Cl0p may have been too successful with its most recent caper.
By Jason Cole, CyberWire staff writer
Jun 8, 2023

Cl0p's exploitation of MOVEit vulnerabilities continues, but with some signs that the gang may be having trouble handling the data they're holding at risk.

Cl0p may have been too successful with its most recent caper.

Cl0p has issued demands to negotiate ransoms to “potentially hundreds” of its victims in the MOVEit vulnerability exploitation, which began on May 27th.

Cl0p's current ransom note.

The Register reports that “Clop, which Microsoft warned on Sunday was behind the attempts to exploit MOVEit, published an extortion note on Wednesday morning claiming that “hundreds” of businesses were affected and warning that these victims needed to contact the gang or be named on the group’s extortion site. The ransomware group, in an uncharacteristic move, gave a June 14th deadline for victims to contact the attackers. This change of tactics, as ITpro reports, could be due to the unusually large amount of data stolen by the group. “The approach taken by the group is atypical from most extortion scenarios which usually sees the attackers approach the victims first. Members of the cyber security industry have speculated that Cl0p… has ingested too much data for it to identify the company to which it belongs.”

British employee financial information may have been stolen.

“More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken,” writes the BBC. The BBC notes that the information stolen varies based on the firm. Zellis, a HR outsourcing company, seems to have been the initial victim in the supply chain attack, which allowed Cl0p to obtain “home addresses, national insurance numbers and, in some cases, bank details,” explains the BBC. The BBC released a report imploring those individuals, who may have had their personal information stolen, not to panic as “Hackers are not interested in going after individuals - it is too time consuming and they care about one thing only, getting paid.” The story quotes former National Cyber Center Lead Ciaran Martin: “The important message to organizations right now is not to panic, to install the security patch and not to pay the criminals.”

Cl0p could have had this exploit since 2021.

According to research from Kroll, Cl0p could have discovered the MOVEit zero day exploit as long ago as 2021. They explain that “Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021.” Kroll also advises companies which use MOVEit “to look in the “C:\MOVEit Transfer\wwwroot\” directory for suspicious .aspx files such as “human2.aspx” as indicators of compromise (IoC),” in their blog post regarding the MOVEit attack. Kroll also recommends that MOVEit administrators “disable HTTP and HTTPS traffic to their MOVEit Transfer environment, Check for indicators or unauthorized access in the last 30 days, and Apply patches as they become available.”  Progress, the software developer of MOVEit, has created a web page for the vulnerability that describes mitigation steps and provides situation updates.