CISA and the FBI released a joint Cybersecurity Advisory (CSA) CL0P Ransomware Gang Exploits MOVEit Vulnerability in response to the recent vulnerability exploitation attributed to the CL0P Ransomware Gang. The CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as recently as May this year. Additionally, it provides immediate actions to help reduce the impact of CL0P ransomware.

The CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. CISA and FBI encourage information technology (IT) network defenders to review the MOVEit Transfer Advisory (AA23-158A) and implement the recommended mitigations to reduce the risk of compromise.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.