Cashing in on the global attack that tapped the MOVEit Transfer SQL injection vulnerability, the Cl0p ransomware group has started listing victims on its leak site. The group earlier gave June 14 as the ransom payment deadline.
The latest list includes the University of Georgia, global fossil fuel business Shell, and US-based investment management firm Putnam Investments.
MOVEit Transfer SQL injection vulnerability and the Cl0p ransomware group list
The data-leak website of the Cl0p ransomware group has become the center of attention ever since it took credit for exploiting the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362).
On June 6, 2023, the group issued a warning, stating that victims of MOVEit Transfer had one week to initiate negotiations or face public exposure and data leakage on their data-leak site, CL0P LEAKS.
“On June 14, 2023, Clop named its first batch of 12 victims. No victim data has been leaked at the time of writing, said a ReliaQuest report on the situation.
The majority of the named victims are from the US, while others come from Switzerland, Canada, Belgium, and Germany.
The Cyber Express analysis of the previous attacks of the Cl0p ransomware group shows that it has primarily targeted organizations in the US, followed by Canada, the UK, and Germany. The victims of the MOVEit Transfer exploit align with Cl0p’s previous targets.
“Before the MOVEit Transfer leaks, most victims named on its data-leak website were involved in manufacturing (66 entities named), followed by technology (41) and healthcare (33) providers,” said the ReliaQuest.
Cl0p ransomware group and the affinity for MFTs
MOVEit Transfer SQL injection vulnerability was the latest enterprise managed file transfer (MFT) software weakness that Cl0p ransomware group used to target unsuspecting victims.
The previous instances of such exploitation occurred as follows:
In February 2023, the group acknowledged its responsibility for over 130 attacks, leveraging a zero-day vulnerability in Fortra GoAnywhere MFT (CVE-2023-0669).
In December 2020, Clop exploited zero-day vulnerabilities in Accellion’s outdated file-transfer application software, resulting in data theft from over 100 companies.
Interestingly, in all three campaigns, Clop refrained from deploying its namesake ransomware. Instead, the group opted for data extortion tactics.
They refrained from encrypting victim systems but rather resorted to threatening to publicly disclose sensitive data stolen from MFT software.
These supply-chain attacks have proven to be ruthlessly efficient, allowing Clop to simultaneously target a multitude of victims. Despite the change in victim notification, Cl0p is expected to continue its standard practices.
Negotiations will occur through private chat rooms on the dark web, victims will be named on their data-leak website if negotiations fail, and data will be leaked in stages, noted the ReliaQuest report.
The long list of MOVEit Transfer SQL injection vulnerability victims
According to researchers, further organizations are anticipated to be named on CL0P LEAKS in the near future. For those refusing to pay the ransom, data leaks will likely occur gradually.
The release of additional MOVEit Transfer vulnerabilities (CVE-2023-35036) suggests future attacks Cl0p and other groups. Cl0p’s expansion into supply-chain attacks targeting MFT software indicates similar attacks can be expected in the coming months.
Meanwhile, the FBI has solicited any available information, such as boundary logs indicating communication with foreign IP addresses, a ransom note sample, exchanges with CL0P group members, Bitcoin wallet details, decryptor files, or a harmless encrypted file sample.
It has warned the MOVEit Transfer SQL injection vulnerability victims against paying ransom.
“The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered,” said a joint alert.
“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
