MOVEit Transfer Vulnerability (CVE-2023-34362) | Kroll | #ransomware | #cybercrime

NOTE: The MOVEit Transfer vulnerability remains under active exploitation, and Kroll experts are investigating. Expect frequent updates to the Kroll Cyber Risk blog as our team uncovers more details.


On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). Kroll previously provided guidance on steps to mitigate risks associated with this critical vulnerability, which allows attackers to gain unauthenticated access to MOVEit Transfer servers.


Subsequent Kroll analysis of this exploitation has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.


This finding illustrates the sophisticated knowledge and planning that go into mass exploitation events such as the MOVEit Transfer cyberattack. According to these observations, the Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023 but chose to execute the attacks sequentially instead of in parallel.


Timeline


Kroll’s initial analysis of clients impacted by the MOVEit Transfer vulnerability indicated a broad swath of activity associated with the vulnerability on or around May 27 and 28, 2023, just days prior to Progress Software’s public announcement of the vulnerability on May 31, 2023.


This time frame coincided with the observation of Memorial Day weekend in the U.S., reinfo ..
