CL0P likes to MOVEit MOVEit


Background

For the last couple of years, the threat actors associated with the CL0P ransomware group have occasionally ditched encryption in favour of exploiting file transfer applications in mass data-theft-extortion campaigns. This includes attacking Accellion FTA servers (December 2020), SolarWinds Serv-U FTP servers (November 2021), GoAnywhere MFT servers (February 2023), and PaperCut MF/NG servers (April 2023).

The operators of CL0P are a financially motivated, Russian-speaking cybercrime group. They are tracked, with varying degrees of connections, under multiple threat actor monikers by CTI vendors. This includes TA505 (Proofpoint), Lace Tempest (Microsoft), Graceful Spider (CrowdStrike), FIN11 (Mandiant), and GOLD TAHOE (Secureworks).

The main thing to remember about CL0P is that it is the name of both the ransomware family and the organized cybercrime group. In addition, the ransomware family has more recently been used by other threat actors, such as FIN7, in targeted intrusions, according to both Microsoft and Secureworks.

What are CL0P doing now?

On or around 27 May 2023, the CL0P operators exploited another file transfer server. This time they targeted the MOVEit Transfer application by Progress Software using a SQL injection (SQLi) vulnerability tracked as CVE-2023-34362.

Much like the last set of campaigns against file transfer applications, the threat actors have stolen the files stored by companies on these servers. The CL0P operators will then try to ransom the victims for cryptocurrency in exchange for not leaking the files publicly. No ransomware has been deployed.

So What?

The reason many organizations are concerned about this is that many high-profile victims (e.g., British Airways and the BBC) are impacted, largely because their vendors and suppliers used MOVEit Transfer to store files containing sensitive data.

A Shodan query for the application's favicon also revealed that up to 2,500 systems may be exposed to the internet and vulnerable to the attack. It is unclear, however, exactly how many organizations were impacted, but the number is anticipated to be in the three- or four-digit range.

This incident has gained headline news around the world and many CTI analysts have been, or will inevitably be, questioned about it by their stakeholders.

New Resource

Curated Intelligence is here to help. Our trust group is tracking all the developments of CL0P's MOVEit Transfer hacking campaign in our GitHub repository here:



Campaign Brief Summary (as of 8 June 2023):
  • Rapid7 and Mandiant reportedly began observing exploitation on 27 May 2023
  • GreyNoise reportedly observed scanning for the "human.aspx" files in March 2023
  • It is suspected that CL0P waited until a long bank holiday weekend (Sat, Sun, Mon) in both the US and UK to launch their attack
  • Kroll also claimed they believe CL0P has been trying to exploit MOVEit since 2021
  • CISA and the FBI released an advisory, tying CL0P to TA505 campaigns
  • One of the main victims (that we know about so far) is an HR and Payroll solution called Zellis, whose impacted customers include British Airways, the BBC, Aer Lingus, and Boots, among others.
  • CL0P has made an announcement on their Tor data leak site "CL0P ^_- Leaks" claiming responsibility and providing instructions for how victims can pay the ransom to stop their data from being published