MOVEit Exploit-CLOP Ransomware Threat Vector Identification | WhoisXML API


MOVEit Exploit-CLOP Ransomware Threat Vector Identification Aided by DNS Intelligence

Several threat actor groups have joined in on exploiting the zero-day MOVEit vulnerability to launch their own brands of mayhem—and the CLOP ransomware group is just one of them.[1] The MOVEit vulnerability gave the CLOP ransomware operators access to connected databases, enabling them to infer information about their structure and content.

A total of 139 indicators of compromise (IoCs) related to the MOVEit-enabled CLOP ransomware attacks have been made public since the start of June.

To uncover more as-yet-unidentified connected artifacts, we at WhoisXML API dove deep into the threat, aided by our comprehensive DNS intelligence.

Our in-depth analysis found that:

  • Seventeen of the IP addresses identified as IoCs were dedicated hosts. Four of them were detected as malicious by a malware check tool.
  • Five of the 10 IP addresses that served as hosts to some of the domains identified as IoCs were dedicated. Four of them were classified by a malware check tool as malicious.
  • More than 6,600 domains contained the string "zoom," like two of the domains identified as IoCs. Close to 60 of them may have already figured in malicious campaigns based on a malware check.

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.centripetal.ai/blog/cleaninternet-protects-customers-from-moveit-vulnerability/
  • [2] https://otx.alienvault.com/pulse/6486ab4376446c17e1cdc618
  • [3] https://otx.alienvault.com/pulse/6480db093f4a3abcd042e873