Microsoft has recently attributed the exploitation of the CVE-2023-34362 zero-day vulnerability in the MOVEit Transfer platform to the Clop ransomware gang, also known as Lace Tempest. The gang is notorious for its ransomware operations and for running the Clop extortion site. The Microsoft Threat Intelligence team stated, "Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site." The threat actor has a history of using similar vulnerabilities to steal data and extort victims.
MOVEit Transfer is a managed file transfer (MFT) solution that enables enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. The attacks reportedly began on May 27th, during the long US Memorial Day holiday, with numerous organizations having their data stolen. The threat actors leveraged the zero-day MOVEit vulnerability to deploy specially crafted webshells on servers, enabling them to access a list of files stored on the server, download files, and steal the credentials/secrets for configured Azure Blob Storage containers.
The Clop ransomware operation was suspected to be behind the attacks because of similarities with its previous campaigns. The group is known for targeting managed file transfer software and was responsible for data-theft attacks using a GoAnywhere MFT zero-day in January 2023 and for the zero-day exploitation of Accellion FTA servers in 2020. Microsoft has now linked the attacks to 'Lace Tempest,' the group's name under the new threat actor naming scheme Microsoft introduced in April. Lace Tempest is more commonly referred to as TA505, FIN11, or DEV-0950.
At present, the Clop ransomware operation has not started extorting victims, with incident responders stating that victims have not yet received extortion demands. However, the Clop gang typically waits a few weeks after data theft before contacting company executives with their demands. A Clop ransom note sent during the GoAnywhere extortion attacks reads, "We deliberately did not disclose your organization wanted to negotiate with you and your leadership first." The note also threatens to sell the information on the black market and publish it on their blog, which reportedly receives 30-50 thousand unique visitors per day.
Historically, once Clop begins extorting victims, they add a stream of new victims to their data leak site and threaten to publish stolen files to apply further pressure in their extortion schemes. For the GoAnywhere attacks, it took just over a month before victims were listed on the gang's extortion sites.