Insights from CLOP’s MOVEit Extortion Attack | Intel471

Jun 22, 2023

On May 27, 2023, the CLOP ransomware and extortion group began exploiting MOVEit, software that organizations use to transfer large files. CLOP used a Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) to place a web shell named LEMURLOOT on MOVEit instances. From there, the group used LEMURLOOT to download files stored within MOVEit (the U.S. Cybersecurity and Infrastructure Security Agency has published a full rundown of indicators of compromise). Victims include organizations across verticals including education, manufacturing and government.

A screenshot of the MOVEit managed file transfer software. (Source: Progress Software)

CLOP encouraged victims to reach out to the group, warning that it would list victims on its data leak site. On June 14, 2023, it began listing the names of organizations it compromised and finally began leaking files. CLOP demanded ransoms in exchange for deleting the data. Although CLOP has been associated with ransomware, this incident has not involved a file-encrypting component. This means that victims are not operationally constrained due to inaccessible files. Rather, the public dumping of files poses a risk of embarrassment and of exposing commercially confidential information and personally identifiable information (PII).

This blog post will explore some key observations Intel 471 has made through its analysis of CLOP (also linked to threat groups FIN11 and TA505) over several years and what enterprises should keep in mind.

Point #1: CLOP’s Capabilities

CLOP has been a persistent and damaging threat actor. CLOP’s latest mass exploitation event shows that the group has the capability and resources to acquire zero-day vulnerabilities in enterprise software. This should come as no surprise: ransoms paid by victims can be channeled into vulnerability hunting and exploit development. This is not a new tactic, as other ransomware groups such as the defunct REvil ransomware gang have used zero-day exploits to further their attacks.

CLOP targets file transfer software. In late 2020 and 2021, it exploited zero-day flaws in Accellion’s File Transfer Appliance (FTA). Those attacks achieved much the same outcome as the MOVEit attack. The CLOP group was also observed exploiting the CVE-2021-35211 remote code execution (RCE) vulnerability in Serv-U managed file transfer (MFT) and Serv-U Secure file transfer protocol (FTP) software. The same style of attack occurred again in March 2023, when CLOP exploited a vulnerability in Fortra’s GoAnywhere MFT servers, again stealing data and claiming as many as 130 victims. CLOP is focused and determined, and will continue to target popular enterprise applications, as doing so allows the group to conduct high-impact attacks at scale.

Point #2: Patch but Evaluate Longer-Term Risks

After CLOP began exploiting CVE-2023-34362, MOVEit’s vendor, Progress Software, developed and released a patch. The publicity generated from CLOP’s disclosure of the initial vulnerability led researchers to further interrogate MOVEit’s code base, resulting in the discovery of two more vulnerabilities. Around June 9, 2023, the computer security consultancy Huntress found another flaw, which was different from CVE-2023-34362. On June 15, 2023, a security researcher publicly disclosed a third zero-day SQLi vulnerability (CVE-2023-35708) on Twitter without disclosing it first confidentially to Progress Software. It’s not uncommon for the discovery of one flaw to suddenly result in other vulnerabilities discovered in rapid succession. This pattern means that security situations could be unpredictable, and it’s worth considering in fast-moving incidents whether non-critical software should be kept online.

Point #3: Examine Data Retention in FTP Applications

CLOP’s repeated exploitation of FTP applications should serve as a warning. Exposed software applications can be discovered using search engines such as Shodan and Censys, making it easy for attackers to select targets. Initial searches after the MOVEit vulnerability became known showed as many as 2,500 internet-facing instances of it running, a large potential victim pool. Internet-exposed applications for transferring files satisfy an important use case, but clearly the risks are too high now. Additionally, the volume of data stolen from organizations suggests that data that could be deleted after a transfer is complete is not being deleted. Data governance practices generally advise deleting data no longer needed. This minimizes the amount that could be stolen and leaked, including that of partners and third-party suppliers. As an example with MOVEit, the exploitation of U.K. payroll provider Zellis by CLOP has affected its downstream customers, including the BBC, pharmacy chain Boots, British Airways and Aer Lingus. CLOP has been known in the past to contact partners affected by one of its breaches, pressuring them to pay a ransom to stop publication of data.

Point #4: No Operational Impediment

Although John Hammond, a senior security researcher with Huntress, discovered that it would have been possible for CLOP to launch encryption attacks, the group opted to only exfiltrate data. Ransomware groups usually exfiltrate and then encrypt data to subject victims to what’s known as double extortion. Victims can be ransomed both for a decryption key to unlock data and also for the attack group to not publish data on a leak site.

CLOP’s publishing of stolen data is damaging but not an operational impediment, which is an aspect to take into consideration when evaluating a ransom demand. CLOP has previously provided victims with videos purportedly showing their data is being deleted. While Intel 471 takes no stance on the decision of whether to pay a ransom, it is virtually impossible to verify that a threat group has indeed deleted data after a ransom is paid. It’s a point that should be considered by those in this unfortunate position.

Final Thoughts

CLOP said it would delete all government data, a move perhaps intended to avoid tangling with offensive-focused intelligence agencies fighting ransomware and cybercrime. Affected government entities that have come forward include the U.S. Department of Energy, and other federal agencies are known to have used MOVEit. In another example, the U.S. state of Oregon says CLOP’s attack impacted 90% of its driver’s licenses and state IDs, affecting some 3.5 million people.

The CLOP group claimed it deleted the data of more than 30 government organizations.

But despite the pledge to delete, CLOP’s latest mass exploitation event has attracted attention. Since the attacks, the U.S. Justice Department announced a US $10 million reward for information leading to the identification of CLOP members. In June 2021, law enforcement agencies charged six Ukrainian nationals as alleged members of the CLOP ransomware group. However, the action had limited impact since those apprehended engaged solely in money laundering, while the core group members were not impacted. CISA says it has no indications that CLOP, believed to be based in Russia, is acting in coordination with the Russian government. CISA Director Jen Easterly also said the agency views CLOP’s data smash-and-grab as “opportunistic” and that it – unlike the SolarWinds supply chain compromise – does not represent a systemic risk to U.S. national security.

Nonetheless, mass extortion events are damaging. Hopefully this incident will trigger an earnest review of the necessity, security controls and data retention policies around FTP software.