CL0P ransomware operators are extorting hundreds of companies after hacking into their servers to steal valuable data, in what is shaping up to be a massive supply-chain incident.
Criminals have been exploiting a critical flaw in Progress Software’s popular file transfer tool MOVEit since May, opening up those who use it to dangerous cyber intrusions.
In a June 1 advisory, the tool’s makers warned that the vulnerability, tracked as CVE-2023-34362, could lead to escalated privileges and unauthorized access to the environments of those who use it.
“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch,” the advisory said.
For many, the warning came too late, while others failed to take the actions needed to defend their systems from attacks.
The infamous CL0P ransomware crew took full advantage of the situation, hacking into hundreds of companies that relied on MOVEit to transfer files back and forth, according to reports across the infosec community.
CL0P published an extortion note on Wednesday morning claiming to have pilfered valuable data from “hundreds” of companies. The note instructs those who know they have been hacked to contact the group and begin negotiating a ransom. Victim companies have until June 14 to comply. Once the negotiation starts, a victim has just three days to decide on the ransom sum. CL0P threatened to leak the stolen data if negotiations fail.
Several organizations have already confirmed falling victim to CL0P’s wrath, including UK payment service provider Zellis, the BBC, British Airways and Aer Lingus; the Canadian province of Nova Scotia (most notably, the Nova Scotia Health and the IWK Health Centre); and the University of Rochester in the US state of New York.
A software patch is available for system administrators to address the exploited flaw.
In a joint advisory, CISA and the FBI are urging IT administrators to review the MOVEit Transfer advisory and implement the mitigations to reduce the risk of compromise. The document also disseminates known CL0P ransomware indicators of compromise and common tactics of the hacking crew.
Considering the scale of the incident, many more organizations are likely to emerge as victims of this critical vulnerability.