Intelligence Report
Clop Ransomware Exploits MOVEit Vulnerability
June 13, 2023
June 16, 2023, Updates:
• Victims
EXECUTIVE OVERVIEW (updated 6/8/23)
On May 31, 2023, Progress Software Corporation reported a critical zero-day vulnerability
affecting the MOVEit Transfer file transfer service. [1] On June 4, Microsoft attributed the
exploitation to the ransomware collective “Clop,” which it tracks as “Lace Tempest.” Clop
appears to have begun exploiting the vulnerability starting on May 27.
Since the initial disclosure of the MOVEit vulnerability, several prominent organizations have
disclosed incidents related to MOVEit, including Aer Lingus, BBC Industries, and the
Provincial Government of Nova Scotia. Several affected companies were compromised due
to relationships with third parties using MOVEit Transfer. Of the ten known affected
companies, four were affected third parties associated with Zellis UK Limited, and two were
affected third parties associated with the Provincial Government of Nova Scotia.
On June 7, the FBI and CISA released a joint Cybersecurity Advisory (CSA) providing the
known Clop ransomware group tactics, techniques, and procedures as of June 2023 and
information concerning the MOVEit vulnerability. The CSA includes a list of the known
indicators of compromise (IOCs) and recommended mitigation steps for affected parties. [2]
Background
Victims
Clop Claims Credit for MOVEit
Assessment
Citations
Change Log
BACKGROUND
On May 31, 2023, Progress Software Corporation reported a critical zero-day vulnerability
affecting the MOVEit Transfer file transfer service. [3] The flaw, tracked as CVE-2023-34362,
could allow a remote attacker to escalate their privileges and ultimately execute arbitrary
code on the affected system. [4] On June 4, Microsoft attributed the exploitation to the
ransomware collective “Clop,” which it tracks as “Lace Tempest.” [5] Clop apparently started
exploiting the vulnerability as early as May 27. According to Microsoft’s tweet:
Exploitation is often followed by deployment of a web shell w/
data exfil capabilities. CVE-2023-34362 allows attackers to
authenticate as any user. Lace Tempest (Storm-0950, overlaps w/
FIN11, TA505) authenticates as the user with the highest privileges
to exfiltrate files. [6]
On June 5, BleepingComputer reported that a Clop representative took credit for the attacks.
Although the exact number of compromised organizations remains unknown, victims will
appear on Clop’s data leak site if they do not pay the ransom. The group, known to delay
ransom demands, confirmed that it has not yet started to extort companies it breached
using the exploit, possibly meaning it is still in the process of examining the stolen data to
ascertain its value. Clop also informed BleepingComputer that it deleted any data it stole
during this campaign from governments, the military, and children's hospitals. [7]
VICTIMS (updated 6/13/23)
Since the initial disclosure of the MOVEit vulnerability, several organizations have disclosed
incidents related to the flaw. A nominal timeline is as follows:
• May 27, 2023: The Clop ransomware gang began exploiting a zero-day
vulnerability in the MOVEit Transfer system. Although it claimed to breach
multiple company servers with this vulnerability, it did not immediately extort
the victims.
• June 5: Zellis, a payroll and HR solutions provider based in the UK, confirms that it
was compromised through exploitation of the vulnerability. [8]
• June 5: Clop confirms to BleepingComputer that it is responsible for the
MOVEit Transfer data-theft attacks. The group also claims to have deleted any
data stolen from governments, the military, and children's hospitals. [9]
• June 13: Several victims associated with Zellis reveal that they were
compromised. The list of reported victims from open source reporting or
breach reporting as of June 13 includes:
    • Aer Lingus (affected third party of Zellis UK Limited)
    • BBC Industries (affected third party of Zellis UK Limited)
    • The Boots Company PLC (affected third party of Zellis UK Limited)
    • British Airways, Plc. (affected third party of Zellis UK Limited)
    • Ernst & Young Global Limited
    • Extreme Networks
    • Finanzmarktaufsicht (FMA; English: Austrian Financial Market Authority)
    • Health Service Executive (affected third party of Ernst & Young Global Limited)
    • IWK Health Centre (affected third party of Provincial Government of Nova Scotia)
    • Minnesota Department of Education
    • Nova Scotia Health Authority (affected third party of Provincial Government of Nova Scotia)
    • Office of Communications (Ofcom)
    • Provincial Government of Nova Scotia
    • State Government of Illinois
    • University of Rochester
    • Zellis UK Limited
• June 6: Clop officially claims credit for exploiting the MOVEit vulnerability.
