Full Report
## Background

For the last couple of years, the threat actors associated with the CL0P ransomware group have occasionally ditched encryption in favour of exploiting file transfer applications in mass data-theft-extortion campaigns. This includes attacking Accellion FTA servers (December 2020), SolarWinds Serv-U FTP servers (November 2021), GoAnywhere MFT servers (February 2023), and PaperCut MF/NG servers (April 2023).

The operators of CL0P are a financially motivated, Russian-speaking cybercrime group. They are tracked, with varying degrees of connection, under multiple threat actor monikers by CTI vendors, including TA505 (Proofpoint), Lace Tempest (Microsoft), Graceful Spider (CrowdStrike), FIN11 (Mandiant), and GOLD TAHOE (Secureworks).

The main thing to remember about CL0P is that it is the name of the ransomware family as well as of the organized cybercrime group. In addition, according to both Microsoft and Secureworks, the ransomware family has more recently been used by other threat actors, such as FIN7, in targeted intrusions.

## What are CL0P doing now?

On or around 27 May 2023, the CL0P operators exploited another file transfer server. This time they targeted the MOVEit Transfer application by Progress Software using an SQLi vulnerability tracked as CVE-2023-34362.

Much like the last set of campaigns against file transfer applications, the threat actors have stolen the files that companies stored on these servers. The CL0P operators will then try to ransom the victims for cryptocurrency in exchange for not leaking the files publicly. No ransomware has been deployed.

## So What?

The reason many organizations are concerned is that many high-profile victims (e.g., British Airways and the BBC) are impacted, largely because their vendors and suppliers used MOVEit Transfer to store files containing sensitive data. A Shodan query for the application's favicon also revealed that up to 2,500 systems may be exposed to the internet and vulnerable to the attack.

It is unclear exactly how many organizations were impacted, but the number is anticipated to be in the three- or four-digit range. This incident has made headline news around the world, and many CTI analysts have been, or will inevitably be, questioned about it by their stakeholders.

## New Resource

Curated Intelligence is here to help. Our trust group is tracking all the developments of CL0P's MOVEit Transfer hacking campaign in our GitHub repository here.

Campaign Brief Summary (as of 8 June 2023):

- Rapid7 and Mandiant reportedly began observing exploitation on 27 May 2023
- GreyNoise reportedly observed scanning for the "human.aspx" file in March 2023
- It is suspected that CL0P waited until a long bank holiday weekend (Sat, Sun, Mon) in both the US and UK to launch their attack
- Kroll also claimed they believe CL0P has been trying to exploit MOVEit since 2021
- CISA and the FBI released an advisory tying CL0P to TA505 campaigns
- One of the main victims (that we know about so far) is an HR and payroll solution called Zellis, whose impacted customers include British Airways, the BBC, Aer Lingus, and Boots, among others
- CL0P has made an announcement on their Tor data leak site "CL0P ^_- Leaks" claiming responsibility and providing instructions for how victims can pay the ransom to stop their data from being published
Analysis Summary
# Incident Report: CL0P Exploitation of Progress MOVEit Transfer Application
## Executive Summary
The financially motivated, Russian-speaking cybercrime group CL0P (also known as TA505/FIN11) initiated a widespread data-theft campaign targeting the Progress MOVEit Transfer application starting around late May 2023. The attackers exploited a critical SQL Injection vulnerability (CVE-2023-34362) to steal sensitive data from many organizations utilizing the platform. The primary impact is mass data exfiltration leveraged for extortion, with no immediate deployment of ransomware observed.
## Incident Details
- Discovery Date: On or around 27 May 2023 (when exploitation reports surfaced)
- Incident Date: On or around 27 May 2023 (attack launch)
- Affected Organization: Numerous organizations globally relying on MOVEit Transfer (including clients of vendors like Zellis, impacting entities like British Airways, BBC, Aer Lingus, and Boots).
- Sector: Varied (Data involved suggests Finance, HR/Payroll, Aviation, Media)
- Geography: Global (impact so far recognized primarily across the US and UK)
## Timeline of Events
### Initial Access
- Date/Time: On or around 27 May 2023 (Launch of mass exploitation). GreyNoise observed scanning for related artifacts ("human.aspx") as early as March 2023. Attack launch coincided with US/UK bank holidays.
- Vector: Exploitation of SQL Injection vulnerability in the MOVEit Transfer application, tracked as **CVE-2023-34362**.
- Details: Attackers leveraged the flaw to access and potentially manipulate the database environment hosting sensitive files.
### Lateral Movement
- Details: Not explicitly detailed, but the campaign focused on accessing and exfiltrating data stored within the exploited MOVEit servers. CL0P has a history of focusing on exploitation rather than deep internal lateral movement in these specific file transfer campaigns.
### Data Exfiltration/Impact
- Details: Theft of files stored by victim organizations on their MOVEit Transfer servers. The files likely contain sensitive customer, employee, or proprietary data. CL0P demanded ransom payments in exchange for non-disclosure/non-release of the stolen data.
### Detection & Response
- Date/Time: Rapid response initiated around 27 May 2023, with CTI vendors (Rapid7, Mandiant) observing and analyzing exploitation.
- Details: CISA and the FBI released joint advisories. CTI groups tracked the campaign (e.g., Curated Intelligence GitHub repository). Organizations whose vendors were compromised began active incident response and notification processes.
## Attack Methodology
- Initial Access: SQL Injection (CVE-2023-34362) on the MOVEit Transfer application.
- Persistence: Not explicitly detailed, but likely relied on maintaining access mechanisms established via the SQLi (such as backdoors or web shells, common in previous CL0P campaigns).
- Privilege Escalation: Not explicitly detailed; leverage of the SQLi likely provided database access capable of staging or extracting data.
- Defense Evasion: Exploitation targets an unpatched, internet-facing vulnerability during periods favorable to attackers (holiday weekends).
- Credential Access: Not explicitly detailed as the primary method; data access was achieved via vulnerability exploitation.
- Discovery: Likely targeted discovery of files stored within the compromised MOVEit environment.
- Lateral Movement: Focus appears to be data volume collection from the compromised application server, not network-wide traversal.
- Collection: Staging and harvesting of files stored on the MOVEit Transfer appliance.
- Exfiltration: Data was stolen for subsequent extortion.
- Impact: Extortion via public data leak threats. No ransomware encryption observed in this campaign variant.
## Impact Assessment
- Financial: Costs associated with incident response, remediation, regulatory fines, and potential ransom payments (if paid). Direct financial data not disclosed.
- Data Breach: **Sensitive data** stored by numerous global entities, including customers of companies like Zellis (e.g., British Airways, BBC employee/client data). Volume unknown but anticipated to be substantial across hundreds of victims.
- Operational: Direct operational impact centers on the compromised MOVEit servers; potential disruption for vendors managing the transfer of sensitive data.
- Reputational: Significant negative press coverage due to high-profile victims like the BBC and significant supply chain compromise concerns.
## Indicators of Compromise
*Note: The source article provides no specific IoCs (hashes, addresses, or exploit payloads); the indicators below are generalized from the threat profile.*
- Network indicators: Scanning activity targeting known MOVEit endpoints, in particular requests probing for the human.aspx file (general observation; no source addresses are given in the article).
- File indicators: Artifacts related to SQL injection exploitation, file staging, or potential web shells deployed post-exploitation (specific hashes not provided).
- Behavioral indicators: Excessive database queries or data-retrieval operations through the MOVEit web application interface that result in unusually large file downloads.
## Response Actions
- Containment measures: Patching or isolating internet-facing MOVEit Transfer instances immediately upon disclosure of CVE-2023-34362.
- Eradication steps: Forensic examination of affected servers to identify backdoors or lingering persistent mechanisms left by CL0P.
- Recovery actions: Restoration of affected systems and data, if integrity was compromised beyond exfiltration. Coordination with CISA/FBI advisories.
## Lessons Learned
- CL0P continues to pivot focus from pure ransomware deployment to mass data-theft leverage using zero-day or N-day vulnerabilities in widely deployed MFT solutions (Accellion, Serv-U, GoAnywhere, MOVEit).
- Organizations relying on third-party vendors for data transfer are inherently at risk due to the supply chain compromise vector.
- Exploitation often occurs immediately following vulnerability disclosure or during times when security teams are less active (holiday weekends).
## Recommendations
- Immediately apply vendor-supplied patches for CVE-2023-34362 across all MOVEit Transfer instances.
- Isolate or restrict external access to any MFT solution that handles sensitive data, limiting access only to necessary enterprise addresses if immediate patching is impossible.
- Enhance monitoring for anomalous database activity, especially SQL errors or high-volume outbound data transfers originating from application servers.
- Review vendor contracts and security posture, ensuring third parties handling sensitive data are regularly audited for critical vulnerability management adherence.
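The behavioral indicators listed under Indicators of Compromise (probing of the human.aspx endpoint, large download volumes through the web interface) and the monitoring recommendation above (high-volume outbound transfers from application servers) can be turned into a first-pass log triage. The following script is an added example written for this report; it is not code from the original article or from Curated Intelligence. It assumes a simplified, constructed access-log layout (`date time client_ip method uri status bytes_sent`) rather than the exact IIS log format a MOVEit Transfer server writes, and the thresholds (1 GiB per client, more than 5 hits on one endpoint within 60 seconds) are illustrative assumptions to be tuned against a site's own baseline.

```python
"""Triage of web-server access logs for two MOVEit-campaign behavioural indicators:
(1) burst probing of a single endpoint (e.g. human.aspx) from one client, and
(2) an unusually large total volume of bytes served to one client.

Constructed example, not tooling from the original report. The log layout and
thresholds below are assumptions; adapt both to the real server's log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log lines (RFC 5737 documentation addresses, invented sizes).
# Layout assumed here: date time client_ip method uri status bytes_sent
SAMPLE_LOG = """\
2023-05-27 02:10:11 198.51.100.7 GET /human.aspx 200 1024
2023-05-27 02:10:12 198.51.100.7 GET /human.aspx 200 1024
2023-05-27 02:10:13 198.51.100.7 GET /human.aspx 200 1024
2023-05-27 02:10:14 198.51.100.7 GET /human.aspx 200 1024
2023-05-27 02:10:15 198.51.100.7 GET /human.aspx 200 1024
2023-05-27 02:10:16 198.51.100.7 GET /human.aspx 200 1024
2023-05-27 02:12:00 198.51.100.7 GET /human.aspx?arg=1 200 734003200
2023-05-27 02:12:30 198.51.100.7 GET /human.aspx?arg=2 200 524288000
2023-05-27 08:00:01 203.0.113.10 GET /human.aspx 200 1024
2023-05-27 08:05:41 203.0.113.10 GET /human.aspx?arg=3 200 2097152
2023-05-27 09:30:00 192.0.2.44 POST /api/v1/token 200 512
"""


class Request(NamedTuple):
    ts: datetime
    client: str
    method: str
    uri: str
    status: int
    bytes_sent: int


LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<uri>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse lines in the assumed layout; lines that do not match are skipped."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        requests.append(Request(
            ts=datetime.fromisoformat(f"{m['date']} {m['time']}"),
            client=m["client"], method=m["method"], uri=m["uri"],
            status=int(m["status"]), bytes_sent=int(m["bytes"]),
        ))
    return requests


def high_volume_clients(requests, threshold_bytes: int) -> dict:
    """Sum bytes served (successful responses only) per client; return those over the threshold."""
    totals = defaultdict(int)
    for r in requests:
        if r.status == 200:
            totals[r.client] += r.bytes_sent
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return {ip: total for ip, total in ranked if total > threshold_bytes}


def endpoint_bursts(requests, endpoint: str, max_hits: int,
                    window: timedelta = timedelta(seconds=60)) -> dict:
    """Clients whose peak request count to `endpoint` (query string ignored) inside any
    sliding `window` exceeds `max_hits`; returns {client: peak_count}."""
    hits = defaultdict(list)
    for r in requests:
        if r.uri.split("?", 1)[0].lower() == endpoint.lower():
            hits[r.client].append(r.ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[ip] = peak
    return flagged


def triage(text: str) -> dict:
    """Run both checks with the illustrative thresholds and return the findings."""
    reqs = parse_log(text)
    return {
        "high_volume": high_volume_clients(reqs, 1 << 30),        # > 1 GiB served
        "bursts": endpoint_bursts(reqs, "/human.aspx", max_hits=5),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

On the constructed sample the burst check flags 198.51.100.7 (six hits on /human.aspx within five seconds) and the volume check flags the same client for roughly 1.2 GB served, while 203.0.113.10's two spaced-out requests and small downloads stay below both thresholds. Neither check alone is proof of compromise; the point is to surface the clients worth a closer forensic look, after which the Eradication steps above (examining the server for web shells or other persistence) apply.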