Clop Starts MOVEit Extortion as New Bug is Discovered

The Clop ransomware gang has begun publishing names of the organizations impacted by its recent data theft campaign, as MOVEit developer Progress Software warned customers of yet another newly discovered vulnerability.

Yet to receive a CVE, the new bug is rated critical and “could lead to escalated privileges and potential unauthorized access to the environment,” Progress warned in an update yesterday.

Read more on the original MOVEit flaw: Critical Zero-Day Flaw Exploited in MOVEit Transfer.

Although the vendor has patched MOVEit Cloud and fully restored all clusters, MOVEit Transfer customers are being asked to immediately disable all HTTP and HTTPS traffic in order to mitigate the risk of a breach, while Progress releases an official update.

This is the third vulnerability discovered in recent weeks in the popular managed file transfer software, following SQLi bug CVE-2023-34362, which was exploited by the Clop gang to compromise what it claims to be hundreds of global customers.

That vulnerability was patched by Progress on May 31, while a second SQLi vulnerability, CVE-2023-35036, was fixed on June 9.

True to its promise, Clop began releasing the names of its victims on a dedicated leak site yesterday, as the deadline expired for them to pay a ransom.

Emsisoft threat analyst Brett Callow claimed there were 47 confirmed victims as of late Thursday, plus an unspecified number of US government agencies.

Among the new names revealed by Clop are energy giant Shell and the University of Georgia. They join household names like BA, Boots, the BBC and Ireland’s health service (HSE).

Charl Van Der Walt, head of security research at Orange Cyberdefense, argued that the extortionists will probably try to ramp up the tension by drip-feeding details of their victims.

“With this hack, it’s very likely that we don’t see all the data brought to light in one go; instead, we may see something eye-catching that will make industry and regulatory bodies stand up and take notice especially as most threat actors want to drag these out for as long as they can, partly to maintain the attention and build notoriety,” he explained.

“These actors often try to build a narrative about what they leak, doing their best to justify their actions or get a reaction from their victims.”

The US Cybersecurity and Infrastructure Security Agency (CISA) is thought to be assisting government victims of the attacks.
