Cl0p cybercrime gang's data exfiltration tool found vulnerable to RCE attacks

Security experts have uncovered a hole in Cl0p's data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack.

The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL).

Classed as an improper input validation (CWE-20) bug, the flaw with an 8.9 severity score is underpinned by a lack of input sanitization, which results in the tool constructing OS commands by concatenating attacker-supplied strings.

According to CIRCL's summary: "An authenticated endpoint on the Cl0p operators' staging/collection host passes file-or directory-names received from compromised machines straight into a shell-escape sequence."

Alexandre Dulaunoy, head of CIRCL, said he doesn't expect the team that developed the data exfiltration tool to take any corrective action to fix the vulnerability.

Cl0p's rivals, or other ...