The Clop ransomware group has claimed responsibility for multiple recent attacks exploiting a zero-day SQL injection vulnerability in MOVEit Transfer, a widely used web-based managed file transfer (MFT) product. The group has instructed victims to contact it and negotiate a payment by June 14 to prevent their data from being leaked publicly; the initial deadline of June 12 was extended. Clop reportedly dropped a web shell named human2.aspx on compromised servers and created an administrator account by manipulating the application database, then used that access to exfiltrate data. Cybersecurity firm SentinelOne reports that it has found attacks against more than 20 organizations across several sectors, including logistics, financial services, pharmaceuticals, and public services. So far, however, the campaign is pure data-theft extortion: no deployment of file-encrypting ransomware has been observed.
SentinelOne has also noted an emerging trend of threat actors exploiting zero-day and N-day vulnerabilities in enterprise managed file transfer applications. Earlier this year, exploitation of a deserialization flaw in the IBM Aspera Faspex file-sharing software led to deployment of the IceFire ransomware. SentinelOne researchers suspect that a thriving vulnerability-development ecosystem is focusing on enterprise file transfer applications.
The Clop group also claims to have erased any data taken from governments, municipalities, or police organizations, saying it has “no interest in exposing such information.” The group has been active since 2019 and has compromised more than 3,000 US organizations and over 8,000 globally, according to a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA). The group, also tracked as TA505, ran the Clop ransomware-as-a-service operation, acted as an initial access broker (IAB) selling access to compromised corporate networks to other groups, and operated a large botnet focused on financial fraud and phishing.
Its technical skills and resources allowed the group to develop three zero-day exploits: for Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, for Fortra/Linoma GoAnywhere MFT servers in early 2023, and most recently for MOVEit Transfer. The group has also built a varied malware toolkit and custom web shells for these attacks, rather than relying on ready-made open-source tools as other extortion groups targeting web servers do.
IT service providers and managed security service providers (MSSPs) are also among Clop's victims. Such organizations are high-value targets for ransomware groups because they potentially hold data that could give attackers access to many other organizations. Cyber insurance firm Coalition recorded a large spike in traffic on May 15 to the legitimate /human.aspx login path of MOVEit Transfer deployments, indicating that the attackers were likely performing reconnaissance to build a target list. Rapid7 observed the first verified breach on May 27, four days before the vulnerability became public knowledge. Since public disclosure, Rapid7 has observed an increase in patching and a slowdown in exploit attempts, says Caitlin Condon, Senior Manager of Security Research at the company.
The SentinelOne report contains threat hunting queries that organizations can use to search their environments for activity associated with these attacks, and CISA's advisory provides YARA detection rules and indicators of compromise.
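As an added illustration of the kind of hunt the article points to (this is example code written for this page, not a query from the SentinelOne report or the CISA advisory), the script below scans IIS W3C access log lines from a MOVEit Transfer server for two of the signals the article names: any request to the human2.aspx web shell path, and a single source hammering the legitimate /human.aspx login page in a way that looks like reconnaissance. The log lines are constructed sample data, the field layout is the default IIS W3C order, and the per-source threshold of five requests per day is an assumed tuning value, not a published indicator.

```python
import re
from collections import Counter

# Constructed sample IIS W3C log lines (not real data). Field order assumed:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-15 10:00:01 198.51.100.7 GET /human.aspx 200
2023-05-15 10:00:02 198.51.100.7 GET /human.aspx 200
2023-05-15 10:00:03 198.51.100.7 GET /human.aspx 200
2023-05-15 10:00:04 198.51.100.7 GET /human.aspx 200
2023-05-15 10:00:05 198.51.100.7 GET /human.aspx 200
2023-05-15 10:00:06 198.51.100.7 GET /human.aspx 200
2023-05-15 10:01:00 203.0.113.9 GET /human.aspx 200
2023-05-15 10:01:10 203.0.113.9 POST /human.aspx 302
2023-05-27 02:13:44 192.0.2.33 POST /human2.aspx 200
2023-05-27 02:13:45 192.0.2.33 POST /human2.aspx 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

WEBSHELL_PATHS = {"/human2.aspx"}  # web shell file name reported in the article
LOGIN_PATH = "/human.aspx"         # legitimate MOVEit Transfer login page
RECON_THRESHOLD = 5                # assumed tuning value; adjust to your baseline


def parse_iis_lines(text):
    """Yield (date, time, client_ip, method, uri_stem, status) per data line,
    skipping IIS '#' directive lines and anything that does not match."""
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m:
            yield m.groups()


def find_webshell_hits(text):
    """Every request to a known web shell path is a hit, whatever the status:
    a 404 still tells you someone probed for the file. IIS paths are
    case-insensitive, so compare in lowercase."""
    return [
        (ip, method, uri)
        for _, _, ip, method, uri, _ in parse_iis_lines(text)
        if uri.lower() in WEBSHELL_PATHS
    ]


def find_recon_sources(text, threshold=RECON_THRESHOLD):
    """Return {(date, client_ip): count} for sources whose GETs to the login
    page reach the threshold on a single day. Legitimate users also hit this
    page, so treat the output as a triage list, not a verdict."""
    hits = Counter()
    for date, _, ip, method, uri, _ in parse_iis_lines(text):
        if method == "GET" and uri.lower() == LOGIN_PATH:
            hits[(date, ip)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ip, method, uri in find_webshell_hits(SAMPLE_LOG):
        print(f"WEBSHELL  {ip} {method} {uri}")
    for (date, ip), n in find_recon_sources(SAMPLE_LOG).items():
        print(f"RECON     {date} {ip} {n} requests to {LOGIN_PATH}")
```

Run it against an exported IIS log instead of SAMPLE_LOG to get a first-pass list; a hit on human2.aspx is worth an immediate look at the wwwroot directory and the MOVEit database's user table for accounts you did not create, while a /human.aspx spike only tells you who was knocking. Use the YARA rules and indicators in the CISA advisory and the SentinelOne hunting queries as the authoritative detections; this script is just a way to see what such a hunt does.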