Cl0p data exfiltration tool found vulnerable to RCE attacks | The Register
Security experts have uncovered a hole in Cl0p's data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack.

The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL).

Classed as an improper input validation (CWE-20) bug, the flaw, which carries an 8.9 severity score, is underpinned by a lack of input sanitization, which results in the tool constructing OS commands by concatenating attacker-supplied strings.

According to CIRCL's summary: "An authenticated endpoint on the Cl0p operator's staging/collection host passes file or directory names received from compromised machines straight into a shell escape sequence."

Alexandre Dulaunoy, head of CIRCL, said he doesn't expect the team that developed the data exfiltration tool to take any corrective action to fix the vulnerability.

Cl0p's rivals or other attackers could feasibly exploit this vulnerability to disrupt the cybercrime group's operations or even steal its data, all while using its own bespoke tool for stealing files from its targets.

The vulnerability is essentially a remote command execution (RCE) issue, which can be exploited if a maliciously named folder is loaded by Cl0p itself.

Cl0p is arguably most famous for being the band of extortionists that orchestrated the supply chain attack on Progress Software's MOVEit file transfer solution in 2023.

Security biz Emsisoft tracked the number of MOVEit victims from the outset and did so until June 28, 2024, at which point the final count stood at 2,773 organizations and more than 95 million individuals.

However, the actual figures may be materially worse, since major organizations such as Xerox, Nokia, Bank of America, Morgan Stanley, Amazon, and more were all allegedly affected months after Emsisoft stopped the count.

No further data grabs have been claimed since late last year, meaning the attacks were still causing issues using the same MOVEit bugs for around a year and a half.

The story may not be over, though, because security outfit GreyNoise reported last week a sustained surge in scanning activity for publicly exposed systems that remained vulnerable to the two previously disclosed MOVEit bugs, CVE-2023-34362 and CVE-2023-36934.

Changes came on May 27, GreyNoise said. Before then, vulnerable MOVEit scans were being executed by fewer than ten IPs per day, but by May 28 these had risen to 319 daily IPs and have remained in the 200-300 range ever since.

On June 12, the company also detected in-the-wild exploit attempts using the two previously disclosed MOVEit bugs, although these were low in volume.

GreyNoise did not attribute the scanning to any one group or nation, but said the most common targets were the UK, US, Germany, France, and Mexico.

It added that 44 percent of the 682 unique IPs executing scans within the past 90 days as of June 25 came from Tencent Cloud, with the others coming from Amazon, Cloudflare, and Google.

"This level of infrastructure concentration, particularly within a single ASN, suggests that the scanning is deliberate and programmatically managed rather than random or distributed probing," said GreyNoise.
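The bug class CIRCL describes above, a file or directory name received from a remote machine concatenated straight into an OS command, shown as an added Python illustration beside its hardened form. This is not Cl0p's code or CIRCL's analysis; the staging paths, the tar command, the function names and the hostile sample name are all constructed for the example.

```python
import re
import shlex
import subprocess

# Constructed illustration of the bug class in the article: an untrusted file or
# directory name concatenated into an OS command (CWE-20 leading to command
# injection). Paths, the tar command and the functions are hypothetical; none of
# this is Cl0p's or CIRCL's code.
STAGING_DIR = "/staging"    # hypothetical
INCOMING_DIR = "/incoming"  # hypothetical
# Allowlist for names a legitimate collector would send: no '/', no whitespace,
# no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")

def build_command_unsafe(name: str) -> str:
    """Vulnerable pattern: the untrusted name is spliced into a shell string."""
    return f"tar czf {STAGING_DIR}/{name}.tgz {INCOMING_DIR}/{name}"

def shell_would_run(command: str) -> list[str]:
    """Tokenise the string as a POSIX shell would (nothing is executed), so a
    ';' smuggled in via the name shows up as a command separator."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))

def is_safe_name(name: str) -> bool:
    """True only for allowlisted names that are not '.' or '..'."""
    return SAFE_NAME.fullmatch(name) is not None and name not in (".", "..")

def build_argv_safe(name: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list that is handed
    to the kernel directly, so no shell ever parses the name."""
    if not is_safe_name(name):
        raise ValueError(f"rejected untrusted name: {name!r}")
    return ["tar", "czf", f"{STAGING_DIR}/{name}.tgz", f"{INCOMING_DIR}/{name}"]

def archive(name: str) -> subprocess.CompletedProcess:
    """Run the hardened command with shell=False; metacharacters stay inert."""
    return subprocess.run(build_argv_safe(name), shell=False, capture_output=True)

if __name__ == "__main__":
    hostile = "report.txt; echo INJECTED"  # constructed sample name
    print(build_command_unsafe(hostile))
    print(shell_would_run(build_command_unsafe(hostile)))
    print(build_argv_safe("report.txt"))
    print(is_safe_name(hostile), is_safe_name("../etc"))
```

The same allowlist check is also a cheap detection point: a collector that logs every rejected name surfaces injection attempts against the staging host.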
Copyright 1998-2025. All rights reserved.