Progress Software’s MOVEit Transfer file transfer app was recently targeted by the Cl0p ransomware group, which sat on a zero-day vulnerability it had discovered for nearly two years before finally exploiting it. Kroll Threat Intelligence researchers investigated the recent attacks and found evidence that Cl0p actors were experimenting with ways to exploit the MOVEit Transfer vulnerability as far back as July 2021.
Over the holding period, the Cl0p ransomware group periodically launched waves of malicious activity against vulnerable systems to test their access to organizations and to identify the ones to target. The group’s strategy involved probing multiple organizations simultaneously and collecting information from them. The telemetry suggests the threat actors were testing access to vulnerable MOVEit Transfer clients and attempting to retrieve information that could help them identify the organizations where it was installed.
Kroll has concluded with a high degree of confidence that Cl0p actors had a working exploit for the MOVEit vulnerability back in July 2021, but the group likely chose to sit on it for two years for a few reasons. Laurie Iacono, associate managing director, Cyber Risk Business at Kroll, theorized that the group was busy exploiting another file-transfer zero-day it had discovered in Accellion’s File Transfer Appliance, and so may have postponed using the MOVEit Transfer exploit until now.
Additionally, Cl0p members were arrested in 2021, which may have slowed down ransomware activity, and the Ukraine/Russia conflict could also have been a factor. The Cl0p group has a diversified portfolio of cybercrime services, not just ransomware extortion.
The MOVEit Transfer app is a managed file transfer application used by thousands of organizations, including giants like Disney, Chase, GEICO, and US federal agencies, to transfer sensitive data and large files. Apps like MOVEit Transfer have become popular targets for attackers because of the access they provide to the kind of data that organizations are likely willing to pay for, to prevent it from getting leaked or locked up in a ransomware attack.
Cl0p actors exploited a zero-day flaw in Fortra’s GoAnywhere MFT to extort customers of the managed file transfer product earlier this year. The group also exploited yet another file-transfer zero-day it discovered, this time in Accellion’s File Transfer Appliance in 2021.
Vendor reports of attack activity targeting a SQL injection vulnerability in MOVEit Transfer began surfacing on June 1. The threat actor exploited the flaw in the MOVEit Transfer app to steal data from customers of Progress Software, and Cl0p has since used the stolen data to extort several organizations with ransom demands. The US Cybersecurity and Infrastructure Security Agency warned of potentially widespread impact in its recent advisory.
In conclusion, the Cl0p ransomware group’s tactics show its sophistication and patience in exploiting its stash of zero-day vulnerabilities. The two-year wait before launching the attack on the MOVEit Transfer app highlights the group’s careful and calculated approach. Organizations must remain vigilant and patch their systems as soon as possible to avoid falling prey to future attacks by ransomware groups like Cl0p.