The Cl0p Ransomware Gang, active since at least February 2019, has become a significant player in the cybercrime landscape. It operates as a ransomware-as-a-service (RaaS), participates in affiliate programs, brokers initial access to compromised networks, and collaborates with other actors in the ecosystem.
By exploiting the SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, the Cl0p Ransomware Gang demonstrates its relentless pursuit of zero-day exploits in internet-facing applications to maximize their extortion capabilities.
It is not the first time Cl0p has targeted managed file transfer applications, as it has previously conducted mass exploitation attacks on Accellion FTA and GoAnywhere MFT. Recent observations by attack surface management firm Censys reveal a decrease in exposed MOVEit Transfer instances.
However, high-profile organizations, including Fortune 500 companies, state, and federal government agencies, remain at risk, particularly in the finance, technology, and healthcare sectors.
In its analysis, Kroll discovered evidence suggesting that Cl0p threat actors experimented with exploiting this specific flaw as early as July 2021, indicating their advanced technical expertise and meticulous planning.
It is alarming that this marks the third instance in three years where the Cl0p ransomware group has exploited zero-day vulnerabilities in web applications for extortion, targeting products that claim to prioritize security.
The joint advisory serves as a vital warning for organizations to address the vulnerability promptly and enhance their security measures to protect against such sophisticated attacks.
