Cl0P Gang Sat on Exploit for MOVEit Flaw for Nearly 2 Years

Published: 23/11/2024   Category: security

Over that time, the group carried out multiple tests to see whether the exploit worked and to identify potential victims. It was like turning the doorknob to check for access, a researcher says.



Turns out the Cl0p ransomware group sat on a zero-day vulnerability it discovered in Progress Software's MOVEit Transfer file transfer app for nearly two years before starting to exploit it, which it did with devastating effect earlier this month.
Over that holding period, members of the group periodically launched waves of malicious activity against vulnerable systems to test their access to organizations and to identify the ones to target.
"The analogy I have been using is turning the doorknob, seeing it turn, then walking away knowing I can come back later, open the door, and walk through it," says Scott Downie, associate managing director at Kroll's Cyber Risk Business. It can also be interpreted as them identifying potential targets, he says.
Researchers at Kroll Threat Intelligence, who investigated the recent attacks, found evidence showing Cl0p actors experimenting with ways to exploit the MOVEit Transfer vulnerability as far back as July 2021.
Kroll's review of Microsoft Internet Information Services (IIS) logs belonging to clients impacted in the attacks unearthed evidence of the threat actors conducting similar activity in April 2022 and twice last month, just days before the attacks.
The telemetry suggests the threat actors were testing access to vulnerable MOVEit Transfer clients and attempting to retrieve information that could help them identify the organizations where it was installed. Much of the malicious reconnaissance and testing activity in the early stages, in July 2021, appears to have been manual in nature. But starting in April 2022, Cl0p actors began using an automated mechanism for probing multiple organizations at the same time and collecting information from them.
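The two things Kroll pulled out of those IIS logs were long dwell (the same sources touching the application in 2021, 2022 and 2023) and a change from manual to scripted probing. The script below is an added example of how a defender could run the same kind of triage over a server's own IIS W3C logs; it is not Kroll's tooling and not code from the article. The `/moveit/` path prefix, the 10-second burst window, the burst threshold of five requests, and the log lines themselves are all constructed for illustration, and the sample does not reproduce the real CVE-2023-34362 request sequence.

```python
"""Long-dwell reconnaissance triage over IIS W3C logs (added example).

Assumptions not stated on the page: application requests share the
placeholder prefix in APP_PREFIXES; "automated" probing is approximated
as BURST_MIN or more requests from one client inside BURST_WINDOW;
SAMPLE_LOG is constructed, not captured attacker traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

APP_PREFIXES = ("/moveit/",)          # placeholder; use your deployment's real path prefix(es)
BURST_WINDOW = timedelta(seconds=10)  # sliding window used to spot scripted request bursts
BURST_MIN = 5                         # requests per window treated as automation

# Constructed sample: one source probes manually in 2021, then in scripted
# bursts in 2022 and 2023; one ordinary user; one request to an unrelated path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-07-06 10:00:01 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2021-07-06 10:04:30 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2021-07-06 10:11:12 10.0.0.5 POST /moveit/ - 203.0.113.7 200
2022-04-18 03:15:00 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2022-04-18 03:15:01 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2022-04-18 03:15:01 10.0.0.5 POST /moveit/ - 203.0.113.7 200
2022-04-18 03:15:02 10.0.0.5 POST /moveit/ - 203.0.113.7 200
2022-04-18 03:15:03 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2022-04-18 03:15:04 10.0.0.5 POST /moveit/ - 203.0.113.7 200
2023-05-27 22:40:10 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2023-05-27 22:40:11 10.0.0.5 POST /moveit/ - 203.0.113.7 200
2023-05-27 22:40:12 10.0.0.5 POST /moveit/ - 203.0.113.7 200
2023-05-27 22:40:12 10.0.0.5 GET /moveit/ - 203.0.113.7 200
2023-06-01 09:02:45 10.0.0.5 GET /moveit/ - 198.51.100.20 200
2023-06-01 09:03:10 10.0.0.5 GET /other/index.html - 192.0.2.9 200
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text, taking column names from the #Fields: line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # IIS rewrites this header when the field set changes
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip malformed line instead of misaligning columns
        records.append(dict(zip(fields, values)))
    return records


def app_timelines(records, prefixes=APP_PREFIXES):
    """Map each client IP to its sorted request timestamps against the app paths."""
    timelines = defaultdict(list)
    for r in records:
        if not r["cs-uri-stem"].startswith(prefixes):
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        timelines[r["c-ip"]].append(ts)
    for ts_list in timelines.values():
        ts_list.sort()
    return timelines


def max_burst(timestamps, window=BURST_WINDOW):
    """Largest number of requests falling inside any sliding window (two-pointer scan)."""
    best, j = 0, 0
    for i in range(len(timestamps)):
        while j < len(timestamps) and timestamps[j] - timestamps[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def summarize_client(timestamps, burst_min=BURST_MIN):
    """Dwell and cadence summary for one client: long gaps plus bursts is the signal."""
    first, last = timestamps[0], timestamps[-1]
    months = {(t.year, t.month) for t in timestamps}
    burst = max_burst(timestamps)
    return {
        "requests": len(timestamps),
        "first_seen": first.date().isoformat(),
        "last_seen": last.date().isoformat(),
        "dwell_days": (last - first).days,
        "active_months": len(months),
        "max_burst": burst,
        "pattern": "automated" if burst >= burst_min else "manual",
        "long_dwell": len(months) >= 2,
    }


def triage(log_text):
    """Summaries keyed by client IP, long-dwell and longest-dwell sources first."""
    summaries = {ip: summarize_client(ts) for ip, ts in app_timelines(parse_iis_w3c(log_text)).items()}
    return dict(sorted(summaries.items(),
                       key=lambda kv: (kv[1]["long_dwell"], kv[1]["dwell_days"]), reverse=True))


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed sample the 203.0.113.7 source ranks first: thirteen requests spread over roughly 690 days and three distinct months, with a six-request burst inside ten seconds in 2022 that separates it from the sparse 2021 activity. The practical caveat is retention: the July 2021 probing Kroll found sat almost two years before exploitation, so a site keeping only a few months of IIS logs would have had nothing to review.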
The last of the testing activity, before mass exploitation began, was in May and appeared designed to extract the unique Org ID identifier associated with each MOVEit Transfer user. The information could have helped the attackers categorize the organizations they could access, Kroll said. The company's analysis of the IP addresses associated with the malicious activity showed them to be located in Russia and the Netherlands, Downie says.
"CVE-2023-34362 is a multi-stage process of exploitation," Downie notes. "This activity is consistent with the first stage of CVE-2023-34362."
Kroll has concluded with a high degree of confidence that Cl0p actors had a working exploit for the MOVEit vulnerability back in July 2021. But the group likely chose to sit on it for two years for a few reasons, theorizes Laurie Iacono, associate managing director, Cyber Risk Business at Kroll.
In 2021, the same threat actor exploited yet another file-transfer zero-day it discovered, this time in Accellion's File Transfer Appliance. For the rest of 2021 and early 2022, Cl0p was very active in connection with the Accellion FTA breach. So, it likely had its hands full already.
The threat actor's site was then fairly inactive during much of 2022 and may even have diverted activities away from extortion for a period, possibly in relation to arrests of Cl0p members in 2021, Iacono says. The Ukraine/Russia conflict, which slowed down overall ransomware activity in early to mid 2022, may also have been a factor, she says.
"Cl0p was originally classified as FIN11 [and was] known for POS malware attacks, etc.," Iacono says. "They entered the ransomware game during the boom of 2020/2021. But it stands to reason their group has a diversified portfolio of cybercrime services it leverages, not just ransomware extortion."
By way of background, vendor reports of attack activity targeting a SQL injection vulnerability in MOVEit Transfer began surfacing on June 1. Researchers at Mandiant and other vendors who investigated the attacks found the threat actor exploiting the flaw to steal data from customers of Progress Software's app. Some surmised, correctly, that the attacks and data theft were a precursor to ransom demands.
On June 4, Microsoft attributed the attacks to the Cl0p ransomware group (which the company tracks as Lace Tempest, and which is known to be related to the TA505 threat group) as the first reports of organizations victimized by the attacks began to roll in. So far, the list has included the BBC, British Airways, and the government of Nova Scotia. Cl0p itself has claimed hundreds of victims. The US Cybersecurity and Infrastructure Security Agency (CISA) on June 7 warned of potentially widespread impact: "Due to the speed and ease with which TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks."
MOVEit is a managed file transfer app that thousands of organizations, including giants like Disney, Chase, GEICO, and US federal agencies use to transfer sensitive data and large files. Such apps have become a popular target for attackers because of the access they provide to the kind of data that organizations are likely willing to pay for, to prevent it from getting leaked or locked up in a ransomware attack. 
File transfer attacks are hot for this group: In addition to MOVEit and Accellion, Cl0p threat actors in February exploited a zero-day flaw in Fortra's GoAnywhere MFT to extort customers of that managed file transfer product.
