Newly uncovered evidence suggests that cybercriminals have known about the recently patched MOVEit Transfer zero-day vulnerability since mid-2021.
The zero-day affecting the managed file transfer (MFT) software, tracked as CVE-2023-34362, started being widely exploited on or around May 27. The product’s developer, Progress Software, alerted customers on May 31, but at least 100 organizations have reportedly been compromised as part of the malicious campaign.
Shortly after the attacks came to light, threat intelligence company GreyNoise reported seeing scanning activity possibly related to CVE-2023-34362 in early March.
However, security researchers at risk and financial advisory services firm Kroll have found evidence suggesting that exploitation — or at least testing of the vulnerability — may have started much earlier.
Kroll reviewed the Microsoft IIS logs of customers hit in the recent attacks and found similar activity in other client environments as far back as July 2021, and again in April 2022.
“Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing,” the company said.
Based on how long the July 2021 activity lasted, Kroll assessed that the attackers were testing the vulnerability manually. In the later waves the activity lasted only minutes, and in some cases seconds, which is consistent with a switch to automated tooling.
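The distinction above, hands-on testing that stretches over hours versus scripted access that finishes in seconds, is something a responder can pull out of the same IIS logs Kroll worked from. The following is an added example, not code from the article or from Kroll: it parses W3C-format IIS log lines, groups requests to MOVEit Transfer application paths by source IP, measures how long each source was active, and labels the tempo. The sample log lines are constructed, the watched URI stems and the 600-second threshold are assumptions for the illustration, and the IP addresses are documentation ranges, not indicators.

```python
"""Session-tempo triage of IIS logs for a MOVEit Transfer host (added example)."""
from collections import defaultdict
from datetime import datetime

# URI stems treated as MOVEit Transfer application surface. Assumed for this
# example; substitute the paths that actually appear in your deployment's logs.
MOVEIT_PATHS = {
    "/guestaccess.aspx",
    "/human.aspx",
    "/moveitisapi/moveitisapi.dll",
}

# Heuristic: one source active for longer than this is treated as
# hands-on-keyboard; shorter spans as scripted. Assumed threshold, tune locally.
MANUAL_THRESHOLD_SECONDS = 600

# Constructed sample W3C IIS log (not real data). Three sources touch the
# application: one over hours, two within seconds, plus one single-hit source.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-07-12 09:02:11 GET /guestaccess.aspx 203.0.113.10 200
2021-07-12 09:17:45 POST /guestaccess.aspx 203.0.113.10 200
2021-07-12 10:41:03 POST /moveitisapi/moveitisapi.dll 203.0.113.10 200
2021-07-12 11:55:30 GET /human.aspx 203.0.113.10 200
2022-04-27 14:00:01 POST /moveitisapi/moveitisapi.dll 198.51.100.7 200
2022-04-27 14:00:03 POST /guestaccess.aspx 198.51.100.7 200
2022-04-27 14:00:04 GET /human.aspx 198.51.100.7 200
2023-05-22 03:10:00 GET /human.aspx 192.0.2.44 200
2023-05-22 03:10:01 POST /moveitisapi/moveitisapi.dll 192.0.2.44 200
2023-05-22 08:00:00 GET /human.aspx 192.0.2.9 200
"""


def parse_iis_w3c(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header names."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file; honour the latest
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def sessions_by_source(records, watch_paths=MOVEIT_PATHS):
    """Group requests to watched paths by client IP and measure each source's active span."""
    per_ip = defaultdict(list)
    for r in records:
        if r["cs-uri-stem"].lower() in watch_paths:
            ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
            per_ip[r["c-ip"]].append((ts, r["cs-method"], r["cs-uri-stem"]))
    summary = {}
    for ip, hits in per_ip.items():
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        summary[ip] = {
            "first": hits[0][0],
            "last": hits[-1][0],
            "span_seconds": span,
            "requests": len(hits),
            "paths": sorted({h[2] for h in hits}),
            "tempo": "manual" if span > MANUAL_THRESHOLD_SECONDS else "automated",
        }
    return summary


def triage(text, min_requests=2):
    """Return (ip, summary) pairs for sources with enough hits, oldest first.

    A single request is too little to call a tempo, so such sources are dropped.
    """
    summary = sessions_by_source(parse_iis_w3c(text))
    flagged = {ip: s for ip, s in summary.items() if s["requests"] >= min_requests}
    return sorted(flagged.items(), key=lambda kv: kv[1]["first"])


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG):
        print(f'{s["first"]:%Y-%m-%d}  {ip:<14} {s["requests"]:>2} req  '
              f'{s["span_seconds"]:>8.0f}s  {s["tempo"]:<9} {", ".join(s["paths"])}')
```

On the constructed sample this reports the 2021 source as manual (active for nearly three hours) and the 2022 and 2023 sources as automated (three seconds and one second respectively). The span heuristic is deliberately coarse; in practice you would pair it with the response sizes and the specific endpoints touched, since a scripted probe that "pulls back information" about the target tends to show up as a short, fixed sequence of requests with non-trivial response bodies.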
An analysis of the IP addresses involved in the older attacks pointed to the Cl0p ransomware group. Microsoft attributed the recent MOVEit exploitation to Cl0p and the threat actor took credit for the attacks shortly after.
In a message posted on its website, the ransomware gang claimed to have exploited the MOVEit zero-day to steal files from “hundreds of companies”, instructing victims to get in touch by June 14 to avoid their data getting leaked. The hackers claim they are not targeting government organizations.
Victims have started coming forward. The list includes the Nova Scotia government and UK payroll company Zellis, through which the hackers gained access to data belonging to some of Zellis's customers, including British Airways and the BBC.
This is not the first time Cl0p has exploited a zero-day vulnerability in an MFT product to hit multiple organizations in a short time interval. Earlier this year, the cybercriminals exploited a GoAnywhere flaw to exfiltrate data from companies that had been using the product.
“From Kroll’s analysis, it appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel. These findings highlight the significant planning and preparation that likely precede mass exploitation events,” Kroll said.
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.