{"id":1409,"date":"2023-06-07T20:00:00","date_gmt":"2023-06-07T20:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=74666"},"modified":"2023-06-07T20:00:00","modified_gmt":"2023-06-07T20:00:00","slug":"us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/06\/07\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks\/","title":{"rendered":"US cyber officials offer technical details associated with CL0P ransomware attacks"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>US cyber officials offer technical details associated with CL0P ransomware attacks | CyberScoop<\/title> <meta name=\"description\" content=\"CISA and the FBI offered details to help organizations protect themselves against the group that has claimed hundreds of victims.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-cl0p-ransomwarae-moveit-transfer-attack\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"US cyber officials offer technical details associated with CL0P ransomware attacks\"> <meta property=\"og:description\" content=\"CISA and the FBI offered details to help organizations protect themselves against the group that has claimed hundreds of victims.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-cl0p-ransomwarae-moveit-transfer-attack\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-06-07T20:00:00+00:00\"> <meta 
property=\"article:modified_time\" content=\"2023-06-07T20:12:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1684764845g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1685979298g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1685981853g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=172264176d4de0f97962\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/74666\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<link rel=\"wlwmanifest\" type=\"application\/wlwmanifest+xml\" href=\"https:\/\/cyberscoop.com\/wp-includes\/wlwmanifest.xml\">\n<meta name=\"generator\" content=\"WordPress 6.2.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=74666\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-cl0p-ransomwarae-moveit-transfer-attack%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-cl0p-ransomwarae-moveit-transfer-attack%2F&amp;format=xml\">\n<meta name=\"parsely-title\" content=\"US cyber officials offer technical details associated with CL0P ransomware attacks\"><br \/>\n<meta name=\"parsely-link\" content=\"http:\/\/cyberscoop.com\/cisa-cl0p-ransomwarae-moveit-transfer-attack\/\"><br \/>\n<meta name=\"parsely-type\" content=\"post\"><br \/>\n<meta name=\"parsely-image-url\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?w=150&amp;h=150&amp;crop=1\"><br \/>\n<meta name=\"parsely-pub-date\" content=\"2023-06-07T20:00:00Z\"><br \/>\n<meta name=\"parsely-section\" content=\"Threats\"><br \/>\n<meta name=\"parsely-tags\" content=\"clop,extortion,moveit transfer,ransomware\"><br \/>\n<meta name=\"parsely-author\" content=\"AJ Vicens\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" 
sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-74666 single-format-standard\" id=\"readabilityBody\"> <svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-dark-grayscale\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 0.49803921568627\" \/><feFuncG type=\"table\" tableValues=\"0 0.49803921568627\" \/><feFuncB type=\"table\" tableValues=\"0 0.49803921568627\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-grayscale\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 1\" \/><feFuncG type=\"table\" tableValues=\"0 1\" \/><feFuncB type=\"table\" tableValues=\"0 1\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-purple-yellow\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 
.299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.54901960784314 0.98823529411765\" \/><feFuncG type=\"table\" tableValues=\"0 1\" \/><feFuncB type=\"table\" tableValues=\"0.71764705882353 0.25490196078431\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-blue-red\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 1\" \/><feFuncG type=\"table\" tableValues=\"0 0.27843137254902\" \/><feFuncB type=\"table\" tableValues=\"0.5921568627451 0.27843137254902\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-midnight\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0 0\" \/><feFuncG type=\"table\" tableValues=\"0 0.64705882352941\" \/><feFuncB type=\"table\" tableValues=\"0 1\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-magenta-yellow\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 
