The MOVEit Cyberattack: Cl0p Ransomware Group
"MOVEit attack spreads Cl0p ransomware, impacting organizations worldwide."


Introduction

A recent report from the cybersecurity firms KonBriefing and Emsisoft reveals that more than 500 organizations now appear to have been affected by the MOVEit attack campaign, exposing the personal data of a staggering 34.5 million individuals. The scale of the breach underscores the seriousness of the incident and the large number of people who are impacted.

The MOVEit cyberattack unfolded as a highly sophisticated breach of the popular managed file transfer service MOVEit. The attackers, believed to be linked to the Cl0p ransomware group, exploited a critical zero-day vulnerability to gain unauthorized access to sensitive data. The incident sparked widespread concern and prompted urgent security measures to safeguard affected organizations.

Timeline of the MOVEit attack

  • May 28, 2023: Progress Software is alerted to a zero-day vulnerability in MOVEit.
  • May 31, 2023: Progress Software discloses the zero-day vulnerability and releases a patch.
  • June 1, 2023: Security researchers begin to report evidence of active exploitation of the vulnerability.
  • June 4, 2023: Microsoft attributes the attacks to the Clop ransomware gang.
  • June 5, 2023: Initial victims of the attack begin to come forward, including British Airways, the BBC, and the government of Nova Scotia.
  • June 6, 2023: Clop publishes a statement on its dark web site claiming to have stolen data from hundreds of organizations.
  • June 14, 2023: Clop sets a deadline for victims to contact the group and begin negotiations.
  • June 15, 2023: Progress Software discloses and releases a patch for a new privilege escalation vulnerability in MOVEit.
  • June 16, 2023: The U.S. State Department offers a $10 million bounty related to information on the Clop ransomware group.
  • June 19, 2023: Clop simultaneously leaks data and publicly names an organization, marking the second instance of a data leak related to the MOVEit exploits.
  • June 22, 2023: The California Public Employees’ Retirement System confirms that the personal data of about 769,000 members was exposed and downloaded in connection to the PBI breach.
  • June 26, 2023: Clop claims to have leaked data stolen from 17 of its alleged victims to date.
  • July 5, 2023: Progress Software releases another update, including security fixes, and says it will consistently release MOVEit product updates every two months going forward.
  • July 6, 2023: Progress Software discloses three new vulnerabilities in an advisory that details the security fixes it released in the service pack the day prior.
  • July 7, 2023: CISA issues an alert, advising MOVEit customers to apply the product updates.
  • July 12, 2023: Progress claims that only one of the six vulnerabilities, the initially discovered zero-day, has been exploited.
  • July 14, 2023: More than 300 victim organizations have been identified; major organizations are joining the long list of victims every day.
  • July 26, 2023: Nearly 500 organizations and almost 35 million individuals have been exposed by the mass exploitation.

The Exploitation and Extortion: Cl0p Ransomware

The attack commenced on May 27, 2023, when the hackers leveraged the zero-day vulnerability to inject SQL commands, granting them access to the databases of various MOVEit customers. Companies across multiple sectors fell prey to this malicious campaign, with notable victims including the BBC, British Airways, Boots, and Aer Lingus. Staff data, including national insurance numbers and bank details, was potentially compromised, posing significant risks to these organizations and their employees.

[Image: Affected organizations by country]

According to a report from security firm Emsisoft, attackers have stolen the personal details of at least 23 million individuals and are holding the data for ransom. Surprisingly, only about one-fifth of victim organizations have disclosed the total number of affected individuals publicly, indicating that the actual number of victims is likely much higher. The situation highlights the alarming scale of the data breach and the potential risk faced by countless individuals whose personal information may have been compromised.

Cl0p Ransomware Group

The cybercriminals responsible for the attack are believed to be affiliated with the notorious Cl0p ransomware group, known for its extortion tactics. The group typically demands a ransom from victims in exchange for secure data deletion. Failure to comply results in the public release of stolen data on an extortion website, exposing sensitive information to the world.

Evolving Extortion Tactics

Ransomware gangs are constantly evolving their extortion tactics in an attempt to pressure victims into paying a ransom. In the past, ransomware gangs typically encrypted victims' files and demanded a ransom payment in exchange for the decryption key. However, in recent months, ransomware gangs have begun to adopt new extortion tactics, such as threatening to leak stolen data or publish it on the dark web.

[Image: Clearweb site created to leak PwC data]


One of the most recent examples of this trend is the MOVEit cyberattack, which exploited a zero-day vulnerability in the MOVEit managed file transfer service. The attackers were able to steal data from a number of organizations, including the BBC, British Airways, and Boots. The attackers then threatened to leak the stolen data if the organizations did not pay a ransom.

Another example of this trend is the ALPHV ransomware gang, which has begun to create clearweb sites to leak data stolen from victims. These sites make it easier for anyone to access the stolen data, and they can also be indexed by search engines, which further increases the pressure on victims to pay a ransom.

Response and Mitigation

Following the discovery of the vulnerability, the software vendor, Progress Software, promptly released a security update to patch the flaw, and MOVEit clients were urgently notified to apply the update to safeguard their data. However, concerns remain, as many firms have not installed the patch, leaving thousands of databases potentially vulnerable. While a WAF provides essential protection at the network layer, it is important to recognize that many MOVEit customers deploy MOVEit into environments without network security solutions. Threat research that continuously refines and updates the signatures used by Cloud WAF (CWAF) and WAF Gateway (WAF GW) may be the better option. And if exploitation cannot be stopped, post-exploitation activity and data exfiltration can still be limited.

Negotiation and Data Deletion

In a bid to avoid unwanted attention, the attackers threatened to erase data stolen from government websites. They offered victims the option to negotiate for the secure deletion of their data by contacting the Clop gang. A price was presented, and samples of random files were provided as verification. So far, no encryption ransomware has been observed.

Conclusion

The MOVEit cyberattack highlights the critical importance of swift and vigilant cybersecurity measures in the face of evolving threats. Organizations must remain proactive in patching vulnerabilities and implementing robust security protocols to safeguard against such malicious exploits. As the ransomware landscape continues to evolve, the need for unified and coordinated efforts to combat cybercrime becomes increasingly apparent.
