Clop Ransomware posts 70 new victims after MOVEit attacks


Clop ransomware has posted the names of 70 new victims on its site in the past 24 hours. All of these victims were breached recently, and it is speculated that all of the latest victims were compromised through the MOVEit vulnerability.

Clop has been targeting the MOVEit vulnerability over the past few weeks. The ransomware operator is expected to earn at least $75 million from the latest ransomware incidents.

Some of the most significant victims of the recent Clop ransomware attacks include the following companies or organizations:

  • BBC UK
  • DHL in the United Kingdom
  • Estee Lauder cosmetics
  • Deloitte US
  • Toyota subsidiary in Europe (Toyota Boshoku Europe)
  • Virgin Pulse

The recent spurt in cyber attacks can be attributed to more threat actors becoming active in exploiting the MOVEit vulnerability in IT infrastructure.

We look at the essential details of the MOVEit vulnerabilities below.

What is the MOVEit vulnerability?

Two sets of security vulnerabilities have been reported for MOVEit Transfer and MOVEit Cloud deployments.

MOVEit Transfer July 2023 vulnerabilities

MOVEit Transfer and MOVEit Cloud vulnerabilities were first reported in June 2023. Progress Software released a June Service Pack on 16th June 2023 to mitigate the threats described in the MOVEit Transfer June 2023 vulnerabilities section below. However, three new threats were disclosed in July 2023.

  • CVE-2023-36934 (CRITICAL)
    In Progress MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.
  • CVE-2023-36932 (HIGH)
    In Progress MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.
  • CVE-2023-36933 (HIGH)
    In Progress MOVEit Transfer versions released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method which results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.

All three threats have been patched in the July 2023 Service Pack released by Progress Software on 7th July 2023.
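As an added example (not code from the article or from Progress Software), the following Python script checks an installed MOVEit Transfer version string against the fixed versions quoted above for each July 2023 CVE, per release branch. It uses only the year-style version numbers listed above (the internal numbers in parentheses are ignored), the sample inventory in it is constructed, and a branch for which the advisory text lists no fixed build is reported as "not listed" rather than assumed patched.

```python
"""
Added example (not from the original article or from Progress Software):
decide whether an installed MOVEit Transfer build is older than the fixed
versions the July 2023 advisories list, per release branch.

Fixed versions are those quoted in the article for CVE-2023-36934,
CVE-2023-36932 and CVE-2023-36933. The sample inventory at the bottom is
constructed for illustration and does not refer to real hosts.
"""
from __future__ import annotations

# Minimum fixed version per release branch (branch -> full version), as quoted
# in the July 2023 advisory text for CVE-2023-36934 and CVE-2023-36932.
FIXED_36934_36932 = {
    "2020.1": "2020.1.11",
    "2021.0": "2021.0.9",
    "2021.1": "2021.1.7",
    "2022.0": "2022.0.7",
    "2022.1": "2022.1.8",
    "2023.0": "2023.0.4",
}

# CVE-2023-36933's advisory text lists no 2020.1 fixed build, so that branch is
# absent here and is reported as "not listed" rather than as patched.
FIXED_36933 = {k: v for k, v in FIXED_36934_36932.items() if k != "2020.1"}

ADVISORIES = {
    "CVE-2023-36934": FIXED_36934_36932,
    "CVE-2023-36932": FIXED_36934_36932,
    "CVE-2023-36933": FIXED_36933,
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2022.1.8' into (2022, 1, 8) so versions compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: tuple[int, ...]) -> str:
    """Release branch is the first two components, e.g. (2022, 1, 8) -> '2022.1'."""
    return f"{version[0]}.{version[1]}"


def status(installed: str, cve: str) -> str:
    """Return 'patched', 'vulnerable' or 'not listed' for one CVE."""
    v = parse_version(installed)
    if len(v) < 3:
        raise ValueError("expected a three-part version such as 2022.1.8")
    fixed = ADVISORIES[cve].get(branch_of(v))
    if fixed is None:
        # Branch not mentioned in the advisory: do not claim it is safe.
        return "not listed"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def assess(installed: str) -> dict[str, str]:
    """Status of one installed version against every July 2023 CVE."""
    return {cve: status(installed, cve) for cve in ADVISORIES}


if __name__ == "__main__":
    # Constructed sample inventory (hostname, reported version); not real hosts.
    inventory = [("mft-01", "2022.1.7"), ("mft-02", "2023.0.4"), ("mft-03", "2020.1.11")]
    for host, ver in inventory:
        print(host, ver, assess(ver))
```

Feed it the version string reported by each MOVEit Transfer host; any "vulnerable" result means the July 2023 Service Pack has not been applied to that branch, and a "not listed" result means the advisory text gives no fixed build for that branch and the host needs manual review.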

MOVEit Transfer June 2023 vulnerabilities

Progress Software’s MOVEit Transfer, a managed secure file transfer tool, was found to have multiple vulnerabilities. These vulnerabilities were disclosed between 31st May 2023 and 16th June 2023.

These threats affect MOVEit Transfer software and MOVEit Cloud.

  • CVE-2023-34362 is a critical zero-day SQL injection vulnerability with a CVSS score of 9.8. Details of this vulnerability were shared on 31st May 2023.
  • CVE-2023-35036 is a CRITICAL vulnerability with a CVSS score of 9.1. The threat could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. This threat was unveiled on 9th June 2023.
  • CVE-2023-35708 is a CRITICAL SQL injection vulnerability with a CVSS score of 9.8. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. This threat was disclosed on 15th June 2023.

All three threats affect MOVEit Transfer software. A patch covering them was released on 16th June 2023.

All MOVEit Transfer deployments must be patched with the security update released on 16th June 2023. Any MOVEit Transfer deployment without the 16th June 2023 patch is vulnerable to the three security threats reported above.

These threats have been actively exploited by the Clop ransomware group.

MOVEit vulnerability Security Packs

In all, six vulnerabilities have been disclosed for MOVEit Transfer software since 31st May 2023. Mitigating them requires installing the following service packs:

  • June 2023 Service Pack released on 16th June 2023
  • July 2023 Service Pack released on 7th July 2023

Unless both the June and July Service Packs are installed on your MOVEit Transfer deployments, your IT infrastructure remains exposed to these attacks.

The severity of the vulnerabilities led to widespread exploitation attempts by threat actors, notably the Clop ransomware group, who claimed responsibility for deploying the LemurLoot web shell and exfiltrating data from affected organizations.

Meanwhile, June 2023 saw the highest number of ransomware attacks ever. Threat-intelligence company Corvus has published a cyber-security report that lists 456 ransomware incidents in June 2023. You can read more about the Corvus report here.

In March 2023, the Clop ransomware actor was very active. There were 452 cyber attacks in the month of June 2023, with 103 of these attributed to the Clop ransomware group.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.