The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts.
While analyzing logs on some clients’ compromised networks during the investigation of recent Clop data theft attacks targeting vulnerable MOVEit Transfer instances, they found malicious activity matching the method used by the gang to deploy the newly discovered LemurLoot web shell.
“Activity during the May 27–28 period appeared to be an automated exploitation attack chain that ultimately resulted in the deployment of the human2.aspx web shell. The exploit centered around interaction between two legitimate components of MOVEit Transfer: moveitisapi/moveitisapi.dll and guestaccess.aspx, “Kroll said.
“Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021.”
They also discovered the threat actors were testing ways to collect and extract sensitive data from compromised MOVEit Transfer servers as far back as April 2022, likely with the help of automated tools.
“Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing,” the report reveals.
The automated malicious activity picked up on a much larger scale starting on May 15, 2023, right before the zero-day bug mass exploitation began on May 27.
This also matched similar commands issued manually against MOVEit Transfer servers in July 2021, indicating that the ransomware gang waited until it had the tools to launch the final attack in late May 2023.
Servers of “hundreds of companies” allegedly breached
Over the weekend, the Clop ransomware gang told Bleepingomputer that they were behind recent data-theft attacks that allowed them to breach MOVEit Transfer servers allegedly belonging to “hundreds of companies.”
While the threat actors’ words can’t be taken at face value, Clop’s statement confirmed a Microsoft report linking the attacks to the hacking group they track as Lace Tempest (also known as TA505 and FIN11).
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site,” the Microsoft Threat Intelligence team tweeted Sunday night.
“The threat actor has used similar vulnerabilities in the past to steal data & extort victims.”
The Clop cybercrime group was also behind other high-impact data theft campaigns targeting other managed file transfer platforms, including the zero-day exploitation of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, the mass exploitation of a GoAnywhere MFT zero-day in January 2023.
Since Clop’s MOVEit data-theft attacks were detected, the first organizations that were breached as a result have also slowly started surfacing, with UK payroll and HR solutions provider Zellis reporting they suffered a data breach that will likely also impact some of its customers.
Zellis customers that have already confirmed they were impacted include the Irish flag carrier Aer Lingus and UK’s flag carrier British Airways.
Clop has threatened all affected organizations to reach out and negotiate a ransom if they don’t want their data leaked online in six days, on June 14.
