CL0P Ransomware Gang Exploits MOVEit Vulnerability
CVE-2023-34362 MOVEit Transfer Vulnerability
According to CISA, the CL0P ransomware gang has exploited a SQL injection vulnerability, identified as CVE-2023-34362, in the popular MOVEit Transfer managed file transfer tool by Progress Software. The internet-facing MOVEit application was infected with a web shell, which was then used to exfiltrate data from various MOVEit databases.
The FBI and CISA advise that the risk can be mitigated by following these basic best practices:
- Inventory all assets in your enterprise and produce an inventory of authorized and unauthorized applications.
- Grant administrative privileges only when absolutely necessary.
- Perform regular and routine monitoring of network traffic.
- Perform regular patching and software updates as part of a patching policy.
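The intrusion described above combined an unexpected server-side script (the web shell) on an internet-facing application with large volumes of data leaving through it. A practical way to act on the "monitor network traffic" advice is to compare web server access logs against an inventory of the application's known endpoints and flag anything outside that baseline, especially when it is receiving POST requests or returning unusually large responses. The following Python script is an added example written for this page; it is not CISA's, the FBI's, or Progress Software's code. The log lines, IP addresses, endpoint paths (including `/unexpected-handler.aspx`), the `KNOWN_ENDPOINTS` baseline and the 1 MB threshold are all constructed for illustration and are not indicators from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample access log in a Common Log Format-like shape.
# Hosts, paths and sizes are hypothetical; none are indicators from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2023:10:00:01 +0000] "GET /api/v1/folders HTTP/1.1" 200 1820
203.0.113.10 - - [01/Jun/2023:10:00:05 +0000] "POST /api/v1/token HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2023:10:02:13 +0000] "POST /unexpected-handler.aspx HTTP/1.1" 200 95
198.51.100.7 - - [01/Jun/2023:10:02:20 +0000] "GET /unexpected-handler.aspx?f=all HTTP/1.1" 200 7340032
203.0.113.22 - - [01/Jun/2023:10:03:00 +0000] "GET /app/login.aspx HTTP/1.1" 200 4096
"""

# Baseline of endpoints the application is known to serve (assumed; in practice this
# comes from the application's own inventory or a capture taken from a clean install).
KNOWN_ENDPOINTS = {"/api/v1/folders", "/api/v1/token", "/app/login.aspx"}

# Responses at or above this size from an unknown endpoint are treated as possible
# bulk data transfer. The value is an assumption and should be tuned per deployment.
LARGE_RESPONSE_BYTES = 1_000_000

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Strip the query string so the path can be compared against the baseline.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_suspicious(log_text, known=KNOWN_ENDPOINTS, threshold=LARGE_RESPONSE_BYTES):
    """Flag requests to endpoints outside the known baseline.

    Returns (findings, bytes_by_source): a list of flagged requests with the reasons
    they were flagged, and the total bytes served per client IP from unknown endpoints,
    which helps spot a single source pulling a large volume of data.
    """
    findings = []
    bytes_by_source = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] in known:
            continue
        reasons = ["endpoint not in baseline"]
        if rec["method"] == "POST":
            reasons.append("POST to unknown endpoint")
        if rec["bytes"] >= threshold:
            reasons.append("large response from unknown endpoint")
        bytes_by_source[rec["ip"]] += rec["bytes"]
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "bytes": rec["bytes"],
            "reasons": reasons,
        })
    return findings, dict(bytes_by_source)


if __name__ == "__main__":
    hits, totals = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["ip"]} {h["method"]} {h["path"]} '
              f'{h["bytes"]}B: {", ".join(h["reasons"])}')
    for ip, total in totals.items():
        print(f"{ip}: {total} bytes served from endpoints outside the baseline")
```

The baseline check is only as good as the endpoint inventory behind it, which is the same point the first bullet above makes about knowing what is authorized; the byte totals per source are there because a web shell used for exfiltration tends to show up as one client pulling far more data than any legitimate user of the same application.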
The CL0P ransom note, courtesy of CISA:
Hello, this is the CL0P hacker group. As you may know, we recently carried out a hack, which was reported in the news on site [redacted]. We want to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a full list of files as evidence. We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us on [redacted] by searching for CLOP hacker group. You can contact us using the following contact information: unlock@rsv-box[.]com and unlock@support-mult[.]com