Clop Hacking Group Begins Extorting Companies Breached through MOVEit Transfer

Clop and MOVEit Transfer
Written by Emma Davis

The Clop ransomware group has begun extorting companies hit by the mass exploitation of a zero-day vulnerability in MOVEit Transfer. The hackers have already started listing the names of affected companies on their leak site.

In the meantime, breaches have been confirmed by the oil and gas company Shell and by several US federal agencies.

Let me remind you that it all started with a zero-day vulnerability (CVE-2023-34362, an SQL injection flaw) in the MOVEit Transfer managed file transfer solution, which came to light at the start of June 2023. All versions of MOVEit Transfer were affected, and attacks on them were reported to have begun as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers. The shells allowed them to list the files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.
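The article describes what the web shells did but not how a defender might look for them. The following is an added example, not code from the article, from Progress, or from any of the researchers it cites: a small triage script that walks a MOVEit Transfer web root and flags .aspx files that were modified on or after the earliest reported attack date (May 27, 2023) and/or that reference the three Azure Blob settings named above. The directory layout, file names, and file contents it creates are constructed stand-ins so that it runs offline, and the two-signal heuristic is an assumption chosen for illustration, not an indicator set published by any vendor.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Earliest exploitation date reported in the article.
EARLIEST_ATTACK = datetime(2023, 5, 27, tzinfo=timezone.utc)

# The MOVEit Transfer settings the article says the web shells read
# in order to steal Azure Blob Storage credentials and secrets.
AZURE_SETTINGS = ("AzureBlobStorageAccount", "AzureBlobKey", "AzureBlobContainer")
SETTING_RE = re.compile("|".join(re.escape(s) for s in AZURE_SETTINGS))


def scan_webroot(webroot, since=EARLIEST_ATTACK):
    """Triage every .aspx file under `webroot`.

    Returns a sorted list of (relative_path, severity, azure_settings_referenced):
      "high"   - modified on/after `since` AND references the Azure settings
      "review" - only one of the two conditions holds
    Files matching neither condition are not reported.
    """
    webroot = Path(webroot)
    findings = []
    for path in sorted(webroot.rglob("*.aspx")):
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        recent = mtime >= since
        hits = sorted(set(SETTING_RE.findall(path.read_text(errors="replace"))))
        if recent and hits:
            severity = "high"
        elif recent or hits:
            severity = "review"
        else:
            continue
        findings.append((path.relative_to(webroot).as_posix(), severity, hits))
    return findings


def build_sample_webroot():
    """Create a constructed stand-in for a MOVEit Transfer web root.

    File names and contents are hypothetical and exist only so the example
    runs offline; they are not real MOVEit files or real attacker artifacts.
    """
    root = Path(tempfile.mkdtemp(prefix="moveit-sample-"))
    before = datetime(2023, 1, 15, tzinfo=timezone.utc).timestamp()
    after = datetime(2023, 6, 1, tzinfo=timezone.utc).timestamp()
    samples = {
        # shipped page, untouched since before the attacks: not reported
        "default.aspx": ('<%@ Page Language="C#" %> <!-- product page -->', before),
        # recently modified but no credential access: worth a look
        "api/status.aspx": ('<%@ Page Language="C#" %> <!-- health check -->', after),
        # recent and reads the Azure settings: looks like a dropped shell
        "dropped.aspx": (
            '<%@ Page Language="C#" %>\n'
            '<% string acct = GetSetting("AzureBlobStorageAccount");\n'
            '   string key = GetSetting("AzureBlobKey"); %>',
            after,
        ),
        # not an .aspx file: ignored even though it names a setting
        "readme.txt": ("AzureBlobContainer is configured in the admin UI", after),
    }
    for rel, (body, ts) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.utime(p, (ts, ts))  # back-date so the mtime heuristic has something to compare
    return root


if __name__ == "__main__":
    for rel, severity, hits in scan_webroot(build_sample_webroot()):
        print(f"{severity:6} {rel}  {', '.join(hits) or '-'}")
```

On a real server the script would be pointed at the MOVEit Transfer web root rather than the sample directory, and the timestamp check should be treated as a weak signal on its own: an attacker can reset file times, and legitimate patching touches files too, which is why a file is rated "high" only when it is both recent and references the credential settings.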

Microsoft analysts subsequently attributed these attacks to the Clop ransomware group (also tracked as Lace Tempest, TA505, FIN11 and DEV-0950).

Let me remind you that we have also written about Clop ransomware operators leaking data from two universities, and about Clop ransomware attacking the German company Software AG.

In total, hundreds of companies were compromised in the attacks on MOVEit Transfer, and over the past weeks many victims have confirmed breaches. Among them is Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse. Through the Zellis breach, data belonging to the Irish airline Aer Lingus, British Airways, the BBC, and the British pharmacy chain Boots was compromised.

It also became known that the data leaks affected the University of Rochester, the government of Nova Scotia, the authorities of the US states of Missouri and Illinois, BORN Ontario, Ofcom, Extreme Networks and the American Therapeutic Society.

Moreover, it emerged this week that, according to the US Cybersecurity and Infrastructure Security Agency (CISA), which works with various federal agencies, the attacks also affected several federal agencies; according to the Federal News Network, two divisions of the US Department of Energy were among those hacked.

At the same time, it should be noted that in earlier conversations with journalists, Clop members claimed that they automatically delete all data stolen from government organizations. According to them, they try to avoid such attacks altogether, and if one does happen, data taken from the military, children's hospitals and government bodies is erased immediately.

As Bleeping Computer now reports, the hackers have already begun posting lists of affected companies on their leak site and are promising to start publishing the stolen data on June 21 if ransoms are not paid.

Several of the organizations listed by the hackers, including British oil and gas company Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia and the University System of Georgia, Heidelberger Druck and Landal Greenparks, confirmed to reporters that they were affected to varying degrees by the attacks on the MOVEit Transfer vulnerability.

Shell said that only a small number of employees and customers were affected. Landal Greenparks said the attackers gained access to the names and contact details of approximately 12,000 guests.

The University System of Georgia, the University of Georgia and UnitedHealthcare Student Resources say they are still investigating the attacks and will disclose any breaches if they are found.

The German printing press manufacturer Heidelberger Druck reports that although it does use MOVEit Transfer, its investigation of the incident found that the attack did not lead to a data leak.

Putnam Investments did not comment on the hackers' claims, saying it is still looking into the matter.

Although the other companies listed on the ransomware site did not respond to journalists' inquiries, security researcher Yutaka Sejiyama confirmed to the publication that they use the MOVEit Transfer platform or have used it in the past.

About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.