CL0P Ransomware: ExtraHop Identifies MOVEit Vulnerabilities

On Tuesday, June 20, ExtraHop released a Threat Briefing for MOVEit Transfer Critical Vulnerabilities in the Reveal(x) network detection and response (NDR) platform. The new Threat Briefing alerts users to three critical vulnerabilities in the MOVEit Transfer managed file transfer software package: CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708.

The CL0P ransomware group has been exploiting the first vulnerability, CVE-2023-34362, to allegedly steal data from many organizations.

The new Threat Briefing shows ExtraHop customers whether they have devices on their networks running MOVEit Transfer, and therefore, whether they are at risk for CL0P ransomware or another threat actor exploiting MOVEit vulnerabilities.

ExtraHop recommends that customers review whether they have devices running MOVEit Transfer and also apply a patch released by MOVEit vendor Progress Software on June 16. Progress advises its customers to block all HTTP and HTTPS access to MOVEit Transfer to protect their environments.

Shortly after releasing the Threat Briefing, ExtraHop developed and rolled out a dashboard to help organizations track whether they’ve been affected by the MOVEit vulnerability.

While early reports noted that organizations using MOVEit were vulnerable, subsequent research on the vulnerability revealed that even organizations not running MOVEit in-house could still be exposed. Kurt Skowronek, a senior sales engineer at ExtraHop, notes that because employees can connect to MOVEit servers outside their organizations, to share files with third parties, organizations not running MOVEit internally could be exposed to malicious files that attackers placed on unpatched MOVEit servers.

The ExtraHop dashboard can tell an organization what internal systems had access to MOVEit, even if the MOVEit software was running in a third party’s environment, and when an employee tries to access a MOVEit server, he added.

“If one of your employees goes to a MOVEit server that’s not patched, regardless of whether you run that server in-house or a third party runs it, there is a risk,” Skowronek said. “We want our clients to easily and comprehensively assess the risk to their users and data by allowing them to go back in time, hunt for threats and see if any employee connected to a MOVEit server while it was vulnerable.”

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the MOVEit vulnerability. CISA and the FBI warned that CL0P began exploiting a previously unknown SQL injection vulnerability in MOVEit Transfer. Internet-connected MOVEit applications were injected with a web shell called LEMURLOOT, which hackers then used to steal data from MOVEit Transfer databases.

The CISA advisory noted that CL0P has used other zero-day vulnerabilities recently to target file transfer devices and servers from other companies.

CL0P, also known as TA505, has claimed several victims with the MOVEit-based attacks in recent weeks, including U.S. Department of Energy contractor Oak Ridge Associated Universities and nuclear waste disposal facility, the Waste Isolation Pilot Plant.

CL0P, an active ransomware group since 2014, had given breached organizations a deadline of June 14 to contact the hacking group before having their data released publicly. The hackers claimed to breach hundreds of organizations and named more than two dozen on its website, including some in the finance, healthcare, IT, manufacturing, education, and pharmaceutical sectors. Many of the named victims are based in the U.S.