Kroll security experts have discovered that the Clop ransomware gang has been seeking ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021. While investigating recent Clop data theft attacks targeting vulnerable MOVEit Transfer instances, they found malicious activity consistent with the method used by the gang to deploy the newly discovered LemurLoot web shell.
Kroll stated, "Activity during the May 27–28 period appeared to be an automated exploitation attack chain that ultimately resulted in the deployment of the human2.aspx web shell. The exploit centered around interaction between two legitimate components of MOVEit Transfer: moveitisapi/moveitisapi.dll and guestaccess.aspx." The security experts also found evidence of similar activity occurring in multiple client environments in April 2022 and, in some cases, as early as July 2021.
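As an added example (not code from Kroll's report or this article), the following Python triage script walks constructed IIS-style log lines and flags the two indicators the quoted analysis describes: any request for human2.aspx, and one client requesting moveitisapi/moveitisapi.dll followed by guestaccess.aspx within a short window. The log field order, the sample lines and the 5-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2023-05-27 02:10:01 203.0.113.7 POST /moveitisapi/moveitisapi.dll 200
2023-05-27 02:10:03 203.0.113.7 POST /guestaccess.aspx 200
2023-05-27 02:10:09 203.0.113.7 POST /human2.aspx 200
2023-05-27 09:15:44 198.51.100.2 GET /guestaccess.aspx 200
2023-05-27 10:01:00 198.51.100.9 GET /human.aspx 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
WINDOW = timedelta(minutes=5)  # assumed pairing window for the two-step pattern


def parse(log_text):
    """Return (timestamp, client_ip, method, lower-cased path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip header/comment/malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4).lower(), int(m.group(5))))
    return events


def find_suspicious(log_text):
    """Return (client_ip, indicator, timestamp) findings for the page's two indicators."""
    findings = []
    by_ip = defaultdict(list)
    for ts, ip, method, path, status in parse(log_text):
        # Indicator 1: the web shell is served as human2.aspx; the legitimate
        # MOVEit page is human.aspx, so match the full file name, not a prefix.
        if path.endswith("/human2.aspx"):
            findings.append((ip, "webshell_request", ts))
        by_ip[ip].append((ts, path))
    # Indicator 2: same client hits moveitisapi.dll, then guestaccess.aspx, within WINDOW.
    for ip, reqs in by_ip.items():
        dll_times = [t for t, p in reqs if p.endswith("/moveitisapi/moveitisapi.dll")]
        for t_guest, p in reqs:
            if p.endswith("/guestaccess.aspx") and any(
                timedelta(0) <= t_guest - t <= WINDOW for t in dll_times
            ):
                findings.append((ip, "isapi_then_guestaccess", t_guest))
                break  # one finding per client is enough for triage
    return findings
```

A lone guestaccess.aspx request (198.51.100.2) and the legitimate human.aspx page (198.51.100.9) produce no finding, which is what keeps this usable on a busy server.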
The threat actors were found to be testing ways to collect and extract sensitive data from compromised MOVEit Transfer servers as far back as April 2022, likely using automated tools. Kroll's report reveals, "Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing." The automated malicious activity increased on a much larger scale starting on May 15, 2023, right before the mass exploitation of the zero-day bug began on May 27. This also matched similar commands issued manually against MOVEit Transfer servers in July 2021, suggesting that the ransomware gang waited until it had the tools to launch the final attack in late May 2023.
Over the weekend, the Clop ransomware gang claimed responsibility for recent data-theft attacks that allowed them to breach MOVEit Transfer servers allegedly belonging to "hundreds of companies." While their statement cannot be taken at face value, it confirmed a Microsoft report linking the attacks to the hacking group tracked as Lace Tempest (also known as TA505 and FIN11). The Microsoft Threat Intelligence team tweeted, "Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims."
The Clop cybercrime group has also been behind other high-impact data theft campaigns targeting managed file transfer platforms, including the zero-day exploitation of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, and the mass exploitation of a GoAnywhere MFT zero-day in January 2023. Since Clop's MOVEit data-theft attacks were detected, the first breached organizations have begun to surface, with UK payroll and HR solutions provider Zellis reporting a data breach that will likely affect some of its customers. Zellis customers that have already confirmed being affected include Irish flag carrier Aer Lingus and the UK's flag carrier British Airways. Clop has demanded that all affected organizations reach out and negotiate a ransom, otherwise their data will be leaked online in six days, on June 14.