CL0P Ransomware Gang Exploits MOVEit Vulnerability

CVE-2023-34362 MOVEit Transfer Vulnerability

According to CISA, the CL0P ransomware gang has exploited a SQL injection vulnerability, identified as CVE-2023-34362, in the popular MOVEit Transfer managed file transfer tool by Progress Software. The internet-facing MOVEit application was infected with a web shell, which was then used to exfiltrate data from various MOVEit databases.
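A web shell dropped onto an internet-facing server is, from the file system's point of view, simply a new or modified server-side script in the application's content directory. The following is an added example, not code from CISA, Progress Software or the original post, of a minimal file-integrity check that baselines a web root and reports exactly those changes. The web root layout, the script suffixes that are flagged, and the sample files are all constructed for the demonstration.

```python
"""Added example: file-integrity check for a web application's content
directory, a control that surfaces a dropped web shell after an
injection flaw has been exploited. The web root, the flagged suffixes
and the files below are constructed assumptions, not from the advisory."""
import hashlib
import json
import tempfile
from pathlib import Path

# Server-side file types an attacker would need to drop to get code execution
# through the web server; new or changed files with these suffixes are triaged first.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".dll"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map every file (path relative to web_root) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(web_root).as_posix()] = sha256_of(path)
    return baseline


def compare_to_baseline(web_root: Path, baseline: dict) -> dict:
    """Return files added, modified or removed since the baseline, plus the
    subset of added/modified server-side scripts that deserve immediate review."""
    current = build_baseline(web_root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = sorted(
        p for p in added + modified if Path(p).suffix.lower() in SCRIPT_SUFFIXES
    )
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: baseline a clean web root, simulate a dropped
    script and a tampered page, then report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "wwwroot"          # assumed web root
        (web_root / "app").mkdir(parents=True)
        (web_root / "index.html").write_text("<html>ok</html>")
        (web_root / "app" / "handler.aspx").write_text("<%@ Page %>")
        (web_root / "app" / "logo.png").write_bytes(b"\x89PNG")

        baseline = build_baseline(web_root)
        # In production the baseline is persisted off-host (e.g. as JSON) so a
        # compromised server cannot rewrite its own reference.
        json.dumps(baseline)

        # Simulate post-compromise changes (constructed, not real artifacts).
        (web_root / "app" / "dropped.aspx").write_text("<% /* constructed */ %>")
        (web_root / "app" / "handler.aspx").write_text("<%@ Page %><!-- changed -->")
        (web_root / "app" / "notes.txt").write_text("benign")

        return compare_to_baseline(web_root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken from a known-good state (a fresh install or immediately after a verified patch) and re-taken after every legitimate update; otherwise the check only tells you the directory changed, not whether the change was yours.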

FBI and CISA are advising that the risk can be mitigated by performing the following basic best practices:

  • Inventory all assets in your enterprise and produce an inventory of authorized and unauthorized applications.
  • Only grant administrative privileges when absolutely necessary.
  • Perform regular and routine monitoring of network traffic.
  • Perform regular patching and software updates as part of a patching policy.
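Routine network-traffic monitoring catches the exfiltration stage of the attack described above when a server that normally sends little data outbound suddenly pushes a database's worth. The script below is an added example, not from CISA or the original post, that compares each host's outbound byte volume in the current window against its own history and reports the hosts, and the destinations, that stand out. The flow records and their four-field layout (hour, source, destination, bytes out) are constructed stand-ins for whatever NetFlow, IPFIX or firewall export an environment actually produces.

```python
"""Added example: per-host outbound volume anomaly detection over
constructed flow records. The record format and all addresses/volumes
below are assumptions, not data from the advisory."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: "<hour>,<src>,<dst>,<bytes_out>". 10.0.0.5 is the
# internet-facing application server, 10.0.0.6 a quiet host, 10.0.0.9 a
# backup server with a large but steady outbound volume.
FLOW_LOG = """\
1,10.0.0.5,203.0.113.10,120000
2,10.0.0.5,203.0.113.10,110000
3,10.0.0.5,203.0.113.10,130000
4,10.0.0.5,203.0.113.10,125000
5,10.0.0.5,203.0.113.10,115000
5,10.0.0.5,198.51.100.7,9500000
1,10.0.0.6,203.0.113.10,300000
2,10.0.0.6,203.0.113.10,310000
3,10.0.0.6,203.0.113.10,290000
4,10.0.0.6,203.0.113.10,305000
5,10.0.0.6,203.0.113.10,320000
1,10.0.0.9,203.0.113.20,50000000
2,10.0.0.9,203.0.113.20,50000000
3,10.0.0.9,203.0.113.20,50000000
4,10.0.0.9,203.0.113.20,50000000
5,10.0.0.9,203.0.113.20,52000000
"""


def parse_flows(text: str) -> list:
    """Parse the constructed CSV-style records into (hour, src, dst, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        hour, src, dst, nbytes = line.split(",")
        flows.append((int(hour), src, dst, int(nbytes)))
    return flows


def hourly_outbound(flows: list) -> dict:
    """Total outbound bytes per source host per hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, nbytes in flows:
        totals[src][hour] += nbytes
    return totals


def find_anomalies(flows: list, current_hour: int, z_threshold: float = 3.0,
                   min_bytes: int = 1_000_000) -> dict:
    """Flag hosts whose outbound volume in current_hour is far above their
    own prior hours. min_bytes suppresses noise from small hosts; a flat
    history (sigma == 0) falls back to a simple multiple-of-mean rule."""
    totals = hourly_outbound(flows)
    findings = {}
    for host, by_hour in totals.items():
        history = [b for h, b in by_hour.items() if h < current_hour]
        current = by_hour.get(current_hour, 0)
        if len(history) < 3 or current < min_bytes:
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0:
            z = (current - mu) / sigma
        else:
            z = float("inf") if current > 3 * mu else 0.0
        if z >= z_threshold:
            # Attribute the spike to destinations so responders know where it went.
            dests = defaultdict(int)
            for hour, src, dst, nbytes in flows:
                if src == host and hour == current_hour:
                    dests[dst] += nbytes
            findings[host] = {
                "current": current,
                "baseline_mean": mu,
                "z": round(z, 1),
                "destinations": sorted(dests.items(), key=lambda kv: -kv[1]),
            }
    return findings


def demo() -> dict:
    return find_anomalies(parse_flows(FLOW_LOG), current_hour=5)


if __name__ == "__main__":
    for host, info in demo().items():
        print(host, info)
```

Comparing each host against its own baseline rather than a global threshold is what keeps the backup server out of the findings: its 52 MB hour is large in absolute terms but ordinary for that host, while the application server's jump from roughly 120 KB to over 9 MB is not.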

The CL0P ransom note, courtesy of CISA:

Hello, this is the CL0P hacker group. As you may know, we recently carried
out a hack, which was reported in the news on site [redacted].
We want to inform you that we have stolen important information from your
GoAnywhere MFT resource and have attached a full list of files as evidence.
We deliberately did not disclose your organization and wanted to negotiate
with you and your leadership first. If you ignore us, we will sell your
information on the black market and publish it on our blog, which receives
30-50 thousand unique visitors per day. You can read about us on [redacted]
by searching for CLOP hacker group.
You can contact us using the following contact information:
unlock@rsv-box[.]com
and
unlock@support-mult[.]com