The full scope of the MOVEit breach is still coming to light. On May 31, software company Progress discovered a vulnerability (CVE-2023-34362) in its MOVEit Transfer and MOVEit Cloud file transfer tools. Payroll provider Zellis was a victim of the breach, as well as some of its customers, including pharmacy chain Boots, broadcaster BBC, airline British Airways, and airline Aer Lingus. Since the vulnerability was discovered, Progress has moved to investigate and patch the vulnerability. But the number of victims swept up in the breach is growing.
The Clop Ransomware Gang
The Clop Ransomware Gang has been linked to the MOVEit attack. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation released an advisory to address the group’s exploitation of the MOVEit vulnerability.
Clop, also referred to as TA505, was able to exploit CVE-2023-34362, a structured query language (SQL) vulnerability, infecting MOVEit Transfer applications with malware and stealing data from its underlying databases, according to the advisory.
File transfer systems are ubiquitous. Organizations need these internet-facing tools to move data. And these tools have been around since the inception of the internet. “These older services don’t get a lot of attention. They just work, and there can be a ‘set it and forget it’ mentality within IT operations,” Timothy Morris, chief security advisor at cybersecurity management company Tanium, points out.
That mentality opens the doors to opportunistic threat actors, like Clop. “It’s clear there has been a repeated failure to modernize remote access and data transfer tools — and Clop knows this,” says Duncan Greatwood, CEO of zero trust identity and access management company Xage Security.
This is not the first time Clop has targeted file transfer systems. The ransomware gang exploited a zero-day vulnerability in the Accellion file transfer appliance in 2021. Earlier this year, they hit Fortra’s managed file transfer solution GoAnywhere.
“Why attack file transfer services? That’s where the data is. Data is the lifeblood of most organizations, and file transfers are moving data from one place to the other. Attackers know this,” says Morris.
The Growing List of Victims
Headlines declaring the latest victims from the MOVEit breach are popping up like weeds. The breach has swept through multiple industries. It has impacted Shell, Johns Hopkins University, Schneider Electric, Siemens Energy, and many more. CNN reported that several federal agencies, including the Department of Energy, are among those impacted by the breach.
“So far, the ‘known’ list for Clop is about 121 organizations that are basically all different verticals and company types,” says Chase Cunningham, advisor at cybersecurity firm Lumu. “However, most of them are larger businesses, and this is most likely due to the ransomware actors wanting to show their clout.” Given the scope of the breach, he expects more victims, including smaller organizations, will be added to the still-growing list.
And as that list gets longer, organizations will need to be vigilant. In addition to following recommendations and applying the security patches from Progress, potential victims will need to be prepared for incident response. Are there signs of a breach, and has any data theft occurred?
“Organizations using MOVEit should also conduct a thorough review of what data is accessible using MOVEit and make determinations of whether additional safeguards must be put in place to mitigate risk associated with potential data loss,” says Drew Schmitt, lead analyst of the GuidePoint research and intelligence team at cybersecurity consulting services company GuidePoint Security.
Steve Povolny, director of security research at cybersecurity company Exabeam, encourages security teams to monitor their organizations’ databases for abnormal behavior. “Examples include an abnormal user logging into the database for the first time or a strange amount of data being transferred in or out,” he says.
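Povolny's two examples of abnormal database behavior, a first-seen user logging in and an unusual volume of data moving in or out, can be turned into a simple detection pass over database audit logs. The following is an added example, not code from the article or from any of the companies quoted; the log line format, the user names and the ten-times-median volume threshold are constructed assumptions:

```python
"""Added example (not from the article): flag first-seen database logins and
unusual transfer volumes over constructed audit-log lines. The log layout,
user names and threshold are assumptions, not MOVEit's actual log format."""
import re
import statistics

# Constructed sample lines in an assumed "timestamp user action bytes" layout.
SAMPLE_LOG = """\
2023-05-27T01:00:00Z svc_app LOGIN 0
2023-05-27T01:00:05Z svc_app SELECT 4096
2023-05-28T01:00:00Z svc_app LOGIN 0
2023-05-28T01:00:05Z svc_app SELECT 5120
2023-05-29T01:00:00Z svc_app LOGIN 0
2023-05-29T01:00:05Z svc_app SELECT 3072
2023-05-30T03:14:00Z healthcheck LOGIN 0
2023-05-30T03:14:02Z healthcheck SELECT 734003200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN|SELECT|INSERT|UPDATE|DELETE) (\d+)$")


def parse(log_text):
    """Parse lines into (timestamp, user, action, byte_count); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, nbytes = m.groups()
            events.append((ts, user, action, int(nbytes)))
    return events


def detect_anomalies(events, known_users, volume_factor=10):
    """Return (timestamp, user, reason) alerts for logins by users outside the
    known-user baseline and for byte counts exceeding volume_factor times the
    median of the known users' non-login traffic."""
    alerts = []
    baseline = [n for _, u, a, n in events if u in known_users and a != "LOGIN" and n > 0]
    median = statistics.median(baseline) if baseline else 0
    for ts, user, action, nbytes in events:
        if action == "LOGIN" and user not in known_users:
            alerts.append((ts, user, "first-seen login"))
        if median and nbytes > volume_factor * median:
            alerts.append((ts, user, f"volume {nbytes} bytes exceeds {volume_factor}x baseline median {median:.0f}"))
    return alerts
```

In practice the known-user set and the volume baseline would come from a longer observation window than the eight constructed lines here.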
But the work doesn’t end there. This significant breach stems from one vulnerability, but a similar vulnerability could be discovered and exploited again.
“As the dust settles, organizations need to review the tools used for remote access and remote data or file transfer, both for themselves and for their suppliers. As CISA has pointed out, there is a whole class of inherently vulnerable utilities still commonly in use today,” says Greatwood.
A $10 Million Reward
The US Department of State’s Rewards for Justice Program offers rewards for information that supports national security objectives. This program is offering a reward of up to $10 million for the identification or location of individuals participating in malicious cyber activity sponsored by foreign governments. Rewards for Justice tweeted the reward offer with a query specifically about the Clop Ransomware Gang.
“With two high profile mass-exploitation events occurring in the first half of 2023, they have attracted the attention of government and law enforcement, which is likely to mean either a rebrand from Clop to try to reduce government and law enforcement attention, or that law enforcement action will be successful, and they will no longer be able to victimize additional organizations,” says Schmitt.
A reward this high does call attention to how seriously the US government is taking Clop as a threat actor, but it is important to remember that holding the individuals behind the attack accountable is a difficult task. “The threat actors for this one are located in non-extradition countries … so, the likelihood of getting them arrested or even picked up with a reward offering are slim to none,” says Cunningham.
Greatwood points out that a reward of this size could sway some of the financially motivated people involved with Clop, but it will mean little to the nation state actors using the data and system access obtained by the ransomware gang. “Some of the damage will linger even if CLOP itself can be shut down,” he says.
Preparing for Future Threats
The MOVEit attack is another reminder of the difficult task of managing third-party risk. “One of the biggest implications coming out of the MOVEit attack is how many organizations are being publicly named as being impacted and what that means for organizations they have relationships with,” says Schmitt.
Third-party risk is one of many reasons that necessitate hardened cyber defenses. Organizations need the resources to maintain robust threat intelligence and incident response plans.
Morris emphasizes the importance of knowledge. What devices are on your network? What is running on those devices? What is going in and out of your network? What do you look like to a potential attacker? Are your security controls in place and effective? Where is your data stored, and is it safe? Are your users educated on cyber threats? “Mastering these seven items will put any organization way ahead of the game,” he says.
Cunningham also reiterates the importance of cybersecurity basics. “Be really good at the basics that we know work and be able to know what is taking place and respond with full context in as close to real time as possible,” he says. “Start with that and you are in a better place than the next piece of low-hanging fruit and the bad guys will likely pass you by.”