The threat actors behind the Clop (Cl0p in some variants) cyber crime gang currently holding the likes of British Airways (BA), Boots and the BBC to ransom may have discovered the MOVEit Transfer zero day used to steal their data almost two years ago.
This is according to threat researchers from Kroll, who published analysis on 8 June that shows that Clop may have been experimenting with ways to exploit the SQL injection in the MOVEit Transfer managed file transfer product for quite some time prior to the mass exfiltration event of the past week. Kroll believes the exploit was certainly available and being tested in April 2022, and likely as long ago as July 2021.
They also shared indicators that Clop had completed its development work on the MOVEit exploit – now tracked as CVE-2023-34362 – by the time it was exploiting the Fortra GoAnywhere file transfer vulnerability, which first came to light in February, and has been keeping it in its back pocket since then.
“From Kroll’s analysis, it appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel. These findings highlight the significant planning and preparation that likely precede mass exploitation events,” wrote the research team.
The team, which comprises Kroll global head of incident response Devon Ackerman, associate managing directors Lauria Iacono and Scott Downie, and associate Dan Cox, analysed exploitation activity associated with CVE-2023-34362 that took place on or around the weekend of 27 and 28 May – significantly, a long, holiday weekend in both the US and UK.
By and large, this activity comprised an automated exploitation chain that led to the deployment of a web shell. It centred around two legitimate components of MOVEit Transfer but, when the team reviewed the Microsoft Internet Information Services (IIS) logs of affected customers, it found evidence of similar activity occurring in multiple environments from July 2021 onwards.
The most significant spikes in this activity occurred on 27 April 2022, and then later on 15 and 16 May 2023, likely the result of Clop trying to test their access to victim organisations, and pulling back information from MOVEit Transfer services to try to figure out who they had compromised.
On 22 May 2023, Clop appeared to begin to pull back organisation identifiers from MOVEit Transfer servers. Ackerman et al said the gang was probably trying to identify which organisations they had compromised and categorise and make an inventory of them. This spike occurred over 22 minutes and was associated with a single IP address across multiple victims.
Further analysis found more connections between spikes in activity over the two-year timeframe, which the team said showed how Clop started out by manually testing CVE-2023-34362 in July 2021 and slowly developed an automated solution.
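The kind of IIS log review described above can be sketched as follows. This is an added example, not Kroll's tooling: it flags any client IP that requests watched URI stems on several servers inside one short time window. The URI stems are placeholders because the article does not name the two components, and the logs are assumed to carry the `date`, `time`, `s-ip`, `c-ip` and `cs-uri-stem` fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder URI stems (assumption): the article does not name the two
# MOVEit Transfer components, so substitute the paths under investigation.
WATCHED = {"/placeholder-component-a", "/placeholder-component-b"}

def parse_iis(lines):
    """Yield one dict per request, keyed by the log's own #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def cross_server_bursts(lines, window=timedelta(minutes=30), min_servers=2):
    """Map client IP -> servers, for IPs that requested WATCHED stems on at
    least min_servers distinct servers inside one sliding time window."""
    hits = defaultdict(list)
    for rec in parse_iis(lines):
        if rec.get("cs-uri-stem", "").lower() in WATCHED:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            hits[rec["c-ip"]].append((ts, rec["s-ip"]))
    flagged = defaultdict(set)
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than the window
            servers = {server for _, server in events[start:end + 1]}
            if len(servers) >= min_servers:
                flagged[ip] |= servers
    return {ip: sorted(servers) for ip, servers in flagged.items()}

# Constructed sample: merged logs from three servers, documentation-range IPs.
SAMPLE = """#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2024-01-15 10:00:05 10.0.0.5 POST /placeholder-component-a 203.0.113.7 200
2024-01-15 10:09:40 10.0.1.5 POST /placeholder-component-a 203.0.113.7 200
2024-01-15 10:21:12 10.0.2.5 GET /placeholder-component-b 203.0.113.7 200
2024-01-15 10:03:00 10.0.0.5 GET /index.html 198.51.100.20 200
2024-01-15 10:05:00 10.0.0.5 POST /placeholder-component-a 198.51.100.9 200
2024-01-15 14:30:00 10.0.1.5 POST /placeholder-component-a 198.51.100.9 200
""".splitlines()

if __name__ == "__main__":
    print(cross_server_bursts(SAMPLE))
```

Widening `window` trades precision for recall: slow, manual testing of the sort the team dated to July 2021 only shows up with a much longer window than an automated burst does.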
New concerns
At the time of writing, the MOVEit vulnerability remains under aggressive exploitation, and Clop yesterday set the clock ticking on a seven-day deadline for victims to contact it to begin ransom negotiations. To date, only Clop is known to have exploited it, but this does not mean others will not. There are thought to be more than 2,000 instances of MOVEit Transfer accessible from the public internet, and according to The Record, around 130 of these are located in the UK.
Perhaps more worryingly, analysts at Huntress who conducted their own analysis of the exploit found that contrary to what was at first thought, it may be trivially easy to use CVE-2023-34362 to deploy and execute ransomware.
The Huntress team recreated the attack chain and found that the initial SQL injection phase opened the door for arbitrary code execution. In short order, they were able to use CVE-2023-34362 to receive shell access using Meterpreter, escalate their privileges, and detonate a Clop ransomware payload.
“This means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action,” said Huntress senior security researcher John Hammond.
“Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group. The attacker could disable antivirus protections, or achieve any other arbitrary code execution.”
Hammond added that the behaviour thus far observed is not strictly necessary to compromise MOVEit Transfer, but rather an option that Clop likely chose to use for persistence.
“The recommended guidance is still to patch and enable logging. From our own testing, the patch does effectively thwart our recreated exploit,” he said.