• June 7: The FBI and CISA released a joint Cybersecurity Advisory (CSA)
providing the known Clop ransomware group tactics, techniques, and
procedures as of June 2023 and information concerning the MOVEit
vulnerability. The CSA includes a list of the known indicators of compromise
(IOCs) and recommended mitigation steps for affected parties. [10]
CLOP CLAIMS CREDIT FOR MOVEIT
On June 6, Clop officially claimed credit for the compromises related to the MOVEit
vulnerabilities. In a possible change in tactics, techniques, and procedures associated with
Clop, it urged its victims to reach out to its team via the email addresses
unlock[@]rsv-box[.]com and unlock[@]support-mult[.]com.
Clop stated that it has “information on hundreds of companies,” a volume that likely limits
how quickly it can update its ransomware leak site. Rapid7 reported that as of May 31, there
were roughly 2,500 devices with MOVEit exposed to the public internet. [11, 12]
Clop’s post indicates that if it does not hear from ransomed victims by June 14, it will post
those victims on its ransomware website.
Image 1: Clop’s ransomware blog acknowledges Clop’s most recent exploits. (Source: Clop Ransomware Blog)
ASSESSMENT
The incident underscores the adaptive nature of ransomware groups. While Clop's claim
about deleting sensitive data is unverified and potentially self-serving, it could suggest a
public relations attempt to present the group as merely interested in highlighting prominent
vulnerabilities.
The wide variety of affected organizations suggests that no sector is immune to this
vulnerability. Furthermore, analysts note that additional third-party risk may arise from
other organizations affected by the MOVEit flaw.
CITATIONS
[1] hxxps://community[.]progress[.]com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
[2] hxxps://www[.]cisa[.]gov/news-events/cybersecurity-advisories/aa23-158a
[3] hxxps://community[.]progress[.]com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
[4] hxxps://community[.]progress[.]com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
[5] hxxps://twitter[.]com/MsftSecIntel/status/1665537730946670595
[6] hxxps://twitter[.]com/MsftSecIntel/status/1665537730946670595
[7] hxxps://www[.]bleepingcomputer[.]com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/
[8] hxxps://www[.]bbc[.]com/news/technology-65814104
[9] hxxps://www[.]bleepingcomputer[.]com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/
[10] hxxps://www[.]cisa[.]gov/news-events/cybersecurity-advisories/aa23-158a
[11] hxxps://www[.]rapid7[.]com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
[12] hxxps://www[.]shodan[.]io/search?query=http.favicon.hash%3A989289239
CHANGE LOG
• 6/6/23: First publication
• 6/8/23:
• Executive Overview (updated)
• Victims (updated)
• 6/13/23: Victims (updated)
Header image: Courtesy Sora Shimazaki via Pexels,
hxxps://www[.]pexels[.]com/photo/unrecognizable-hacker-with-smartphone-typing-on-laptop-at-desk-5935791/
=======
All Flashpoint intelligence reports, related data, and content are the property of Flashpoint,
and are protected under all applicable laws. Flashpoint reports and data are intended solely
for the internal use of the individual and organization to which they are addressed, and are
subject to the applicable terms and conditions of your Subscription Agreement with
Flashpoint and/or your NDA, as applicable. Flashpoint reports and data are Flashpoint
Confidential Information, and as such, may not be shared outside of your company or
disclosed publicly for any purposes without Flashpoint’s written consent; provided, however,
that you may share such materials to third parties if legally required, or on a need-to-know
basis, and then only to those parties who are bound by confidentiality obligations no less
protective of Flashpoint than those contained in your Agreement and/or your NDA.
=======