
The Clop ransomware gang may have been experimenting with a zero-day vulnerability in Progress Software's MOVEit Transfer application for almost two years before exploiting it at scale, according to risk and financial advisory firm Kroll.

On June 5, Clop claimed responsibility for exploiting a zero-day vulnerability in MOVEit Transfer that affected hundreds of organisations globally. Kroll's researchers suspect the group had been experimenting with the flaw since as early as July 2021.

The researchers believe the threat actors had "an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023", but chose to exploit the two file-transfer products sequentially rather than at the same time.

"Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021," the report reads.

Several large organisations, including the BBC, British Airways, Boots and Aer Lingus, have reported being affected by the incident.
Kroll's initial analysis of clients affected by the incident showed a "broad swath of activity associated with the vulnerability" around May 27 and 28, a few days before Progress Software's announcement of the vulnerability on May 31.

Kroll also reviewed the Microsoft Internet Information Services (IIS) logs of affected companies and found similar activity "occurring in multiple client environments last year around April and some activities even dated back to July 2021".

"Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organisations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing," the report explained.

Clop has given all organisations affected by the MOVEit exploitation an ultimatum: contact the group, or see their stolen data published. The group has threatened to publish the data on its dark web leak site on June 14 if organisations do not meet its ransom demands.

According to a screenshot seen by the researchers, Clop will provide proof of data exfiltration and negotiate its ransom demand with victims who make contact in order to avoid publication.

"Clop indicates that companies who do not contact them will be published by name on their actor-controlled website. Kroll's Threat Intelligence team regularly reviews the actor-controlled website and can confirm that in the wake of the GoAnywhere exploitation, nearly 100 victim organizations were listed on the Clop website. Clop typically posts data in a series of posts rather than one large data leak," Kroll added.
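The IIS log review described above is something any MOVEit Transfer operator can repeat. The script below is an added example written for this article, not Kroll's tooling or anything from Progress Software: it parses IIS logs in W3C extended format, flags requests matching a small indicator set, and reports first-seen and last-seen dates per source IP so an analyst can see how far back the activity reaches. The sample log is constructed for the example. The webshell filename `/human2.aspx` is taken from the CISA/FBI joint advisory (AA23-158A) on the MOVEit vulnerability CVE-2023-34362, not from this article; the scripted user-agent prefixes are a heuristic chosen for the example, and `/human.aspx` is MOVEit Transfer's ordinary login page as it appears in the constructed log.

```python
"""Timeline suspicious MOVEit Transfer activity from IIS W3C extended logs.

Added example for this article; not Kroll's or Progress Software's code.
"""
from __future__ import annotations

from datetime import datetime
from typing import Iterable

# Indicator set. "/human2.aspx" is the webshell filename documented in the
# CISA/FBI advisory AA23-158A on CVE-2023-34362. The user-agent prefixes are
# a heuristic chosen for this example, not an indicator from any advisory.
WEBSHELL_PATHS = {"/human2.aspx"}
SCRIPTED_UA_PREFIXES = ("python-requests/", "curl/", "go-http-client/")

# Constructed sample log (not real data). IIS writes W3C extended format:
# "#" lines are directives, and "#Fields:" names the columns that follow.
# IIS replaces spaces inside field values (e.g. the User-Agent) with "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-07-14 02:10:33
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-14 02:10:33 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/89.0 - 200 0 0 120
2021-07-14 02:10:41 10.0.0.5 POST /human.aspx - 443 - 203.0.113.44 python-requests/2.25.1 - 200 0 0 340
2021-07-14 02:10:42 10.0.0.5 GET /human.aspx - 443 - 203.0.113.44 python-requests/2.25.1 - 500 0 0 15
2022-04-27 11:02:01 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.44 python-requests/2.28.1 - 200 0 0 88
2023-05-15 23:41:10 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/113.0 - 200 0 0 61
2023-05-16 00:03:55 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/113.0 - 200 0 0 920
"""


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    Each rolled log file carries its own #Fields directive, so the column
    list is re-read whenever a new one appears. Rows whose column count does
    not match the current header are skipped rather than silently mis-aligned.
    """
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            continue  # data before any #Fields directive cannot be interpreted
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def ts_of(rec: dict[str, str]) -> datetime:
    """Combine the separate W3C date and time columns into one timestamp (UTC)."""
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def flag_suspicious(records: list[dict[str, str]]) -> list[tuple[dict[str, str], str]]:
    """Return (record, reason) pairs for requests worth a second look.

    Rule 1: any request for a known webshell path (a 200 there means the
    file exists on the server). Rule 2: a scripted client talking to the
    application, which is what automated access testing looks like in logs.
    """
    flagged: list[tuple[dict[str, str], str]] = []
    for rec in records:
        path = rec.get("cs-uri-stem", "").lower()
        ua = rec.get("cs(User-Agent)", "").lower()
        if path in WEBSHELL_PATHS:
            flagged.append((rec, "webshell path"))
        elif ua.startswith(SCRIPTED_UA_PREFIXES):
            flagged.append((rec, "scripted client"))
    return flagged


def timeline_by_source(flagged: list[tuple[dict[str, str], str]]) -> dict[str, dict]:
    """Summarise flagged activity per client IP: first seen, last seen, hit count."""
    summary: dict[str, dict] = {}
    for rec, _reason in flagged:
        ts = ts_of(rec)
        entry = summary.setdefault(rec["c-ip"], {"first": ts, "last": ts, "hits": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["hits"] += 1
    return summary


def earliest_activity(flagged: list[tuple[dict[str, str], str]]) -> datetime | None:
    """Earliest flagged timestamp, or None when nothing was flagged."""
    return min((ts_of(rec) for rec, _ in flagged), default=None)


if __name__ == "__main__":
    hits = flag_suspicious(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip, e in sorted(timeline_by_source(hits).items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip:16} first={e['first']:%Y-%m-%d} last={e['last']:%Y-%m-%d} hits={e['hits']}")
    print("earliest flagged activity:", earliest_activity(hits))
```

Run against real logs by replacing `SAMPLE_LOG.splitlines()` with the lines of every rolled `u_ex*.log` file, oldest first, and extend `WEBSHELL_PATHS` from the vendor and CISA advisories rather than relying on the two heuristic rules here. On the constructed sample the scripted probing of the login page in July 2021 is what pushes the earliest date back, while the webshell hits cluster in April 2022 and May 2023, mirroring the kind of spread Kroll describes.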
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543