MOVEit Data Theft

Chris Swagler | July 15th, 2023


Microsoft has connected the Clop ransomware group to the recent MOVEit data thefts, in which attackers stole data from companies by exploiting a zero-day vulnerability in the MOVEit Transfer platform. Microsoft attributes the attacks, which exploited the MOVEit Transfer zero-day tracked as CVE-2023-34362, to Lace Tempest, a threat actor known for ransomware operations and for running the Clop extortion site. In the past, the same threat actors have exploited similar vulnerabilities to steal data and extort victims. MOVEit Transfer is a managed file transfer (MFT) solution that lets companies securely exchange files with their partners and clients over SFTP, SCP, and HTTP-based uploads. The attacks are thought to have begun on May 27th, during the long Memorial Day holiday weekend in the United States, and one source was aware of numerous companies having had data stolen in the attacks.

Details of the MOVEit Data Thefts

The threat actors exploited the MOVEit zero-day to install specially crafted webshells on servers, which gave them access to the files stored on the server, let them download those files, and let them steal the credentials and secrets for any configured Azure Blob Storage containers. Although it was not known at the time who was behind the MOVEit data thefts, it was widely assumed that the Clop ransomware operation was responsible because of the similarities to the group's previous attacks. Clop is known for targeting managed file transfer software: it was responsible for the January 2023 data theft attacks that used a GoAnywhere MFT zero-day and for the zero-day exploitation of Accellion FTA servers in 2020. Under Microsoft's new threat actor naming scheme, established in April, the group behind the MOVEit data thefts is tracked as "Lace Tempest"; it is also known as TA505, FIN11, and DEV-0950. According to incident responders, the Clop operation had not yet begun extorting victims, as no extortion demands had been received.
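The webshell drop described above leaves new or altered files in the application's web root, which is where a defender should look first. The following is an added example, not code from the original post or from SpearTip: it builds a hash baseline of a directory tree and reports files that are new, modified, or missing, flagging new server-side script files separately. The directory layout and file contents are constructed for the demo; in practice the baseline would be taken from a known-good MOVEit Transfer install.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that should never appear unexpectedly in a web or upload root.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every file under root as {relative_posix_path: sha256}."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def find_deviations(root: Path, baseline: dict) -> list:
    """Compare the current tree with a baseline.

    Returns sorted (relative_path, reason) tuples. New files with a
    server-side script extension get the reason "new-script" so they
    stand out in a triage list."""
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            is_script = Path(rel).suffix.lower() in SCRIPT_EXTS
            findings.append((rel, "new-script" if is_script else "new"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    findings += [(rel, "missing") for rel in baseline if rel not in current]
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: clean baseline, then a dropped .aspx and an edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.aspx").write_text("<%-- constructed page --%>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        baseline = build_baseline(root)
        (root / "dropped.aspx").write_text("<% /* constructed, not a real artifact */ %>")
        (root / "css" / "site.css").write_text("body{color:red}")
        return find_deviations(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:11s} {rel}")
```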

The Clop group, on the other hand, is known for waiting several weeks after a data theft before emailing company executives with its demands. The Clop ransom note sent during the GoAnywhere extortion attacks stated that the group had not disclosed the affected companies and wanted to negotiate with the companies and their leadership. The group warns that ignoring it will result in the victims' information being sold on the black market and published on its blog, which it claims receives between 30 and 50 thousand unique visitors per day. Once Clop begins extorting victims, it adds them to its data leak site and threatens to publish the stolen files to put additional pressure on them. It took more than a month for GoAnywhere attack victims to appear on the group's extortion site.

With ransomware groups exploiting more zero-day vulnerabilities and stealing sensitive data, it's important for companies to stay aware of the latest threat landscape and regularly update their software to avoid exposure to newly discovered vulnerabilities like the one behind the MOVEit data thefts. At SpearTip, our certified engineers work continuously in our 24/7/365 Security Operations Center, monitoring companies' data networks and software for potential ransomware attacks and exploitation. We focus on restoring companies' operations, isolating ransomware to reclaim their networks, and recovering business-critical assets. Our engineers examine companies' security postures to improve weak points in their networks, and our team engages with companies' people, processes, and technology to measure the maturity of the technical environment. SpearTip provides technical roadmaps for all vulnerabilities uncovered, ensuring companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
