Cl0p data exfiltration tool found vulnerable to RCE attacks • The Register

07/02/2025


Security experts have uncovered a hole in Cl0p’s data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack.

The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL).

Classed as an improper input validation (CWE-20) bug with a severity score of 8.9, the flaw stems from a lack of input sanitization: the tool builds OS commands by concatenating attacker-supplied strings.

According to CIRCL’s summary: “An authenticated endpoint on the Cl0p operators’ staging/collection host passes file- or directory-names received from compromised machines straight into a shell-escape sequence.”

Alexandre Dulaunoy, head of CIRCL, said he doesn’t expect the team that developed the data exfiltration tool to take any corrective action to fix the vulnerability.

Cl0p’s rivals, or other attackers, could feasibly exploit this vulnerability to disrupt the cybercrime group’s operations or even steal its data, all while using its own bespoke tool for stealing files from its targets.

The vulnerability is essentially a remote command execution (RCE) issue, which can be exploited if a maliciously named folder is loaded by Cl0p itself.
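The bug class described above (untrusted file or directory names concatenated into a shell command) is worth seeing side by side with its fix. The following is an added teaching example, not Cl0p's tool or CIRCL's analysis; the paths, the sample names and the `tar`/`ls` commands are invented stand-ins. The unsafe builder is only ever inspected as a string, never executed; the hardened version validates the name as a single plain path component and passes it as one argv element with no shell involved.

```python
"""Command-injection pattern from the article, beside its hardened form.

Constructed example: none of this is Cl0p's or CIRCL's code, and all names
and paths are invented.  build_command_unsafe() is inspected, never run.
"""
import re
import shlex
import subprocess
import tempfile
from pathlib import Path, PurePosixPath

# Constructed sample inputs.  HOSTILE_NAME stands in for the "maliciously
# named folder" the article mentions: it carries shell metacharacters.
BENIGN_NAME = "quarterly_report.xlsx"
HOSTILE_NAME = "report.xlsx; id #"

# One plain path component: letters, digits, dot, underscore, dash.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]{1,255}")


def build_command_unsafe(name: str) -> str:
    """The vulnerable pattern: untrusted text pasted into a shell string.

    A tool that handed this to os.system() or subprocess.run(shell=True)
    would let the remote host decide what runs.  Returned as a string so it
    can be examined without being executed.
    """
    return "tar -czf /tmp/staging/archive.tgz " + name


def build_command_quoted(name: str) -> str:
    """Partial mitigation when a shell truly cannot be avoided: shlex.quote()
    turns the whole name into one shell word, so metacharacters are inert."""
    return "tar -czf /tmp/staging/archive.tgz " + shlex.quote(name)


def shell_word_count(command: str) -> int:
    """How many words a POSIX shell would see in `command`."""
    return len(shlex.split(command))


def validate_component(name: str) -> str:
    """The missing CWE-20 control: accept one plain path component only."""
    if name in ("", ".", ".."):
        raise ValueError("empty or relative component")
    if PurePosixPath(name).name != name or "\\" in name:
        raise ValueError("path separators are not allowed")
    if not _SAFE_COMPONENT.fullmatch(name):
        raise ValueError(f"disallowed characters in {name!r}")
    return name


def rejects(name: str) -> bool:
    """True when validate_component() refuses the name."""
    try:
        validate_component(name)
    except ValueError:
        return True
    return False


def build_argv_safe(name: str, staging_dir: str = "/tmp/staging") -> list[str]:
    """Hardened form: the validated name is a single argv element and no shell
    is involved.  '--' ends option parsing so a name beginning with '-'
    cannot be read as a flag."""
    return ["tar", "-czf", f"{staging_dir}/archive.tgz", "--", validate_component(name)]


def run_safe(name: str, cwd: str) -> int:
    """Run a command on the validated name without a shell (shell=False is
    subprocess's default).  Uses `ls -ld` so the demo has no side effects."""
    argv = ["ls", "-ld", "--", validate_component(name)]
    return subprocess.run(argv, cwd=cwd, capture_output=True, check=False).returncode


def demo_run_in_tempdir() -> int:
    """Create the benign file in a scratch directory and list it safely."""
    with tempfile.TemporaryDirectory() as scratch:
        Path(scratch, BENIGN_NAME).touch()
        return run_safe(BENIGN_NAME, scratch)


if __name__ == "__main__":
    print("unsafe string :", build_command_unsafe(HOSTILE_NAME))
    print("shell words   :", shell_word_count(build_command_unsafe(HOSTILE_NAME)))
    print("quoted string :", build_command_quoted(HOSTILE_NAME))
    print("shell words   :", shell_word_count(build_command_quoted(HOSTILE_NAME)))
    print("safe argv     :", build_argv_safe(BENIGN_NAME))
    print("hostile name rejected:", rejects(HOSTILE_NAME))
    print("ls exit code  :", demo_run_in_tempdir())
```

The two layers are deliberate: `shlex.quote()` alone stops the shell from splitting the name, but the allowlist in `validate_component()` is what a reviewer should insist on, because it also blocks path traversal and keeps the accepted input small enough to reason about. Passing a list to `subprocess.run()` without `shell=True` removes the shell from the picture entirely, which is the fix that makes the "maliciously named folder" harmless.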

MOVEit… again?

Cl0p is arguably most famous for being the band of extortionists that orchestrated the supply chain attack on Progress Software’s MOVEit file transfer solution in 2023.

Security biz Emsisoft tracked the number of MOVEit victims from the outset and did so until June 28, 2024, at which point the final count stood at 2,773 organizations and more than 95 million individuals.

However, the actual figures may be materially worse, since major organizations such as Xerox, Nokia, Bank of America, Morgan Stanley, Amazon, and more were all allegedly affected months after Emsisoft stopped the count.

No further data grabs have been claimed since late last year, meaning the same MOVEit bugs were still being used to cause damage for around a year and a half.

The story may not be over, though, because security outfit Greynoise reported last week a sustained surge in scanning activity for publicly exposed systems that remained vulnerable to the two previously disclosed MOVEit bugs: CVE-2023-34362 and CVE-2023-36934.

The shift began on May 27, Greynoise said. Before then, scans for vulnerable MOVEit systems were coming from fewer than ten IPs per day, but by May 28 that figure had risen to 319 daily IPs, and it has remained in the 200-300 range ever since.

On June 12, the company also detected in-the-wild exploit attempts using the two previously disclosed MOVEit bugs, although these were low in volume.

Greynoise did not attribute the scanning to any one group or nation, but said the most common targets were the UK, US, Germany, France, and Mexico.

It added that 44 percent of the 682 unique IPs executing scans within the past 90 days (as of June 25) came from Tencent Cloud, with the others coming from Amazon, Cloudflare, and Google.

“This level of infrastructure concentration – particularly within a single ASN – suggests that the scanning is deliberate and programmatically managed, rather than random or distributed probing,” said Greynoise. ®
