Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021

NOTE: The MOVEit Transfer vulnerability remains under active exploitation, and Kroll experts are investigating. Expect frequent updates to the Kroll Cyber Risk blog as our team uncovers more details.

On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). Kroll previously provided guidance on steps to mitigate risks associated with this critical vulnerability, which allows attackers to gain unauthenticated access to MOVEit Transfer servers.

Subsequent Kroll analysis of this exploitation has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.

This finding illustrates the sophisticated knowledge and planning that go into mass exploitation events such as the MOVEit Transfer cyberattack. According to these observations, the Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023 but chose to execute the attacks sequentially instead of in parallel.

Timeline

Kroll’s initial analysis of clients impacted by the MOVEit Transfer vulnerability indicated a broad swath of activity associated with the vulnerability on or around May 27 and 28, 2023, just days prior to Progress Software’s public announcement of the vulnerability on May 31, 2023.

This time frame coincided with the observation of Memorial Day weekend in the U.S., reinforcing threat actors’ preference to launch major cyber exploitations during holiday weekends (e.g., the Kaseya supply chain attack on July 3, 2021).

Activity during the May 27–28 period appeared to be an automated exploitation attack chain that ultimately resulted in the deployment of the human2.aspx web shell. The exploit centered around interaction between two legitimate components of MOVEit Transfer: moveitisapi/moveitisapi.dll and guestaccess.aspx.

Figure 1 illustrates commonly observed commands during the attack time frame. 

Figure 1: Threat Actor Commands Leading to Exploitation

Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021.

Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing.

Figure 2 highlights malicious activity that occurred on May 22, 2023. Such activity appeared to be aimed at pulling back an Organization ID (“Org ID”), a unique identifier that correlates with only one MOVEit Transfer user, helping the threat actors to categorize which entities they could access. This activity, which Kroll observed happening for less than 22 minutes, was associated with one IP address across multiple organizations: 92.51.2.10. This collection of the Org ID would allow for victim categorization and data inventorying by Clop on a per-exfiltration operation.

Figure 2: Threat Actor Pulls Back Organizational Information, May 22, 2023

Similar activity, but on a much larger scale, occurred from May 15, 2023, at 17:55:25 (UTC) to May 16, 2023, at 13:59:06 (UTC) coming from IP address 92.118.36.112. In fact, the traffic that occurred during this time frame (immediately preceding the mass exploitation event) replicated activity that occurred more than a year earlier in April 2022.

Kroll’s historical log review identified identical activity coming from IP address 92.118.36.233 for approximately two hours on April 27, 2022, from 10:50:54 (UTC) to 12:42:58 (UTC).

Figure 3 shows commands across two different clients, revealing that the commands were run against the organizations in less than 24 seconds, pointing to the likelihood of an automated tool running such activity.

Figure 3: Automated Commands Hitting Multiple Organizations on April 27, 2022

Kroll observed similar activity on MOVEit Transfer servers occurring nearly two years ago, between July 6 and 18, 2021, again pulling back the Org ID, and this time coming from IP address 45.129.137.232 (Figure 4).

Figure 4: MOVEit Activity in July 2021

Commands during the July 2021 time frame appeared to be run over a longer amount of time, suggesting that testing may have been a manual process at that point before the group created an automated solution that it began testing in April 2022.

Clop Connections: IP Address Analysis

92.118.36.112/92.118.36.233

• Kroll observed these IP addresses in connection with malicious MOVEit Transfer activity that occurred on April 27, 2022, and May 15–16, 2023. Reporting on the Clop GoAnywhere activity in February 2023 identified the IP addresses 92.118.36.123, 92.118.36.210, 92.118.36.213, and 92.118.36.249 as indicators of compromise.

45.129.137.232

• Kroll observed that this IP address targeted MOVEit Transfer servers in July 2021. Of note, this IP address was previously attributed to Clop ransomware group (aka GRACEFUL SPIDER) trying to exploit the SolarWinds Serv-U product that same month and year.

Clop Extortion Tactics

Since its public statement claiming responsibility for the MOVEit Transfer attacks, the Clop ransomware group has updated its threat actor website, instructing users of MOVEit Transfer products to contact them via email.

According to the post shown in Figure 5, Clop will provide proof of data exfiltration and discuss pricing with victims to avoid the public publication of data.

Clop indicates that companies who do not contact them will be published by name on their actor-controlled website. Kroll’s Threat Intelligence team regularly reviews the actor-controlled website and can confirm that in the wake of the GoAnywhere exploitation, nearly 100 victim organizations were listed on the Clop website. Clop typically posts data in a series of posts rather than one large data leak. Presently, over 100 victims have at least one post containing stolen data, and nearly 75% of victims have had more than one post exposing data.

Figure 5: Clop Group Publishes Mass Notification to MOVEit Customers

Conclusion

It appears that the Clop threat actors may have been experimenting with ways to exploit the MOVEit Transfer vulnerability for quite some time prior to the recent mass exfiltration event. Kroll observed a similar fact pattern across multiple MOVEit Transfer cases, and in some instances, the activity occurred across multiple organizations within seconds or minutes of each other.

Kroll assesses with high confidence that the MOVEit Transfer exploit as it exists today:

• Was available and being used/tested in April 2022
• Was available and being used/tested in July 2021

From Kroll’s analysis, it appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel. These findings highlight the significant planning and preparation that likely precede mass exploitation events.

Let’s Not Forget

Even though immediate action is needed and the MOVEit vulnerability is under aggressive exploitation, it’s important to keep a level head. Yes, patch as soon as possible but also consider existing detections and your ability to respond should something suspicious happen. For internal teams burdened with a host of other priorities and a remote workforce, support from dedicated experts who have the frontline expertise, resources and technical skills to assess your exposure can greatly reduce your risk profile. Talk to a Kroll expert today via our 24x7 hotlines or contact form.