Connect with us

Hi, what are you looking for?



Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021

Evidence suggests that the Cl0p ransomware group has known about and conducted tests with the recently patched MOVEit zero-day since mid-2021.

Newly uncovered evidence suggests that cybercriminals have known about the recently patched MOVEit Transfer zero-day vulnerability since mid-2021.

The zero-day affecting the managed file transfer (MFT) software, tracked as CVE-2023-34362, started being widely exploited on or around May 27. The product’s developer, Progress Software, alerted customers on May 31, but at least 100 organizations have reportedly been compromised as part of the malicious campaign.

Shortly after the attacks came to light, threat intelligence company GreyNoise reported seeing scanning activity possibly related to CVE-2023-34362 in early March.

However, security researchers at risk and financial advisory services firm Kroll have found evidence suggesting that exploitation — or at least testing of the vulnerability — may have started much earlier.

Kroll has looked at the Microsoft IIS logs of customers impacted by the recent attacks and discovered similar activity occurring in other client environments in April 2022 and July 2021. 

“Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing,” the company said. 

In the attacks from July 2021, it appeared that the attackers were conducting manual testing, based on how long the activity lasted. The attackers seemed to switch to automated tools in subsequent activity, which lasted minutes and even seconds.

Advertisement. Scroll to continue reading.

An analysis of the IP addresses involved in the older attacks pointed to the Cl0p ransomware group. Microsoft attributed the recent MOVEit exploitation to Cl0p and the threat actor took credit for the attacks shortly after.

In a message posted on its website, the ransomware gang claimed to have exploited the MOVEit zero-day to steal files from “hundreds of companies”, instructing victims to get in touch by June 14 to avoid their data getting leaked. The hackers claim they are not targeting government organizations.

Victims have started coming forward. The list includes the Nova Scotia government and UK payroll company Zellis, through which the hackers gained access to data belonging to some of its customers, including British Airways and BBC.

This is not the first time Cl0p has exploited a zero-day vulnerability in an MFT product to hit multiple organizations in a short time interval. Earlier this year, the cybercriminals exploited a GoAnywhere flaw to exfiltrate data from companies that had been using the product. 

“From Kroll’s analysis, it appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel. These findings highlight the significant planning and preparation that likely precede mass exploitation events,” Kroll said.

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.