Microsoft pins MOVEit Transfer vulnerability on Cl0p

Microsoft said the recent attack that exploited the MOVEit Transfer 0-day vulnerability was likely carried out by the Cl0p ransomware group.

"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site," the researchers said.

MOVEit Transfer is hosted file transfer software developed by U.S. developer Ipswitch. The 0-day vulnerability affects MOVEit Transfer's servers, allowing an attacker to access and download data stored there.

The vulnerability has already affected major companies through attacks on their third-party providers. For example, British Airways (BA) said an attack on its payroll service provider, Zellis, affected the company's employees.

BA said in a statement that they had learned that they were one of the companies affected by the Zellis cybersecurity incident, which occurred through one of their third-party vendors, MOVEit.

Cl0p, a ransomware group presumably linked to Russia, confirmed Microsoft's attribution of the exploit to Reuters' Raphael Satter and said more victims would appear on the group's blog.

Earlier this year, Cl0p made headlines after successfully exploiting a zero-day vulnerability in Fortra's GoAnywhere. The group compromised a number of companies, including Shell, Hatch Bank, Bombardier, Stanford University, Rubrik, Saks Fifth Avenue and more.

"Microsoft strongly urges organizations affected by the CVE-2023-34362 MOVEit Transfer vulnerability to apply security patches and perform mitigation actions provided by Progress in their security advisory," the Microsoft team said.

Cl0p ransomware has been around since 2019 - a long time in the ever-changing ransomware landscape. The group has also been at the forefront of the ransomware world, with estimated earnings reaching $500 million as of November 2021.

That same year, Ukrainian law enforcement conducted a major crackdown on the group, arresting several individuals and dismantling the group's server infrastructure. The arrests ultimately forced the group to cease operations between November 2021 and February 2022. However, the group has been steadily recovering since then.