Details continue to emerge after Progress Software announced it had found a vulnerability in its MOVEit Transfer file transfer platform — a vulnerability that an infamous ransomware gang had already taken full advantage of days before the announcement.
Progress shared the news on 31 May, but a then-unknown threat actor had already been exfiltrating data from MOVEit users for days beforehand. As it turns out, the Clop ransomware gang was behind the very likely opportunistic campaign and has already contacted many of its victims to begin negotiations.
“Clop is one of top organization offer penetration testing service after the fact,” Clop’s ransom notice read, complete with poorly written English. “This is announcement to educate companies who use progress MOVE1t [sic] product that chance is that we download alot of your data as part of exception, exploit we are the only one who perform such attack and relax because your data is safe.”
The notice goes on to explain how victims can contact Clop and the process for having their data securely erased. The gang claims that it will absolutely erase data, as well as provide proof of the data it holds. The note also states what will happen if payment is not arranged.
“You have 3 day to discuss price and if no agreement you custom page will be created … after 7 days all you data will start to be publication,” the note read.
“You chat will close after 10 not productive day and data will be publish.”
While a number of companies have reported they have fallen victim, including the BBC, the Boots chemist chain, and British Airways, security researchers at SentinelOne have observed over 20 organisations that have been affected by the hack. The affected organisations come from a range of sectors — including aviation and transport, financial services, healthcare, manufacturing, and publishing.
It is believed the vulnerability was found using port scanning or the Shodan indexing service.
In the meantime, both the FBI and CISA have released a range of advisories on the vulnerability and how to mitigate it. Here are the key actions to take:
“FBI and CISA encourage organisations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Clop ransomware and other ransomware incidents,” the CISA advisory read.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.