
Clop Ransomware Group Likely Using MOVEit Vulnerability

Olivier Beg
Head of Hacking

Prominent British companies including British Airways, Boots, and the BBC have fallen victim to a cybercrime group known as Clop. The group has recently issued an ultimatum, demanding ransom negotiations after successfully stealing personal information belonging to over 100,000 employees across these organizations. The gravity of the situation has prompted fears that sensitive data such as names, addresses, national insurance numbers, and bank details could be exposed if the companies fail to comply.

Clop's attack targeted a crucial piece of business infrastructure, MOVEit, a secure file transfer product used for internal network communication. A vulnerability in this software enabled the cybercriminals to breach multiple victims in a single, large-scale hacking operation.

How to identify whether you are vulnerable

Proactively identifying vulnerable installations is the first step in securing your systems. Organizations can start by checking their MOVEit Transfer version. If the installed version predates 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), or 2023.0.1 (15.0.1), it may be vulnerable. In addition, open-source YARA rules and searches for the published indicators of compromise (IOCs) can help identify potentially malicious activity on the server.
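As an added illustration of that version check (example code written for this alert, not Hadrian's tooling), the following Python compares an inventory of MOVEit Transfer version strings against the fixed releases listed above, accepting both the year-style and the internal 13.x/14.x/15.x numbering; the hostnames and versions in INVENTORY are constructed.

```python
import re

# Fixed releases per branch, exactly as listed in the alert above.
# Keyed by (year, minor); the internal 13.x/14.x/15.x numbering is
# mapped onto the year-style numbering in parse_version().
PATCHED = {
    (2021, 0): (2021, 0, 6),   # 13.0.6
    (2021, 1): (2021, 1, 4),   # 13.1.4
    (2022, 0): (2022, 0, 4),   # 14.0.4
    (2022, 1): (2022, 1, 5),   # 14.1.5
    (2023, 0): (2023, 0, 1),   # 15.0.1
}
INTERNAL_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}
OLDEST_FIXED_BRANCH = min(PATCHED)

def parse_version(text):
    """Turn '2022.1.3', '14.1.3' or 'v14.1.3' into a (year, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized MOVEit version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (INTERNAL_TO_YEAR.get(major, major), minor, patch)

def assess(text):
    """Classify a version as 'vulnerable', 'patched' or 'unknown-branch'."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        return "vulnerable" if version < PATCHED[branch] else "patched"
    if branch < OLDEST_FIXED_BRANCH:
        # Every release in an older branch predates all the fixed versions.
        return "vulnerable"
    # A branch newer than anything in the alert: do not guess, flag for review.
    return "unknown-branch"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("mft-01.example.internal", "2022.1.3"),
    ("mft-02.example.internal", "14.1.5"),
    ("mft-legacy.example.internal", "2020.1.6"),
    ("mft-new.example.internal", "2023.0.1"),
]

def find_vulnerable(inventory):
    """Return the (host, version) pairs whose version is below its branch's fix."""
    return [(host, ver) for host, ver in inventory if assess(ver) == "vulnerable"]

if __name__ == "__main__":
    for host, ver in find_vulnerable(INVENTORY):
        print(f"{host}: {ver} is below the patched release for its branch")
```

A version check only covers the patch status; the YARA and IOC searches mentioned above are still needed to tell whether an unpatched server was already compromised.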

Hadrian’s Recommendations

Organizations should prioritize updating MOVEit Transfer to the latest patched version. Where an immediate update is not feasible, firewall rules that block HTTP and HTTPS traffic (ports 80 and 443) to the MOVEit Transfer server can provide temporary relief.

How significant is the threat?

The MOVEit vulnerability is concerning because it can be exploited remotely, potentially giving attackers unauthorized access to vulnerable systems.

To assess the potential impact, we identified approximately 2,500 publicly reachable MOVEit servers belonging to around 800 organizations, primarily in the United States. Note, however, that not all of these organizations are necessarily vulnerable to this specific exploit.


The identified vulnerability is a critical zero-day: a SQL injection (SQLi) flaw that allows remote unauthenticated attackers to access the MOVEit Transfer database. Exploitation could lead to severe consequences such as privilege escalation, data exfiltration, malware deployment, and theft of Azure system settings, associated keys, and containers.

Our analysis revealed the use of the LEMURLOOT web shell, masquerading as the legitimate "human.aspx" component within MOVEit. This deceptive tactic enables attackers to maintain persistence and continue their unauthorized activities.

Furthermore, file-transfer tools such as MOVEit have become attractive targets for cybercriminals because a single vulnerability in such an enterprise product can expose many organizations at once. Similar attacks have been observed, such as the exploitation of GoAnywhere MFT, underlining how common this type of threat has become.


To proactively address potential risks and prevent exploitation, organizations are encouraged to adopt an external exposure management solution. Such a solution enables the identification of vulnerabilities before they can be exploited. Reach out to our team of experts to gain further insights and explore the benefits of implementing this proactive approach. And check out our most recent vulnerability alert.
