CVE-2023-34362: Signs of Clop & MOVEit Dates Back to 2021


Category: Vulnerability | Industry: Global | Sources: BleepingComputer, Huntress, Kroll

Analysis of the MOVEit Transfer vulnerability CVE-2023-34362 indicates that it appears to have been primed for exploitation since 2021. Researchers from Kroll correlated activity across compromised client environments and noticed patterns showing that the Clop operators had meticulously planned the automated mass exploitation of the vulnerability. "Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021." A key indicator of the organized attack was network traffic in which GET requests were made for the target's org_id. "This collection of the Org ID would allow for victim categorization and data inventorying by Clop on a per-exfiltration operation," said Kroll.

A historical review of logs showed several IP addresses initiating GET requests for the value of an organization ID. Kroll explains the "observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022, May 15–16, 2023, and May 22, 2023, indicating actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing." Kroll observed a significant increase in the scale of requests on May 15th, 2023, leading up to the commencement of exploitation attacks on May 15th, 2023. This pattern aligned with previous instances of manually executed commands targeting MOVEit Transfer servers in July 2021, suggesting the ransomware gang waited until it possessed the necessary tools to execute the final attack in late May 2023.
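The hunt Kroll describes, reduced to code as an added example (not from Kroll, Anvilogic or the original brief): parse IIS W3C extended logs and group GET requests that reference org_id by client IP and day, so that the per-IP bursts and the set of org IDs pulled stand out. The log lines, URI paths and IP addresses are constructed placeholders, not real MOVEit Transfer paths or indicators.

```python
import urllib.parse
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real MOVEit data);
# the URI stem /api/v1/orgs and the IP addresses are placeholders.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-07-03 02:11:09 10.0.0.5 GET /index.html - 198.51.100.7 Mozilla/5.0 200
2022-04-27 04:02:15 10.0.0.5 GET /api/v1/orgs org_id=1 203.0.113.10 python-requests/2.27 200
2022-04-27 04:02:16 10.0.0.5 GET /api/v1/orgs org_id=1 203.0.113.10 python-requests/2.27 200
2023-05-15 01:00:01 10.0.0.5 GET /api/v1/orgs org_id=1 203.0.113.44 python-requests/2.28 200
2023-05-15 01:00:02 10.0.0.5 GET /api/v1/orgs org_id=2 203.0.113.44 python-requests/2.28 200
2023-05-15 01:00:03 10.0.0.5 GET /api/v1/orgs org_id=3 203.0.113.44 python-requests/2.28 200
2023-05-15 09:30:00 10.0.0.5 POST /api/v1/upload - 203.0.113.44 Mozilla/5.0 200
"""

def parse_iis_log(text):
    """Parse IIS W3C extended log text into a list of field->value dicts."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed or truncated line
        records.append(dict(zip(fields, values)))
    return records

def org_id_probes(records):
    """Group GET requests carrying an org_id parameter by (client IP, date):
    the per-IP, per-day bursts and org_id values Kroll describes in IIS logs."""
    probes = defaultdict(lambda: {"requests": 0, "org_ids": set()})
    for r in records:
        if r.get("cs-method") != "GET":
            continue
        query = r.get("cs-uri-query", "-")
        params = urllib.parse.parse_qs("" if query == "-" else query)
        if "org_id" not in params:
            continue
        key = (r["c-ip"], r["date"])
        probes[key]["requests"] += 1
        probes[key]["org_ids"].update(params["org_id"])
    return {k: {"requests": v["requests"], "org_ids": sorted(v["org_ids"])}
            for k, v in sorted(probes.items())}
```

Calling `org_id_probes(parse_iis_log(SAMPLE_IIS_LOG))` returns one entry per (IP, day) pair; a single source pulling several distinct org IDs in seconds is the pattern worth pivoting on.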

BleepingComputer has confirmed with a Clop representative that the ransomware gang has been actively abusing the MOVEit vulnerability, CVE-2023-34362, to target organizations for data theft and extortion. The Clop representative confirmed they have been exploiting MOVEit since May 27th, 2023, taking advantage of the long US holiday weekend. In Clop's email communication to BleepingComputer, the ransomware gang claims to have deleted data belonging to government agencies, the military, and children’s hospitals. The Clop ransomware gang notified victims through extortion notices that it expects communication from them by June 14th, 2023. Claiming to have breached "hundreds of companies," the ransomware gang may begin posting and showing proof of their exploits in the coming days.

Anvilogic Scenario:

  • Server Process Spawns Executable/Meterpreter

Anvilogic Use Cases:

  • Potential Web Shell
  • Web: Potential XSS and SQLi
  • Shell Spawned by Web Server - Windows
