The threat group behind the Clop ransomware took credit for the recent attacks exploiting a zero-day SQL injection vulnerability in a popular web-based managed file transfer (MFT) tool called MOVEit Transfer. In a message posted on its data leak site, the gang instructs victims to contact them and negotiate a payment until June 14 or see their data leaked publicly.
The message, which was modified several times, including to extend the deadline from June 12 to June 14, tells organizations that after initial contact over email they will receive a unique link to a real-time chat over the Tor network where they will be given a price for the secure deletion of their stolen data and can ask for a small number of random files as verification. If no agreement is reached in seven days, the attackers threaten to start publishing the data.
This is in line with the observed TTPs, where attackers used the MOVEit exploit to inject a web shell called human2.aspx and created an admin account in the application database that the web shell can then leverage to exfiltrate data. No deployment of file-encrypting ransomware has been observed, so this is a case of data leak extortion only.
New report reveals 20 victims of Clop MOVEit exploit
Cybersecurity firm SentinelOne said in a report that it has confirmed attacks against more than 20 organizations from industries including aviation, transportation, logistics, entertainment, financial services, insurance, healthcare, pharmaceuticals, manufacturing, mechanical engineering, media, technology, utilities, and public services.
Interestingly, the Clop gang said in its message that it erased any data exfiltrated from websites belonging to governments, municipalities, or police agencies because they “have no interest in exposing such information.” It’s not clear if the same exception is extended to utilities and public services, but this statement is more likely an attempt by the group to avoid drawing additional heat like other gangs did in the past after targeting governments.
For example, following a major attack against the Costa Rican government by the Conti ransomware gang in 2022, the US State Department put up a reward of $10 million for information related to the identity or location of Conti’s leaders, which likely contributed to the group’s decision to shut down operations shortly after.
Clop group active and successful since 2019
The Clop gang, or TA505 as it’s also known in the security industry, has been involved in ransomware distribution and extortion since 2019. According to a new CISA advisory, the group has compromised over 3,000 organizations in the US and over 8,000 globally to date. Aside from running the Clop ransomware-as-a-service operation, the group also acted as an initial access broker (IAB) selling access to compromised corporate networks to other groups, as well as operated a large botnet specialized in financial fraud and phishing.
The group’s technical skill and resources is also highlighted in the fact that it developed three zero-day exploits so far: for Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, the Fortra/Linoma GoAnywhere MFT servers in early 2023, and now the MOVEit transfer application. The group has also developed a diverse malware toolkit and custom webshells for these attacks instead of relying on open-source ready-made tools like other extortion groups that target web servers.
“Cloud-focused extortion actors like Bianlian and Karakurt use multipurpose file management tools like Rclone and Filezilla,” the SentinelOne researchers said. “A bespoke webshell designed to steal Azure files through SQL queries specific to the targeted environment represents a notable departure from this established norm and suggests the tooling was likely developed and tested well in advance of ITW [in-the-wild] attacks.”
Enterprise file transfer applications a target for threat groups
SentinelOne notes a trend in the exploitation of zero-day and N-day flaws in enterprise managed file transfer applications with another example being the exploitation of a deserialization flaw in the IBM Aspera Faspex file sharing software in March that led to deployment of the IceFire ransomware. “There is likely an abundant exploit development ecosystem focused on enterprise file transfer applications,” the researchers concluded.
More worrying is that among the targets for the MOVEit exploit, SentinelOne saw managed IT service providers (MSPs) and managed security service providers (MSSPs). These type of organizations are high-value targets for ransomware groups because they potentially hold data that could allow attackers to gain access to many other organizations.
Cyber insurance firm Coalition monitored its honeypots and saw a spike in traffic on May 15 to the legitimate /human.aspx path of MOVEit Transfer deployments, indicating that attackers were likely performing reconnaissance to build a list of targets.
According to Caitlin Condon, senior manager of security research at Rapid7, the first confirmed attack was recorded on May 27, four days before the exploit became public knowledge, with attackers generally working under a timeline of 24 to 48 hours to exfiltrate data. Since public disclosure, Rapid7 has seen an uptick in patching and a slow-down in the number of exploit attempts, she said.
The SentinelOne report contains threat hunting queries that organizations can use to search for activity associated with these attacks in their environments and the CISA advisory has YARA detection rules and indicators of compromise.