Cl0P gang sat on exploit for MOVEit flaw for nearly two years
Turns out the Cl0p ransomware group sat on a zero-day vulnerability it discovered in Progress Software’s MOVEit Transfer file transfer app for nearly two years before starting to exploit it — which it did with devastating effect earlier this month.
Over that holding period, members of the group periodically launched waves of malicious activity against vulnerable systems to test their access to organizations and to identify the ones worth targeting.
“The analogy I have been using is turning the doorknob, seeing it turn, then walking away knowing I can come back later, open the door, and walk through it,” says Scott Downie, associate managing director at Kroll’s Cyber Risk Business. “It can also be interpreted as them identifying potential targets,” he says.
Experimenting With a MOVEit Exploit for Nearly 2 Years
Researchers at Kroll Threat Intelligence, who investigated the recent attacks, found evidence showing Cl0P actors experimenting with ways to exploit the MOVEit Transfer vulnerability as far back as July 2021. Kroll’s review of Microsoft Internet Information Services (IIS) logs belonging to clients impacted in the attacks unearthed evidence of the threat actors conducting similar activity in April 2022 and twice last month, just days before the attacks.
The telemetry suggests the threat actors were testing access to vulnerable MOVEit Transfer instances and attempting to retrieve information that could help them identify the organizations where the software was installed. Much of the malicious reconnaissance and testing activity in the early stages, in July 2021, appears to have been manual in nature. But starting in April 2022, Cl0p actors began using an automated mechanism for probing multiple organizations at the same time and collecting information from them.
The last of the testing activity — before mass exploitation began — was in May and appeared designed to extract the unique “Org ID” identifier associated with each MOVEit Transfer user. The information could have helped the attackers categorize the organizations they could access, Kroll said. The company’s analysis of the IP addresses associated with the malicious activity showed them to be located in Russia and the Netherlands, Downie says.
“CVE-2023-34362 is a multi-stage process of exploitation,” Downie notes. “This activity is consistent with the first stage of CVE-2023-34362.”
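The retrospective hunt Kroll describes, reviewing IIS logs for the same sources touching the same application endpoints across widely separated windows, and telling scripted bursts apart from hands-on probing by request timing, can be approximated with a short script. The following is an added example written for this article; it is not Kroll's tooling and not code from Progress Software. The IIS W3C log lines are constructed, the watched URI stems (/guestaccess.aspx and /moveitisapi/moveitisapi.dll) are assumptions for illustration rather than indicators published in the article, and the five-second burst threshold that separates "automated" from "manual" is an arbitrary choice a practitioner would tune.

```python
"""Hunt IIS W3C extended logs for recurring, low-and-slow probing of chosen endpoints.

Added example, not Kroll's or Progress Software's code. Watched stems, sample
log lines and the burst threshold are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Assumed endpoints of interest for the hunt (illustrative, not indicators from the article).
WATCHED_STEMS = {"/guestaccess.aspx", "/moveitisapi/moveitisapi.dll"}

# Constructed IIS W3C sample in the default field order. 203.0.113.7 returns after
# nine months (manual in 2021, one-second bursts in 2022); 198.51.100.23 appears once.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-07-14 02:13:05 10.0.0.5 GET /guestaccess.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2021-07-14 02:19:41 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 95
2021-07-14 02:31:12 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 88
2022-04-03 11:00:01 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.7 python-requests/2.27 200 0 0 40
2022-04-03 11:00:02 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.7 python-requests/2.27 200 0 0 35
2022-04-03 11:00:03 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.7 python-requests/2.27 200 0 0 37
2023-05-27 19:45:10 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 198.51.100.23 python-requests/2.27 200 0 0 41
2023-05-27 19:45:11 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 python-requests/2.27 200 0 0 39
2023-05-28 08:02:33 10.0.0.5 GET /human.aspx - 443 alice 192.0.2.10 Mozilla/5.0 200 0 0 300
2023-05-28 08:02:35 10.0.0.5 GET /human.aspx - 443 alice 192.0.2.10 Mozilla/5.0 200 0 0 300
"""


@dataclass
class Hit:
    ts: datetime
    client_ip: str
    stem: str
    user_agent: str
    status: str


def parse_iis(lines: Iterable[str]) -> List[Hit]:
    """Parse W3C extended format, honouring each #Fields header (rollovers may change it)."""
    fields: List[str] = []
    hits: List[Hit] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # malformed row or data before a header: skip rather than misalign
        rec = dict(zip(fields, parts))
        hits.append(Hit(
            ts=datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"),
            client_ip=rec["c-ip"],
            stem=rec["cs-uri-stem"].lower(),
            user_agent=rec.get("cs(User-Agent)", "-"),
            status=rec.get("sc-status", "-"),
        ))
    return hits


def profile_clients(hits: Iterable[Hit], watched=WATCHED_STEMS, burst_seconds: float = 5.0) -> Dict[str, dict]:
    """Per client IP: when it touched watched endpoints, and whether any requests came in scripted bursts."""
    by_ip: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        if h.stem in watched:
            by_ip[h.client_ip].append(h)
    profiles: Dict[str, dict] = {}
    for ip, hs in by_ip.items():
        hs.sort(key=lambda h: h.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(hs, hs[1:])]
        profiles[ip] = {
            "first_seen": hs[0].ts,
            "last_seen": hs[-1].ts,
            "active_months": sorted({h.ts.strftime("%Y-%m") for h in hs}),
            "requests": len(hs),
            "min_gap_s": min(gaps) if gaps else None,
            # Assumed heuristic: two watched requests within burst_seconds suggests tooling, not a human.
            "likely_automated": bool(gaps) and min(gaps) <= burst_seconds,
            "agents": sorted({h.user_agent for h in hs}),
        }
    return profiles


def recurring_clients(profiles: Dict[str, dict], min_months: int = 2) -> List[str]:
    """IPs that came back to the watched endpoints in at least min_months distinct months: the doorknob turners."""
    return sorted(ip for ip, p in profiles.items() if len(p["active_months"]) >= min_months)


if __name__ == "__main__":
    prof = profile_clients(parse_iis(SAMPLE_LOG.splitlines()))
    for ip in recurring_clients(prof):
        p = prof[ip]
        print(f"{ip}: {p['requests']} requests, months {p['active_months']}, "
              f"automated={p['likely_automated']}, agents={p['agents']}")
```

Run against real logs by feeding the concatenated u_ex*.log files for the whole retention window to `parse_iis`; the value of the hunt lies in the span of months covered, since a single day's log would show only the final burst and not the earlier probes.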
CVE-2023-34362: Why Not Pull the Zero-Day Trigger?
Kroll has concluded with a high degree of confidence that Cl0P actors had a working exploit for the MOVEit vulnerability back in July 2021. But the group likely chose to sit on it for two years for a few reasons, theorizes Laurie Iacono, associate managing director, Cyber Risk Business at Kroll.
To read the complete article, visit Dark Reading.