Data Breaches
June 6, 2023

Microsoft identifies Clop ransomware group in MOVEit data breach campaign

Microsoft has linked the recent data-theft attacks on organisations to the Clop ransomware gang. The attacks exploited a zero-day vulnerability in the MOVEit Transfer platform.

The Microsoft Threat Intelligence team tweeted on Sunday night that Lace Tempest, a group known for its ransomware operations and for running the Clop extortion site, is responsible for these attacks. They stated that the threat actor has previously used similar vulnerabilities to steal data and extort victims.

MOVEit Transfer is a managed file transfer (MFT) solution designed to enable secure file transfers between business partners and customers. It supports secure protocols such as SFTP and SCP as well as HTTP-based uploads.

The attacks are believed to have begun on May 27th, and multiple organisations have since reported data theft during them.

The attackers used the MOVEit zero-day to deploy customised webshells on the servers. These gave them the ability to retrieve a list of stored files, download those files, and steal the credentials or secrets of any Azure Blob Storage containers that had been configured.

The perpetrators behind the attacks

It was widely suspected that the Clop ransomware operation was responsible, because the attacks resembled previous campaigns carried out by the same group.

The Clop ransomware operation is notorious for targeting managed file transfer software. It was previously behind data theft attacks that used a GoAnywhere MFT zero-day in January 2023 and zero-day vulnerabilities in Accellion FTA servers in 2020.

Microsoft has linked the attacks to a group it tracks as 'Lace Tempest', a name assigned under the new threat actor naming convention it introduced in April. Lace Tempest is also known by other aliases, including TA505, FIN11 and DEV-0950.

So far, the Clop ransomware operation has not made any extortion attempts. However, the gang is known to wait several weeks after stealing data before contacting company executives with its demands.

During the GoAnywhere extortion attacks, a Clop ransom note was sent stating, "We deliberately did not disclose your organisation, we wanted to negotiate with you and your leadership first."

The note further warned, "If you choose to ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can find information about us on Google by searching for the CLOP hacker group."

Once Clop begins extorting victims, it typically adds a wave of new victims to its data leak site, together with threats to publish the stolen files imminently. This tactic is intended to apply additional pressure during the extortion.

In the GoAnywhere attacks, it took slightly over a month before victims began to be listed on the gang's extortion site.

In conclusion

The recent attacks linked to the Clop ransomware gang and attributed to Lace Tempest have drawn attention to the exploitation of a zero-day vulnerability in the MOVEit Transfer platform. Microsoft's identification of the threat actor also highlights its past activities, in particular targeting managed file transfer software for data theft.

While the Clop gang has not yet initiated extortion demands, their history suggests they may wait a few weeks before contacting victims and applying pressure through threats of publishing stolen files.

These developments highlight the persistent and evolving nature of cyber threats, emphasising the need for organisations to remain vigilant, regularly update their security measures, and proactively respond to emerging vulnerabilities.

In addition to maintaining vigilance and updating security measures, organisations can benefit from conducting web application penetration testing as part of their proactive defence against such threats. By thoroughly assessing the security of their web applications, organisations can identify vulnerabilities and weaknesses that could be exploited by threat actors like the Clop ransomware gang.

Regular penetration testing helps uncover potential entry points and allows the necessary safeguards to be put in place to prevent unauthorised access and data breaches.
