Turns out the Cl0p ransomware group sat on a zero-day vulnerability it discovered in Progress Software's MOVEit Transfer file transfer app for nearly two years before starting to exploit it — which it did with devastating effect earlier this month.

Over that holding period, members of the group periodically launched waves of malicious activity against vulnerable systems to test their access to organizations and to identity the ones to target.

"The analogy I have been using is turning the doorknob, seeing it turn, then walking away knowing I can come back later, open the door, and walk through it," says Scott Downie, associate managing director at Kroll's Cyber Risk Business. "It can also be interpreted as them identifying potential targets," he says.

Experimenting With a MOVEit Exploit for Nearly 2 Years

Researchers at Kroll Threat Intelligence, who investigated the recent attacks, found evidence showing Cl0P actors experimenting with ways to exploit the MOVEit Transfer vulnerability as far back as July 2021. Kroll's review of Microsoft Internet Information Services (IIS) logs belonging to clients impacted in the attacks unearthed evidence of the threat actors conducting similar activity in April 2022 and twice last month, just days before the attacks.

The telemetry suggests the threat actors were testing access to vulnerable MOVEit Transfer clients and attempting to retrieve information that could help them identity the organizations where it was installed. Much of the malicious reconnaissance and testing activity in the early stages — in July 2021 — appears to have been manual in nature. But starting April 2022, Cl0p actors began using an automated mechanism for probing multiple organizations at the same time and collecting information from them. 

The last of the testing activity — before mass exploitation began — was in May and appeared designed to extract the unique "Org ID" identifier associated with each MOVEit Transfer user. The information could have helped the attackers categorize the organizations they could access, Kroll said. The company's analysis of the IP addresses associated with the malicious activity showed them to be located in Russia and the Netherlands, Downie says.

"CVE-2023-34362 is a multi-stage process of exploitation" Downie notes. "This activity is consistent with the first stage of CVE-2023-34362."

CVE-2023-34362: Why Not Pull the Zero-Day Trigger?

Kroll has concluded with a high degree of confidence that Cl0P actors had a working exploit for the MOVEit vulnerability back in July 2021. But the group likely chose to sit on it for two years for a few reasons, theorizes Laurie Iacono, associate managing director, Cyber Risk Business at Kroll.

In 2021, the same threat actor exploited yet another file-transfer zero-day it discovered, this time in Accellion's File Transfer Appliance. For the rest of 2021 and early 2022, Cl0p was very active in connection with the Accelion FTA breach. So, it likely had its hands full already. 

The threat actor site was then fairly inactive during much of 2022 and may even have diverted activities away from extortion for a period, possibly in relation to arrests of Cl0p members in 2021, Iacono says. The Ukraine/Russia conflict which slowed down overall ransomware activity in early to mid 2022, may also have been a factor, she says.

"Cl0p was originally classified as FIN11 [and was] known for POS malware attacks, etc.," Iacono says. "They entered the ransomware game during the 'boom' of 2020/2021. But it stands to reason their group has a diversified portfolio of cybercrime services it leverages, not just ransomware extortion."

What We Know About the MOVEit Attacks

By way of background, vendor reports of attack activity targeting a SQL injection vulnerability in MOVEit Transfer began surfacing on June 1. Researchers at Mandiant and other vendors who investigated the attacks found the threat actor exploiting the flaw to steal data from customers of Progress Software's app. Some surmised — correctly — that the attacks and data theft were a precursor to ransom demands.

On June 4, Microsoft attributed the attacks to the Cl0P ransomware group (which the company tracks as "Lace Tempest," and which is known to be related to the TA505 threat group) as the first reports of organizations victimized by the attacks began to roll in. So far, the list has included BBC, British Airways, and the government of Nova Scotia. Cl0p itself has claimed hundreds of victims. The US Cybersecurity and Information Security Agency on June 7 warned of potentially widespread impact: "Due to the speed and ease with which TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks."

MOVEit is a managed file transfer app that thousands of organizations, including giants like Disney, Chase, GEICO, and US federal agencies use to transfer sensitive data and large files. Such apps have become a popular target for attackers because of the access they provide to the kind of data that organizations are likely willing to pay for, to prevent it from getting leaked or locked up in a ransomware attack. 

File transfer attacks are hot for this group: In addition to MOVEit and Accelion, Cl0p threat actors in February exploited a zero-day flaw in Fortra's GoAnywhere MFT to extort customers of the managed file transfer product.