cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

More details of Clop’s MOVEit Transfer campaign emerge, as CISA and FBI release advisory

Details continue to emerge after Progress Software announced it had found a vulnerability in its MOVEit Transfer file transfer platform — a vulnerability that an infamous ransomware gang had already taken full advantage of days before the announcement.

user icon David Hollingworth
Thu, 08 Jun 2023
crime software
expand image

Progress shared the news on 31 May, but a then-unknown threat actor had already been exfiltrating data from MOVEit users for days beforehand. As it turns out, the Clop ransomware gang was behind the very likely opportunistic campaign and has already contacted many of its victims to begin negotiations.

“Clop is one of top organization offer penetration testing service after the fact,” Clop’s ransom notice read, complete with poorly written English. “This is announcement to educate companies who use progress MOVE1t [sic] product that chance is that we download alot of your data as part of exception, exploit we are the only one who perform such attack and relax because your data is safe.”

The notice goes on to say how victims can contact Clop and the process to have their data securely erased. The gang claims that it will absolutely erase data, as well as provide proof of the data they have. The note also states what will happen if payment is not arranged.

“You have 3 day to discuss price and if no agreement you custom page will be created … after 7 days all you data will start to be publication,” the note read.

“You chat will close after 10 not productive day and data will be publish.”

While a number of companies have reported they have fallen victim, including the BBC, the Boots chemist chain, and British Airways, security researchers at SentinelOne have observed over 20 organisations that have been affected by the hack. The affected organisations come from a range of sectors — including aviation and transport, financial services, healthcare, manufacturing, and publishing.

It is believed the vulnerability was found using port scanning or the Shodan indexing service.

In the meantime, both the FBI and CISA have released a range of advisories on the vulnerability and how to mitigate against it. Here are the key actions to take:

  • Perform an inventory of assets and data, as well as any unauthorised devices.
  • Grant admin privileges only where needed; establish an allowed software list.
  • Monitor network ports and protocols; activate security configurations on network infrastructure devices.
  • Patch and update software regularly; conduct regular vulnerability assessments.

“FBI and CISA encourage organisations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Clop ransomware and other ransomware incidents,” the CISA advisory read.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.