Microsoft Researchers Link Clop Group to MOVEit Transfer Attack

Microsoft has linked the Clop extortion gang to the recent attacks that exploit a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.

"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations and running the Clop extortion site," the Microsoft Threat Intelligence team wrote last night on Twitter*.

"Lace Tempest" is the new name, under Microsoft's updated threat actor naming taxonomy, for the group better known as TA505, FIN11 or DEV-0950.

"The threat actor has used similar vulnerabilities in the past to steal data and extort victims," the researchers added.

MOVEit Transfer is a managed file transfer (MFT) solution that lets enterprises securely exchange files with business partners and customers using SFTP, SCP and HTTP-based uploads.

The attacks on the platform are believed to have begun on May 27, during the long Memorial Day weekend in the United States, after which numerous organizations discovered that their data had been stolen.

The attackers exploited the MOVEit zero-day to drop specially crafted web shells on the servers, which let them enumerate the files stored on the server, download those files, and steal the credentials and secrets for any configured Azure Blob Storage containers.
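One way a defender could hunt for the dropped web shells described above, as an added example (this is not code from the article, Microsoft or Progress): inventory the ASP.NET handler files under the MOVEit Transfer web root, flag any file that is not in a known-good baseline, and flag baseline files whose modification time is on or after the reported May 27 start of the campaign. The web root path, the baseline list and the sample directory tree are constructed placeholders; in practice you would build the baseline from a known-clean install of the same version.

```python
"""Hunt for unexpected ASP.NET handler files in a MOVEit Transfer web root.

Added example, not code from the article, Microsoft or Progress. The web root,
the baseline of expected files and the sample tree below are constructed
placeholders; replace them with an inventory taken from a known-clean install.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Reported start of the campaign (see the article); anything touched on or
# after this date deserves a look even if the file name is expected.
CUTOFF = datetime(2023, 5, 27, tzinfo=timezone.utc)

# Extensions IIS executes as ASP.NET handlers; a dropped web shell
# typically uses one of these.
HANDLER_EXTS = {".aspx", ".ashx", ".asmx"}


def find_unexpected_handlers(web_root, baseline, cutoff=CUTOFF):
    """Return a list of (relative_path, reason) tuples.

    A file is reported when it has a handler extension and either
    (a) its path is absent from the baseline of expected files, or
    (b) it is in the baseline but its mtime is on/after the cutoff
        (a legitimate file overwritten with shell code).
    """
    root = Path(web_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in HANDLER_EXTS:
            continue
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif mtime >= cutoff:
            findings.append((rel, f"baseline file modified {mtime:%Y-%m-%d}"))
    return findings


def build_sample_web_root():
    """Create a constructed (fake) web root in a temp dir and return
    (root_path, baseline). File names and dates are made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="moveit_demo_"))
    (root / "api").mkdir()
    sample = {
        # relative path      (mtime,                                   in baseline?)
        "login.aspx":        (datetime(2023, 2, 10, tzinfo=timezone.utc), True),
        "api/upload.ashx":   (datetime(2023, 2, 10, tzinfo=timezone.utc), True),
        "help.html":         (datetime(2023, 2, 10, tzinfo=timezone.utc), True),
        "cache.aspx":        (datetime(2023, 5, 28, tzinfo=timezone.utc), False),  # dropped shell
        "settings.aspx":     (datetime(2023, 5, 29, tzinfo=timezone.utc), True),   # overwritten
    }
    baseline = set()
    for rel, (when, expected) in sample.items():
        p = root / rel
        p.write_text('<%@ Page Language="C#" %>\n')
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # backdate/forward-date to the constructed mtime
        if expected:
            baseline.add(rel)
    return str(root), baseline


if __name__ == "__main__":
    root, baseline = build_sample_web_root()
    for rel, reason in find_unexpected_handlers(root, baseline):
        print(f"{rel}: {reason}")
```

Modification times can be reset by an attacker, so treat the cutoff check as a triage aid, not proof of innocence; the baseline comparison is the stronger signal, and any hit should be followed up by reviewing the file contents and the IIS logs for requests to it.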

Although at the time it was unclear who was behind the attacks, it was widely suspected that the Clop ransomware operation was responsible, given the similarities with the group's earlier attacks. After all, it was this group that carried out the two largest cyberattacks in the history of MFT platforms. The first was in 2020, when Clop exploited a zero-day vulnerability in Accellion FTA; the second was in January of this year, again through a zero-day, this time in Fortra GoAnywhere MFT. In both attacks, Clop obtained the data of hundreds of organizations.

The extortion phase has not yet begun, and victims have not yet received ransom demands. However, if Microsoft's attribution is correct, the Clop gang is known to wait several weeks after the theft, presumably to sort through the stolen data and assess its value. Only when they are ready do they email their demands to the executives of the affected companies.

After the GoAnywhere attack, it took a little over a month before the hackers published a list of victims on their leak site. This time, most likely, we will also have to wait a while. We will keep following developments.

* This social network is banned in the Russian Federation.
