about Veriti

Leadership Team

Meet the team

Careers

Work with us

Newsroom

Our latest updates

Contact US

Get in touch

CHANNEL PARTNERS

Become a partner

MSSPs

Reduce operational costs