Clop Ransomware Gang Asserts It Hacked MOVEit Instances

The Clop ransomware-as-a-service gang said it’s the actor behind a spate of hacks taking advantage of a vulnerability in Progress Software’s MOVEit managed file transfer application.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

In a Tuesday posting on its dark web leak site, Clop said, in all caps, that it has used the MOVEit flaw to download information from hundreds of companies. “We download alot [sic] of your data as part of exceptional exploit. We are the only one who perform such attack and relax because your data is safe,” the Russian-speaking criminal gang wrote.

Clop’s assertion is not unexpected; Microsoft this week attributed the attacks to Clop affiliate FIN11, which the computing giant tracks as Lace Tempest (see: Microsoft Attributes MOVEit Transfer Hack to Clop Affiliate).

Gang representatives reportedly took credit for the attacks Monday in communications with Bleeping Computer and a Reuters reporter.

Clop says it will begin posting the names of victims starting on June 14 unless it hears from them first. It also asserted that it erased data obtained from “government, city or police service” sources since “We have no interest to expose such information.”

Information Security Media Group could not independently verify Clop’s claims. The gang earlier this year used a vulnerability in another file transfer application made by Fortra to attack dozens of victims.

Threat actors on May 27 began active exploitation of the MOVEit vulnerability, tracked as CVE-2023-34362. Progress Software released a patch on June 2.

Cybersecurity firm GreyNoise said it detected scanning activity associated with the vulnerability as early as March 3. Internet protocol addresses performing the scans came from malicious sources, the firm added.

The MOVEit flaw is a SQL injection vulnerability that enabled hackers to access the server database. Mandiant said it is aware of “multiple cases where large volumes of files have been stolen.” Mandiant also warned that hackers may have stolen Azure system settings.

The list of known victims is, for the moment, short but includes British payroll provider Zellis. Through it, affected firms include airliners British Airways and Aer Lingus, as well as the BBC and U.K. drugstore chain Boots.

The government of Canadian province Nova Scotia acknowledged that MOVEit hackers breached residents’ personal information. The University of Rochester also said Friday it is investigating a cybersecurity attack on its file transfer software. A university spokesperson didn’t immediately confirm that the software in question is MOVEit. A representative of Progress Software also did not immediately return a request for comment.