In 2023, Emerson, a multinational technology and engineering company based in the USA, fell victim to a targeted cyberattack by the **CL0P Ransomware Gang**. The attackers exploited a critical **vulnerability in Progress Software’s MOVEit Transfer**, a widely used file transfer tool. By deploying a malicious **web shell named LEMURLOOT**, the threat actors infiltrated MOVEit Transfer databases and **exfiltrated sensitive corporate data**. The breach prompted a joint **Cybersecurity Advisory from CISA and the FBI**, which detailed the **indicators of compromise (IOCs)** and **tactics, techniques, and procedures (TTPs)** used in the attack. While the advisory did not specify the exact nature of the stolen data, the involvement of a **ransomware group** and the **theft of corporate information** suggest severe operational and financial risks. Emerson was urged to implement **mitigation measures** to prevent further compromise, aligning with the broader **#StopRansomware initiative** aimed at combating such threats. The incident underscores the growing sophistication of ransomware attacks leveraging **zero-day vulnerabilities** in third-party software to target high-profile organizations.
TPRM report: https://www.rankiteo.com/company/emerson
"id": "eme435091925",
"linkid": "emerson",
"type": "Ransomware",
"date": "1/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'location': 'USA',
                        'name': 'Emerson',
                        'type': 'corporation'}],
 'attack_vector': ['exploitation of vulnerability (MOVEit Transfer)',
                   'web shell (LEMURLOOT)'],
 'data_breach': {'data_exfiltration': True},
 'date_publicly_disclosed': '2023',
 'description': 'In 2023, Emerson in the USA was targeted by the CL0P '
                'Ransomware Gang. The attackers exploited a vulnerability in '
                "Progress Software's MOVEit Transfer, using a web shell named "
                'LEMURLOOT to steal data from MOVEit Transfer databases. The '
                'CISA and FBI released a joint Cybersecurity Advisory '
                'providing indicators of compromise and tactics identified '
                'through FBI investigations. IT network defenders are '
                'encouraged to review the advisory and implement recommended '
                'mitigations to reduce the risk of compromise. This advisory '
                'is part of the ongoing #StopRansomware effort to help '
                'organizations protect against ransomware threats.',
 'impact': {'data_compromised': True,
            'systems_affected': ['MOVEit Transfer databases']},
 'initial_access_broker': {'backdoors_established': ['LEMURLOOT web shell'],
                           'entry_point': 'MOVEit Transfer vulnerability',
                           'high_value_targets': ['MOVEit Transfer databases']},
 'investigation_status': 'ongoing (part of #StopRansomware effort)',
 'motivation': 'financial gain (ransomware)',
 'post_incident_analysis': {'root_causes': ['exploitation of unpatched MOVEit '
                                            'Transfer vulnerability']},
 'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'CL0P'},
 'recommendations': ['review CISA/FBI joint Cybersecurity Advisory',
                     'implement mitigations to reduce risk of compromise'],
 'references': [{'source': 'CISA and FBI Joint Cybersecurity Advisory'}],
 'response': {'law_enforcement_notified': True,
              'remediation_measures': ['review CISA/FBI advisory',
                                       'implement recommended mitigations']},
 'threat_actor': 'CL0P Ransomware Gang',
 'title': 'Emerson Targeted by CL0P Ransomware Gang via MOVEit Transfer '
          'Vulnerability',
 'type': ['ransomware', 'data breach'],
 'vulnerability_exploited': "Progress Software's MOVEit Transfer vulnerability"}