MOVEit Strikes With All Its Power

Tags: win.clop, TA505, Clop, Ransomware, MOVEit, MOVEit Transfer
A new wave of mass attacks targeting the popular managed file transfer product MOVEit Transfer has been linked by security researchers to the Clop ransomware gang. The exploited vulnerability allows attackers to gain unauthorized access to the database behind an affected MOVEit Transfer server.

Indicators of Compromise

dojustit.mooo.com

APT Groups (1)

TA505 (Russian Federation)
Aliases: Gold Evergreen, Chimborazo, ATK 103, Gold Tahoe, Graceful Spider, Spandex Tempest, SectorJ04, TA505, Hive0065, TEMP.Warlock

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations:
To ensure the security of MOVEit Transfer servers and prevent exploitation, Progress Software recommends administrators implement the following measures:

Block inbound HTTP and HTTPS traffic (TCP ports 80 and 443) to the MOVEit Transfer server at the firewall, or restrict it to an explicit allow list of trusted sources. This prevents external access to the web user interface (UI) and also stops some MOVEit Automation tasks, the APIs, and the Outlook MOVEit Transfer plugin from working. File transfers over SFTP and FTP/S remain available and are not affected by the block.

Inspect the C:\MOVEit Transfer\wwwroot\ folder for unexpected files, such as backups or large file downloads. The presence of such files may indicate that data has been staged for theft.

Progress has published no further details on the zero-day vulnerability. Given the ports it recommends blocking and the specific folder it singles out for unusual files, the flaw is most likely reachable through the web-facing interface.
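The following PowerShell script is an added example that applies the two interim measures above on a Windows MOVEit Transfer host; it is not Progress Software's code. It assumes the default install path C:\MOVEit Transfer\wwwroot, a seven-day lookback window for recently written files and a 100 MB threshold for "large" files; the rule name, lookback and threshold are arbitrary and should be adjusted to the environment. Run it from an elevated PowerShell session on the server.

```powershell
# Added example, not from Progress Software: interim MOVEit Transfer mitigation
# and wwwroot triage. Assumptions: default install path, 7-day lookback,
# 100 MB "large file" threshold. Run as Administrator.
param(
    [string]$WwwRoot      = 'C:\MOVEit Transfer\wwwroot',
    [int]$LookbackDays    = 7,
    [long]$LargeFileBytes = 100MB
)

# --- 1. Deny inbound HTTP/HTTPS at the host firewall ----------------------
# Block rules take precedence over allow rules in Windows Defender Firewall,
# so this overrides the IIS "World Wide Web Services" allow rules without
# deleting them. SFTP (22) and FTPS (990) are not touched and keep working.
$ruleName = 'MOVEit Transfer - deny HTTP/HTTPS (interim mitigation)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 80,443 `
        -RemoteAddress Any -Action Block -Profile Any | Out-Null
}
# Verify the rule exists and is enabled before trusting it.
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action

# --- 2. Triage wwwroot for unexpected files -------------------------------
$since = (Get-Date).AddDays(-$LookbackDays)
$files = Get-ChildItem -Path $WwwRoot -Recurse -File -Force -ErrorAction SilentlyContinue

# (a) Recently written files: a dropped web shell or a freshly staged archive.
$recent  = @($files | Where-Object { $_.LastWriteTime -ge $since })

# (b) Large files: bulk exports or backup archives staged for exfiltration.
$large   = @($files | Where-Object { $_.Length -ge $LargeFileBytes })

# (c) Server-executable files: wwwroot should contain only what the installer
#     put there, so any .aspx/.ashx/.asmx/.asax/.dll you do not recognise
#     deserves a closer look against a known-good installation.
$webExec = @($files | Where-Object { $_.Extension -in '.aspx','.ashx','.asmx','.asax','.dll' })

$report = foreach ($f in ($recent + $large + $webExec | Sort-Object FullName -Unique)) {
    [pscustomobject]@{
        Path          = $f.FullName
        SizeMB        = [math]::Round($f.Length / 1MB, 2)
        LastWrite     = $f.LastWriteTime
        Sha256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Recent        = $recent  -contains $f
        Large         = $large   -contains $f
        WebExecutable = $webExec -contains $f
    }
}

$report | Sort-Object LastWrite -Descending | Format-Table -AutoSize
# Keep a copy for the incident record and for hash lookups against a baseline
# or threat intelligence.
$report | Export-Csv -Path "$env:TEMP\moveit-wwwroot-triage.csv" -NoTypeInformation
```

The firewall rule deliberately denies all sources, matching the vendor's interim advice; an allow-list variant would instead keep the default inbound action at Block and add a single Allow rule scoped with -RemoteAddress to the trusted ranges. The triage output is a starting point for review, not a verdict: compare the SHA-256 values and paths against a clean installation of the same MOVEit Transfer version before deciding what is foreign.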

Reports & References (2)

Observed Countries (28)

AR (840)
BE (196)
BO (892)
BR (992)
CA (523)
CH (902)
CL (736)
CO (623)
CR (106)
CU (840)
DE (174)
DK (746)
DO (260)
EC (446)
GB (735)
GT (866)
GY (277)
IE (875)
MX (739)
NL (746)
PR (89)
PY (744)
RU (635)
SV (677)
TR (925)
US (758)
UY (789)
VE (315)