Cl0p ransomware gang exploits MOVEit transfer SQL injection flaw
In a joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned of ongoing exploitation of a critical vulnerability in Progress Software’s MOVEit Transfer application by the notorious Cl0p ransomware gang, also known as TA505. The group has capitalized on an SQL injection flaw in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer, to launch its attacks.
The advisory details how the Cl0p ransomware gang exploited the SQL injection flaw to target internet-facing MOVEit Transfer web applications. Alarming the cybersecurity community, the gang has further threatened to publicly release the stolen data unless targeted businesses comply with its demands before June 14, 2023.
Microsoft, which tracks this activity under the codename Lace Tempest (aka Storm-0950), has been actively monitoring the Cl0p ransomware gang and has confirmed that the group is responsible for the exploitation of a critical security vulnerability in PaperCut servers. For over four years, starting from February 2019, the group has engaged in illicit operations such as running ransomware-as-a-service campaigns and acting as an initial access broker. Its modus operandi involves exploiting vulnerabilities like CVE-2023-34362, the SQL injection flaw in MOVEit Transfer, to gain control over internet-facing applications and conduct ransomware attacks. By exploiting this vulnerability, the attackers gain the ability to execute remote code, potentially leading to the deployment of ransomware or other destructive payloads.
An analysis by Kroll found that the Cl0p threat actors had been experimenting with this vulnerability since April 2022, with preliminary testing detected as far back as July 2021. Observations by Censys also indicate a decline in the number of exposed MOVEit Transfer instances, from over 3,000 hosts to slightly more than 2,600.
Kevin Beaumont weighed in on the situation, noting that this is the third time in three years that the Cl0p ransomware group has exploited zero-day vulnerabilities in web applications. The group specifically targets products that prominently emphasize their security features, further underscoring the evolving tactics employed by these threat actors.
The sources for this piece include an article in TheHackerNews.