Clop Ransomware Gang Exploiting MOVEit Cybersecurity Vulnerability

June 08, 2023 - The Cybersecurity and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory (CSA) regarding Clop ransomware, a group that has been active since at least February 2019 and has a history of aggressively targeting critical infrastructure entities.

This time, Clop has taken an interest in the recently discovered cybersecurity vulnerability in Progress Software’s MOVEit Transfer software. As previously reported, the critical vulnerability (CVE-2023-34362) involves a SQL injection flaw that may allow unauthorized actors to gain access to MOVEit transfer’s database, infer information about the structure and contents of the database, and alter database elements. 

“According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer,” CISA and the FBI confirmed.

“Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.”

The Health Sector Cybersecurity Coordination Center (HC3) has issued multiple alerts about the tactics of Clop ransomware in recent months, warning healthcare entities about Clop’s use of a known vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution and two vulnerabilities in a widely used printing management software called PaperCut MF/NG.

“The probability of cyber threat actors, including Cl0p, targeting the healthcare industry remains high,” HC3 said in a May 2023 alert. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

CISA and the FBI’s latest alert detailed detection methods and indicators of compromise (IOCs) for the MOVEit Transfer vulnerability and encouraged organizations to implement a variety of mitigations. Specifically, the authoring agencies suggested that organizations audit remote access tools, review logs for the execution of remote access software, restrict the use of PowerShell, and audit user accounts with administrative privileges.

Requiring multi-factor authentication (MFA), maintaining a robust incident response plan, and keeping operating systems up to date can also help organizations mitigate risk.

“In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory,” the CSA continued.

“The authoring authorities of this CSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.”

Progress Software has continued to provide updates on how MOVEit customers can protect their systems. MOVEit Cloud has been patched, and Progress urged MOVEit Transfer customers to apply patches immediately.