Huntress posted a blog discussing its research into the recent spate of MOVEit vulnerabilities, including a previous zero day (CVE-2023-34362) and how criminal groups have been utilizing it in their operations. One of the key observations notes that while the Cl0p ransomware group has been widely exploiting the vulnerability, its primary activity has been to install a webshell for backdoor access and hasn’t yet deployed ransomware in any attack exploiting the vulnerability.

Upon gaining initial access to networks, as of this writing researchers are not aware of any known instances where Cl0p attempted to gain full network compromise. This activity, combined with a “steady drumbeat” of new MOVEit-related victims on Cl0p’s data breach victim website, suggests that Cl0p has compromised so many organizations that the group is using simpler tactics to monetize as many of those opportunities as possible before organizations address the vulnerability. As stated by Huntress, this notably follows the same observed behavior from a similar Cl0p-led campaign against managed file transfer (MFT) services: exploitation of the GoAnywhere MFT leading to data exfiltration, but no public evidence of network encryption. Read more at SC Magazine.

Analyst Comment (Jennifer Lyn Walker): Exploiting vulnerabilities on devices left unpatched is nothing new for ransomware groups. This current behavior by Cl0p has not (yet) resulted in full network encryption, thus omitting the hassle for victims of having to decrypt data to restore it. However, this should not be viewed as a reduced risk, as Cl0p is still demonstrating a high level of successful exploitation and data exposure, according to its leak site. Cl0p’s recent behavior is a reminder that a successful ransomware incident does not have to involve an encryption component and emphasizes the importance of timely patching.