.114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.78039215686275 1\" \/><feFuncG type=\"table\" tableValues=\"0 0.94901960784314\" \/><feFuncB type=\"table\" tableValues=\"0.35294117647059 0.47058823529412\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-purple-green\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.65098039215686 0.40392156862745\" \/><feFuncG type=\"table\" tableValues=\"0 1\" \/><feFuncB type=\"table\" tableValues=\"0.44705882352941 0.4\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg><svg viewBox=\"0 0 0 0\" width=\"0\" height=\"0\" focusable=\"false\" role=\"none\"><defs><filter id=\"wp-duotone-blue-orange\"><feColorMatrix color-interpolation-filters=\"sRGB\" type=\"matrix\" values=\" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 \" \/><feComponentTransfer color-interpolation-filters=\"sRGB\"><feFuncR type=\"table\" tableValues=\"0.098039215686275 1\" \/><feFuncG type=\"table\" tableValues=\"0 0.66274509803922\" \/><feFuncB type=\"table\" tableValues=\"0.84705882352941 0.41960784313725\" \/><feFuncA type=\"table\" tableValues=\"1 1\" \/><\/feComponentTransfer><feComposite in2=\"SourceGraphic\" operator=\"in\" \/><\/filter><\/defs><\/svg> <a href=\"https:\/\/cyberscoop.com\/cisa-cl0p-ransomwarae-moveit-transfer-attack\/#main\" class=\"skip-to-content-link 
visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.893939393939\">\n<div class=\"single-article__header-content\" readability=\"30.853658536585\">\n<p> CISA and the FBI offered details to help organizations protect themselves against the group that has claimed hundreds of victims. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=1013,675 1013w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> spectrum abstract <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"48.869493498933\"><body readability=\"98.15021285222\"><\/p>\n<p>The U.S. government\u2019s top cybersecurity agency and the FBI on Wednesday shared technical details associated with the CL0P ransomware group after the group claimed responsibility for infiltrating a popular file sharing service, exposing companies globally to further attacks.<\/p>\n<p>Hackers with the group exploited <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/zero-day-moveit-data-theft\" target=\"_blank\" rel=\"noreferrer noopener\">a previously undetected vulnerability<\/a> in the MOVEit Transfer file transfer software, which the group said it used to attack \u201chundreds of companies\u201d as \u201cpart of exceptional exploit.\u201d CL0P said this week it would give affected companies until June 14 to contact them and begin negotiating a price for their data. 
If a deal can\u2019t be reached within three days, or the company does not get in touch, the group said it will publish the data.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" loading=\"lazy\" width=\"640\" height=\"256\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks.png?resize=640%2C256&#038;ssl=1\" alt class=\"wp-image-74676\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png 1754w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=300,120 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=768,307 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=1024,410 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=1536,615 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=600,240 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=1200,480 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/us-cyber-officials-offer-technical-details-associated-with-cl0p-ransomware-attacks-1.png?resize=1500,600 1500w\" sizes=\"auto, (max-width: 1754px) 100vw, 1754px\"><figcaption class=\"wp-element-caption\">Screenshot from the CL0P leaks website 
(CyberScoop).<\/figcaption><\/figure>\n<p>The CL0P ransomware variant evolved from CryptoMix ransomware, according to the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-158a\" target=\"_blank\" rel=\"noreferrer noopener\">FBI and the Cybersecurity and Infrastructure Security Agency\u2019s Wednesday advisory<\/a>. It started as a typical ransomware-as-a-service platform \u2014&nbsp;where a core group of developers lease access to the malware and other infrastructure to \u201caffiliates\u201d and split any profits \u2014&nbsp;and was known for its double extortion method of stealing and encrypting data and then publishing that data on its leak website. The group is also known to sell access to compromised networks to others \u2014&nbsp;a role known as an initial access broker \u2014&nbsp;and to operate a large botnet specializing in financial fraud and phishing attacks, the advisory said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The group has been tied to compromises of more than 3,000 U.S. organizations and 8,000 worldwide, Wednesday\u2019s advisory said. CL0P <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks\/\">told Bleeping Computer<\/a> that it was moving away from encryption and preferred data theft extortion, the news site reported Tuesday.<\/p>\n<p>CL0P first emerged in 2015 and has been associated with deploying other groups\u2019 malware, but has in recent years been developing custom code, <a href=\"https:\/\/www.secureworks.com\/research\/threat-profiles\/gold-tahoe\" target=\"_blank\" rel=\"noreferrer noopener\">according to cybersecurity firm Secureworks<\/a>. 
