On June 5, 2023, the Clop ransomware group pulled back the curtain on its latest operation, openly claiming responsibility for the exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). The flaw is a SQL injection bug that gives an unauthenticated attacker access to MOVEit Transfer servers, and Kroll, the cybersecurity firm, had previously issued mitigation guidance for it.
The Forensics of the Exploit
Kroll's deep dive into the Clop exploit revealed not just data exfiltration through the uploaded web shell, but signs of a methodically planned operation. Evidence suggests the Clop actors had been investigating ways to exploit this specific vulnerability possibly as far back as 2021.
This underscores the calculated precision behind mass exploitation events like the MOVEit Transfer attack. Kroll's findings suggest the Clop group may already have had a working MOVEit Transfer exploit before launching its February 2023 attack on the GoAnywhere MFT secure file transfer tool, and chose to run the two campaigns in sequence rather than concurrently.
The Timeline of the Attack
Kroll's initial sweep of environments hit by the MOVEit Transfer vulnerability exposed a surge of exploitation activity around May 27 and 28, 2023, just days before Progress Software, the developer of MOVEit, publicly disclosed the vulnerability on May 31, 2023.
That timing coincided with the U.S. Memorial Day weekend, consistent with the attackers' preference for launching major operations during holiday periods, much as the Kaseya VSA supply chain attack began on Friday, July 2, 2021, ahead of the Independence Day weekend.
The May 27-28 activity appears to have been an automated attack sequence that ended with the deployment of the human2.aspx web shell, a file named to resemble the legitimate human.aspx. The exploit chain involved interactions with two legitimate MOVEit Transfer components, moveitisapi/moveitisapi.dll and guestaccess.aspx. Because those two paths are legitimate, a request to either one is not by itself an indicator; what stands out in the server logs is a client hitting them in quick succession and then requesting human2.aspx.
Clop’s Prolonged Experimentation
Analysing the Microsoft Internet Information Services (IIS) logs of affected clients, Kroll discovered traces of similar activity in numerous client environments dating back to April 2022 and, in some cases, to July 2021.
The evidence outlines a timeline of Clop's systematic exploration of the MOVEit Transfer exploit: activity consistent with exploitation was noted on April 27, 2022; May 15–16, 2023; and May 22, 2023. The actors appear to have been testing access to organizations through automated means and retrieving information from MOVEit Transfer servers to identify which organization each server belonged to.
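The request chain described under "The Timeline of the Attack" and the IIS log review described here can be reproduced against your own MOVEit Transfer logs with a small script. The following is an added example written for this article; it is not Kroll's tooling and not Progress Software code. It reads IIS W3C extended-format logs, groups requests to the three paths named above (moveitisapi/moveitisapi.dll, guestaccess.aspx and human2.aspx) by client IP, and flags an IP that touches all three within a short window. The sample log, IP addresses and the ten-minute window are constructed assumptions for the demonstration.

```python
"""Triage IIS W3C logs for the MOVEit Transfer request chain described above.

Added example; not Kroll's tooling and not MOVEit code. The sample log below
is constructed. Indicator paths are the ones named in the article:
moveitisapi/moveitisapi.dll and guestaccess.aspx (legitimate components the
exploit chain touches) and human2.aspx (the web shell).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WEBSHELL = "/human2.aspx"
CHAIN_PATHS = frozenset({
    "/moveitisapi/moveitisapi.dll",  # legitimate; suspicious only in sequence
    "/guestaccess.aspx",             # legitimate; suspicious only in sequence
    WEBSHELL,                        # not a legitimate file; any hit is notable
})

# Constructed sample in IIS W3C extended format (IIS '+'-encodes spaces inside
# field values, so a whitespace split is safe). One client walks the full
# chain within seconds; another only touches guestaccess.aspx.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-27 23:58:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-27 23:58:01 10.0.0.5 GET /human.aspx - 443 - 198.51.100.10 Mozilla/5.0 200
2023-05-27 23:58:02 10.0.0.5 GET /moveitisapi/moveitisapi.dll - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-27 23:58:03 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-27 23:58:04 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-27 23:58:09 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 08:15:22 10.0.0.5 GET /guestaccess.aspx - 443 - 192.0.2.44 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Parse IIS W3C log text into dict rows keyed by the '#Fields:' names.

    Reading the column layout from the directive means the parser does not
    depend on a fixed field selection; each row also gets a '_ts' datetime.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; skipping beats misaligned columns
        row = dict(zip(fields, parts))
        row["_ts"] = datetime.strptime(f"{row['date']} {row['time']}",
                                       "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_exploit_chains(rows, window_seconds=600):
    """Group indicator hits by client IP and flag the exploit chain.

    Returns {c-ip: {"hits": [(ts, path, method, status), ...],
                    "webshell": bool, "full_chain": bool}} where full_chain
    means all three indicator paths were requested from that IP within
    window_seconds of each other (assumed default: ten minutes).
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if stem in CHAIN_PATHS:
            by_ip[r["c-ip"]].append(
                (r["_ts"], stem, r.get("cs-method"), r.get("sc-status")))

    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        full_chain = False
        for i, (t0, _, _, _) in enumerate(hits):
            # Paths seen from this hit forward, inside the window.
            seen = {p for t, p, _, _ in hits[i:] if t - t0 <= window}
            if CHAIN_PATHS <= seen:
                full_chain = True
                break
        findings[ip] = {
            "hits": hits,
            "webshell": any(p == WEBSHELL for _, p, _, _ in hits),
            "full_chain": full_chain,
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_exploit_chains(parse_iis_log(SAMPLE_LOG)).items():
        verdict = ("FULL CHAIN" if f["full_chain"]
                   else "web shell hit" if f["webshell"] else "partial")
        print(f"{ip}: {verdict}")
        for ts, path, method, status in f["hits"]:
            print(f"  {ts}  {method:4} {path} -> {status}")
```

Run it against a directory of u_ex*.log files by feeding each file's text to parse_iis_log and merging the rows before calling find_exploit_chains. The per-IP hit list doubles as a timeline: the earliest timestamp in a full-chain finding is the date to compare against the April 2022 and May 2023 windows Kroll reported, and a lone guestaccess.aspx or moveitisapi.dll hit without human2.aspx is ordinary traffic until proven otherwise.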