Cyber authorities are warning organizations that use Progress Software’s MOVEit file transfer service to gird for widespread exploitation of the zero-day vulnerability the vendor first disclosed last week.
The Clop ransomware group, also known as TA505, published a statement on its dark web site on Tuesday claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.
The prolific ransomware operator set an initial deadline of June 14 for victims to make contact with the group. It threatened to list on its leak site any organizations that do not communicate with it before then, and said it will start leaking stolen data later this month.
“Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” the Cybersecurity and Infrastructure Security Agency and FBI said Wednesday in a joint advisory.
This is the third high-profile, actively exploited zero-day vulnerability currently linked to a file-transfer service this year. Clop is responsible for two of these supply-chain attacks, including a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service the group exploited in March.
Clop was also responsible for the zero-day-exploit-driven campaign against Accellion file transfer devices in 2020 and 2021. “In recent campaigns beginning 2021, Clop preferred to rely mostly on data exfiltration over encryption,” federal authorities said in the advisory.
Prior to Clop’s latest spree of attacks, CISA and the FBI estimated the threat actor group has compromised more than 3,000 U.S.-based organizations and 8,000 organizations based elsewhere.
Rick Holland, VP and CISO at ReliaQuest, underscored that shift in Clop’s tactics. “Clop is a dangerous ransomware group and was one of the earlier adopters of extorting stolen data, not just pure-play ransomware,” Holland said via email.
“Given their propensity to exploit zero-day vulnerabilities, they demonstrate a technical capability beyond many extortion groups. Clop is known to be selective in which victims they extort — they initially compromise many victims but prefer to focus their limited resources on the larger organizations with the resources to pay ransoms,” Holland said.
To that end, Clop claimed it has no interest in exposing information from government agencies, cities or police departments caught up in its wide net of MOVEit vulnerability exploits and said that data has been deleted.
Large pool of potential victims
The scale of the victim pool potentially compromised by Clop’s mass exploitation of the MOVEit zero-day vulnerability is reflected in some of the instructions the group included in its statement on the dark web.
Clop is “overwhelmed with the number of victims,” Mandiant Consulting CTO Charles Carmakal said Tuesday in a LinkedIn post.
“Instead of directly reaching out to victims over email or telephone calls like in prior campaigns, they are asking victims to reach out to them via email,” Carmakal said. “They are threatening to post names of victims on their shaming site that do not reach out to them by June 14. This will be a complete debacle.”
Experts are split on the exploit timeline for the vulnerability. While Progress said it’s not aware of any active exploits of the MOVEit vulnerability prior to last week, Trustwave said it observed source IPs exploiting the MOVEit application since at least February.
Mandiant pins the earliest known evidence of exploitation to May 27, but said it observed the threat actor conducting reconnaissance on MOVEit instances on May 15.
Cyber authorities, incident response firms, threat hunters and researchers have all shared findings, including detection methods, indicators of compromise and other observed malicious activity to help organizations assess potential exposure and respond accordingly.
Mandiant published a 31-page containment and hardening guide for MOVEit customers on Tuesday.
Progress declined to answer questions about Clop’s threats to leak data or the alleged number of victim organizations. CISA, CrowdStrike, Mandiant, Microsoft, Huntress and Rapid7 are all assisting Progress with incident response and ongoing investigations, the company said.
“We are still in the early stages of the MOVEit zero-day vulnerability campaign, which will continue to play out in the coming weeks and months,” Holland said. “The number of victims in this current campaign remains to be seen, but any organization that exposed the vulnerable MOVEit solutions to the internet must assume breach.”