According to Ofcom, the UK Communications Authority, confidential information regarding companies under its regulation and personal data of over 400 employees were stolen by the Clop ransomware gang, which exploited a vulnerability in MOVEit Transfer.
Ofcom, the approved regulator of communications services in the UK, is primarily responsible for overseeing broadcasting, telecommunications, and postal industries.
The vulnerability in MOVEit Transfer is a SQL injection flaw: it lets unauthorized attackers gain access to the MOVEit Transfer database and, from there, execute arbitrary code on the server.
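The SQL injection class described above, as an added illustration that is not MOVEit Transfer's code or the vendor's fix: a user lookup written with string concatenation beside its parameterized form, both run against a constructed in-memory SQLite table, followed by a small request-log check of the kind a defender might run over web server logs to spot injection probes. The table, the sample requests and the regular expressions are all constructed for this example and make no claim about MOVEit's schema, endpoints or the actual exploit.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote, urlparse


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for an application's user table (not MOVEit's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Attacker-controlled input is pasted into the SQL text, so the database
    # cannot distinguish data from query structure. This is the weak pattern.
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever treated as a string literal, never as SQL.
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run the same benign and hostile inputs through both lookups."""
    conn = build_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # textbook probe that makes the WHERE clause true for every row
    return {
        "vulnerable_benign": lookup_user_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_user_vulnerable(conn, hostile),  # leaks every row
        "safe_benign": lookup_user_safe(conn, benign),
        "safe_hostile": lookup_user_safe(conn, hostile),  # no such user, empty result
    }


# Constructed detection patterns for query-string values; tune to your own traffic.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\d*'?\s*=", re.I),        # ' OR '1'='1 style tautology
    re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),  # stacked statement
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),    # UNION-based extraction
    re.compile(r"(--|#)\s*$"),                             # trailing SQL comment terminator
]


def flag_request(url: str) -> list:
    """Return the names of query parameters whose decoded values match an injection pattern."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for value in values:
            if any(p.search(unquote(value)) for p in SQLI_PATTERNS):
                hits.append(name)
                break
    return hits


def scan_log(lines: list) -> list:
    """Return (line_number, flagged_params) for each constructed access-log line that looks like a probe."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        # Minimal access-log shape: method, path, status. Constructed, not a real server format.
        parts = line.split()
        if len(parts) < 2:
            continue
        flagged = flag_request(parts[1])
        if flagged:
            findings.append((idx, flagged))
    return findings


# Constructed sample log lines; none of these are real MOVEit requests.
SAMPLE_LOG = [
    "GET /api/v1/files?folder=reports 200",
    "GET /api/v1/files?folder=x'%20OR%20'1'%3D'1 200",
    "GET /api/v1/search?q=quarterly+results 200",
    "GET /api/v1/users?name=a'%20UNION%20SELECT%20username%2Crole%20FROM%20users-- 500",
]


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
```

The contrast is the whole point: the concatenated version returns all three rows for the hostile input, while the parameterized version returns nothing because the input is matched literally. The log check is a coarse first-pass signal for triage, not a substitute for patching; a real web application firewall or detection rule set needs broader coverage and false-positive tuning.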
MOVEit Transfer is a widely used managed file transfer product for secure file exchange between organizations and their partners. It has been actively targeted by the Clop group, which is known for stealing data from prominent government, financial, media, aviation, and medical entities.
Notable companies such as Chase, Disney, GEICO, and MLB are among the customers utilizing MOVEit Transfer, which is employed by 1,700 software companies and serves 3.5 million developers.
Clop Ransomware Gang: Targeting MOVEit Transfer and Exploiting Zero-Day Vulnerabilities
The exploitation of the zero-day vulnerability in MOVEit Transfer resembles the previous large-scale attacks on file transfer platforms such as Fortra GoAnywhere MFT in January 2023 and Accellion FTA in December 2020. These platforms, now including MOVEit Transfer, have all fallen victim to the Clop ransomware gang, indicating the group's preference for targeting managed file transfer (MFT) services.
Experts point out that Clop hackers are constantly seeking new vulnerabilities, exploits, and alternative intrusion methods. Clop is even known to act as an initial access broker (IAB) for other hacker groups, albeit for a fee. This further demonstrates the extensive experience these cybercriminals have in compromising systems.
The attack on the MOVEit Transfer service commenced on May 27, coinciding with the extended Memorial Day holiday in the US. The incident exposed numerous organizations that had fallen victim to data theft. Microsoft Threat Intelligence experts initially suggested the involvement of Clop in the attack, and later the perpetrators themselves claimed responsibility through popular media outlets.