The group, which Secureworks tracks as GOLD TAHOE, attacked the Accellion File Transfer Appliance in a pair of attacks in December 2020 and January 2021, affecting a range of downstream targets including <a href=\"https:\/\/cyberscoop.com\/accellion-breach-exposed-data-from-patients-at-major-michigan-hospital-system\/\" target=\"_blank\" rel=\"noreferrer noopener\">hospital records<\/a>, universities, insurance firms and others.<\/p>\n<p>\u201cThe majority of MOVEit Transfer servers are located in the U.S. and the Secureworks Counter Threat Unit is aware of victims in the U.S.,\u201d said Rafe Pilling, director of threat research for the Secureworks CTU. Known victims include several British companies such as <a href=\"https:\/\/www.bbc.com\/news\/technology-65829726\" target=\"_blank\" rel=\"noreferrer noopener\">British Airways, Boots and the BBC<\/a>, who all shared a payroll provider that was a victim of the MOVEit attack, Pilling added. \u201cThis is likely just the tip of the iceberg in terms of potential future data disclosures.\u201d<\/p>\n<p>Censys, a company that tracks internet-connected devices, <a href=\"https:\/\/censys.io\/moveit-transfer\/\" target=\"_blank\" rel=\"noreferrer noopener\">reported June 2 seeing nearly 3,800 MOVEit Transfer<\/a> hosts online across nearly a dozen countries, primarily the U.S., spanning industries including the financial sector, education, U.S. federal agencies and state governments. <\/p>\n<p>\u201cAlthough the exact version of the software cannot be determined with scans, it is highly improbable that all of these hosts have been patched against the newly discovered vulnerability,\u201d the company said in a blog post. 
<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>More recently, in January 2023, CL0P targeted the GoAnywhere file transfer service, claiming more than 130 downstream victims in that attack, <a href=\"https:\/\/techcrunch.com\/2023\/03\/22\/fortra-goanywhere-ransomware-attack\/?guccounter=1&amp;guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&amp;guce_referrer_sig=AQAAAJHwWYNjRrgpETnQT_rIeqtwCxhPziTYz5EdOVP4-8Obij6fqbgi_Kvnt7DeNAP0TeNG_MMW6btpqQp8LHF3eDM4cC70zsXOvl8a_i-7o3zL8Z0-B0QCqGsXFQLEPEii0pidxaCI9tFsrqxhOMldU_PC1-H9EuSEyX3USzGi1v6g\" target=\"_blank\" rel=\"noreferrer noopener\">according to TechCrunch<\/a>. In that case, the group sent ransom notes to executives, pressuring them to negotiate directly with the group or have their data leaked, Wednesday\u2019s government advisory noted.<\/p>\n<p>The earliest MOVEit exploitations were detected on May 27, resulting in the deployment of web shells and data theft, according to <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/zero-day-moveit-data-theft\" target=\"_blank\" rel=\"noreferrer noopener\">Google Cloud\u2019s Mandiant<\/a>, with data theft occurring \u201cwithin minutes\u201d in some cases. Another company, <a href=\"https:\/\/www.greynoise.io\/blog\/progress-moveit-transfer-critical-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\">GreyNoise, reported scanning activit<\/a>y involving the login page for MOVEit Transfer and the particular file associated with this attack as far back as March 3.<\/p>\n<p>On May 31, Progress Software Corporation, the company that owns MOVEit, <a href=\"https:\/\/community.progress.com\/s\/article\/MOVEit-Transfer-Critical-Vulnerability-31May2023\" target=\"_blank\" rel=\"noreferrer noopener\">posted its first notice<\/a> of the situation and began posting patches. 
The vulnerability exploited by CL0P, CVE-2023-3462, affected all MOVEit Transfer versions, the company said. <\/p>\n<p>\u201cCISA remains in close contact with Progress Software and our partners at the FBI to understand prevalence within federal agencies and critical infrastructure,\u201d CISA Executive Director for Cybersecurity Eric Goldstein said in a statement. \u201cToday\u2019s joint advisory provides timely steps that organizations can take to protect against and reduce the impact of CL0P ransomware or other ransomware threat. CISA continues to work diligently to notify vulnerable organizations, urge swift remediation, and offer technical support where applicable. Potentially impacted organizations should reach out to CISA via&nbsp;<a href=\"http:\/\/cisa.gov\/report\" target=\"_blank\" rel=\"noreferrer noopener\">cisa.gov\/report<\/a>&nbsp;or your regional cybersecurity representative.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2397260273973\">\n<div class=\"author-card\" readability=\"8\">\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-cl0p-ransomwarae-moveit-transfer-attack\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>US cyber officials offer technical details associated with CL0P ransomware<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[322,323,324,46,288,1],"tags":[326,327,328,54,294,325],"class_list":["post-1409","post","type-post","status-publish","format-standard","hentry","category-clop","category-extortion","category-moveit-transfer","category-ransomware","category-threats","category-uncategorized","tag-clop","tag-extortion","tag-moveit-transfer","tag-ransomware","tag-threats","tag-uncategorized"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/clop\/\" rel=\"category tag\">Clop<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/moveit-transfer\/\" rel=\"category tag\">MOVEit Transfer<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1409"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1409\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}