https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit-transfer-vulnerability-cve-2023-34362
CYBER RISK
Thu, Jun 8, 2023

CLOP RANSOMWARE LIKELY SITTING ON MOVEIT TRANSFER VULNERABILITY (CVE-2023-34362) SINCE 2021
Scott Downie, Devon Ackerman, Laurie Iacono, Dan Cox

NOTE: The MOVEit Transfer vulnerability remains under active exploitation, and Kroll experts are investigating. Expect frequent updates to the Kroll Cyber Risk blog as our team uncovers more details.

On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). Kroll previously provided guidance on steps to mitigate risks associated with this critical vulnerability, which allows attackers to gain unauthenticated access to MOVEit Transfer servers.

Subsequent Kroll analysis of this exploitation has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021. This finding illustrates the sophisticated knowledge and planning that go into mass exploitation events such as the MOVEit Transfer cyberattack. Based on these observations, the Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023 but chose to execute the attacks sequentially instead of in parallel.

TIMELINE

Kroll's initial analysis of clients impacted by the MOVEit Transfer vulnerability indicated a broad swath of activity associated with the vulnerability on or around May 27 and 28, 2023, just days prior to Progress Software's public announcement of the vulnerability on May 31, 2023. This time frame coincided with the Memorial Day weekend in the U.S., reinforcing threat actors' preference for launching major cyber exploitations during holiday weekends (e.g., the Kaseya supply chain attack on July 3, 2021).

Activity during the May 27–28 period appeared to be an automated exploitation attack chain that ultimately resulted in the deployment of the human2.aspx web shell. The exploit centered on interaction between two legitimate components of MOVEit Transfer: moveitisapi/moveitisapi.dll and guestaccess.aspx. Figure 1 illustrates commonly observed commands during the attack time frame.

Figure 1: Threat Actor Commands Leading to Exploitation

Kroll's review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021.

Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing. Figure 2 highlights malicious activity that occurred on May 22, 2023. Such activity appeared to be aimed at pulling back an Organization ID ("Org ID"), a unique identifier that correlates with only one MOVEit Transfer user, helping the threat actors to categorize which entities they could access. This activity, which Kroll observed for less than 22 minutes, was associated with one IP address across multiple organizations: 92.51.2.10. Collecting the Org ID would allow Clop to categorize victims and inventory data for each exfiltration operation.

Figure 2: Threat Actor Pulls Back Organizational Information, May 22, 2023

Similar activity, but on a much larger scale, occurred from May 15, 2023, at 17:55:25 (UTC) to May 16, 2023, at 13:59:06 (UTC), coming from IP address 92.118.36.112. In fact, the traffic during this time frame (immediately preceding the mass exploitation event) replicated activity that occurred more than a year earlier, in April 2022. Kroll's historical log review identified identical activity coming from IP address 92.118.36.233 for approximately two hours on April 27, 2022, from 10:50:54 (UTC) to 12:42:58 (UTC). Figure 3 shows commands across two different clients, revealing that the commands were run against the organizations in less than 24 seconds, pointing to the likelihood of an automated tool running such activity.

Figure 3: Automated Commands Hitting Multiple Organizations on April 27, 2022

Kroll observed similar activity on MOVEit Transfer servers nearly two years ago, between July 6 and 18, 2021, again pulling back the Org ID, this time coming from IP address 45.129.137.232 (Figure 4).

Figure 4: MOVEit Activity in July 2021

Commands during the July 2021 time frame appeared to be run over a longer period of time, suggesting that testing may have been a manual process at that point, before the group created an automated solution that it began testing in April 2022.

CLOP CONNECTIONS: IP ADDRESS ANALYSIS

92.118.36.112 / 92.118.36.233
* Kroll observed these IP addresses in connection with malicious MOVEit Transfer activity that occurred on April 27, 2022, and May 15–16, 2023. Reporting on the Clop GoAnywhere activity in February 2023 identified the IP addresses 92.118.36.123, 92.118.36.210, 92.118.36.213, and 92.118.36.249 as indicators of compromise.

45.129.137.232
* Kroll observed that this IP address targeted MOVEit Transfer servers in July 2021. Of note, this IP address was previously attributed to the Clop ransomware group (aka GRACEFUL SPIDER) trying to exploit the SolarWinds Serv-U product in that same month and year.

CLOP EXTORTION TACTICS

Since its public statement claiming responsibility for the MOVEit Transfer attacks, the Clop ransomware group has updated its threat actor website, instructing users of MOVEit Transfer products to contact them via email. According to the post shown in Figure 5, Clop will provide proof of data exfiltration and discuss pricing with victims to avoid public publication of the data. Clop indicates that companies that do not contact them will be published by name on the actor-controlled website. Kroll's Threat Intelligence team regularly reviews the actor-controlled website and can confirm that, in the wake of the GoAnywhere exploitation, nearly 100 victim organizations were listed on the Clop website.

Clop typically posts data in a series of posts rather than one large data leak. Presently, over 100 victims have at least one post containing stolen data, and nearly 75% of victims have had more than one post exposing data.

Figure 5: Clop Group Publishes Mass Notification to MOVEit Customers

CONCLUSION

It appears that the Clop threat actors may have been experimenting with ways to exploit the MOVEit Transfer vulnerability for quite some time prior to the recent mass exfiltration event. Kroll observed a similar fact pattern across multiple MOVEit Transfer cases, and in some instances the activity occurred across multiple organizations within seconds or minutes of each other. Kroll assesses with high confidence that the MOVEit Transfer exploit as it exists today:

* Was available and being used/tested in April 2022
* Was available and being used/tested in July 2021

From Kroll's analysis, it appears that the Clop threat actors had the MOVEit Transfer exploit completed at the time of the GoAnywhere event and chose to execute the attacks sequentially instead of in parallel. These findings highlight the significant planning and preparation that likely precede mass exploitation events.

LET'S NOT FORGET

Even though immediate action is needed and the MOVEit vulnerability is under aggressive exploitation, it's important to keep a level head. Yes, patch as soon as possible, but also consider existing detections and your ability to respond should something suspicious happen. For internal teams burdened with a host of other priorities and a remote workforce, support from dedicated experts who have the frontline expertise, resources and technical skills to assess your exposure can greatly reduce your risk profile. Talk to a Kroll expert today via our 24x7 hotlines or contact form.
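A starting point for the IIS log review the article describes, added here as an example and not Kroll's own tooling: it parses IIS W3C extended logs and flags requests to the human2.aspx web shell path, requests from the IP addresses named above, and short bursts of moveitisapi.dll / guestaccess.aspx requests from a single client, which the article treats as a sign of automated activity. The burst thresholds and the sample log lines are assumptions.

```python
# Added example (not Kroll's tooling): triage IIS W3C logs from a MOVEit
# Transfer host for the request pattern the article describes.
from collections import defaultdict
from datetime import datetime, timedelta

# IP addresses the article associates with the activity (taken from the page).
ARTICLE_IPS = {"92.51.2.10", "92.118.36.112", "92.118.36.233", "45.129.137.232"}
# The two legitimate components the exploit chain drove, and the web shell path.
EXPLOIT_COMPONENTS = {"/moveitisapi/moveitisapi.dll", "/guestaccess.aspx"}
WEB_SHELL = "/human2.aspx"
BURST_WINDOW, BURST_MIN_HITS = timedelta(seconds=30), 3  # assumed; tune per site

def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def analyze_iis_log(text):
    """Return (severity, client_ip, detail) findings for the log text."""
    findings = []
    component_hits = defaultdict(list)  # client IP -> component request times
    for rec in parse_iis_w3c(text):
        if "date" not in rec or "time" not in rec:
            continue  # malformed line or missing #Fields header
        ip, stem = rec.get("c-ip", "?"), rec.get("cs-uri-stem", "").lower()
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        if stem == WEB_SHELL:
            findings.append(("high", ip, f"{when} request to web shell {stem}"))
        if ip in ARTICLE_IPS:
            findings.append(("high", ip, f"{when} request from reported IP: {stem}"))
        if stem in EXPLOIT_COMPONENTS:
            component_hits[ip].append(when)
    # Automation signal: BURST_MIN_HITS component requests from one IP in BURST_WINDOW.
    for ip, times in component_hits.items():
        times.sort()
        for i in range(len(times) - BURST_MIN_HITS + 1):
            if times[i + BURST_MIN_HITS - 1] - times[i] <= BURST_WINDOW:
                findings.append(("medium", ip, f"{times[i]} burst of component requests"))
                break
    return findings

# Constructed sample; 203.0.113.7 and 198.51.100.4 are documentation addresses.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-27 03:10:01 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 203.0.113.7 200
2023-05-27 03:10:02 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.7 200
2023-05-27 03:10:04 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.7 200
2023-05-27 03:10:09 10.0.0.5 POST /human2.aspx - 443 203.0.113.7 200
2023-05-16 10:15:30 10.0.0.5 GET /guestaccess.aspx - 443 92.118.36.112 200
2023-05-27 08:00:00 10.0.0.5 GET /api/v1/token - 443 198.51.100.4 200
"""
```

Run `analyze_iis_log` over a real log export and sort the findings by client IP to see which hosts show the web shell, the reported infrastructure, or the burst pattern; the time-taken and user-agent columns in a full log are available through the same parser for further pivoting.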