The notorious Clop ransomware gang was found responsible for a new round of sophisticated assaults targeting the widely used MOVEit Transfer transfer service, cybersecurity experts said.
Concerns about unauthorized access to the compromised MOVEit servers' databases are growing as the first victims come forward. Progress Software, MOVEit's creator, has issued fixes for the newly identified vulnerability.
UK-based HR software developer and payroll service provider Zellis reported over the weekend that a small number of its business clients had been impacted by a security breach in its MOVEit system.
The Clop cyber attack, which exposed personal information, has also prompted warnings from major corporations, including British Airways and Boots, to their staff, per a report from Yahoo! Life.
Russian-speaking hacking gang Clop is suspected behind the attack per an earlier media report. This hack mainly uses a weakness in MOVEit Transfer. Many businesses use MOVEit, this widely used file transfer program, throughout the globe, which leaves them open to cybercriminal exploitation.
According to publicly accessible devices and records found by the search engine Shodan, around 2,500 MOVEit Transfer servers are available online.
Immediate Action Recommended
Companies using the impacted software were strongly recommended to take immediate action. According to Microsoft researchers, data leakage often happens once the MOVEit vulnerability has been exploited, per TechCrunch.
Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. pic.twitter.com/q73WtGru7j
— Microsoft Threat Intelligence (@MsftSecIntel) June 5, 2023
Read Also: Bybit Joins DMCC as Ecosystem Partner
Mandiant wrote in a weekend blog post that there are "notable" similarities between UNC4857, a recently formed threat cluster with "unknown motivations," and FIN11, a notorious ransomware group that operates Clop ransomware. Mandiant said continuing examination of occurring activity "may provide additional insights."
Charles Carmakal, chief technology officer of Mandiant, corroborated indications of data leakage from numerous victims, indicating that more MOVEit breach victims may come forward in the days to come.
A Threat of High-Risk
The Clop ransomware, active under the ransomware-as-a-service (RaaS) model for more than four years, primarily targets businesses with yearly revenues of $5 million or more in the United States, Canada, Latin America, Asia Pacific, and Europe, according to the Blackberry Blog.
Clop, who employs multi-level extortion strategies and a broad range of tools, has been classified by BlackBerry threat analysts as having a high impact and risk.
When the Clop ransomware attacks, it turns off several Windows processes and encrypts the related files using its anti-analysis and anti-virtual system features. Before the encryption operation, it also tries deactivating anti-malware programs like Windows Defender and Microsoft Security Essentials. After data has been encrypted, victims are presented with a ransom letter.
The capacity of the Clop ransomware to exfiltrate data, placing victims at risk of double extortion, is one of its main dangers. The organization may use the threat of selling specific data on the dark web or public exposure as leverage over its victim if the ransom demand is not fulfilled.
Related Article: WWDC 2023: Apple Set to Reveal Groundbreaking VR Headset, OS Enhancements
