Cl0p Strikes Again with MOVEit
In one of the largest data breaches of all time, the Cl0p Ransomware Group stole the private data of an estimated fifteen million people from public and private entities worldwide. For those asking “how” this occurred, the answer is a simple combination of a ransomware group, third-party software trusted by many government and private entities, and, finally, another zero-day vulnerability.
Based out of Russia and well known to cyber law enforcement agencies across the U.S., Cl0p is notorious for exploiting file-transfer services and has set a new precedent for these types of attacks. Rather than going through the effort of encrypting the breached system’s data and demanding a ransom to break the encryption, Cl0p simply steals the user data from these entities and invites the victim to initiate the extortion conversation. Just this past February, Cl0p breached GoAnywhere, another large-scale file-transfer service, by abusing a similar zero-day vulnerability.
A zero-day vulnerability is a software vulnerability of which the developer of the software is unaware and which bad actors discover before anyone else (including the manufacturer). Cl0p (or one of its affiliates) analyzes a particular software product, finds such a weakness, and then exploits it before the software developer can distribute a patch to cure it. Once the developer suspects abnormal activity and eventually detects the zero-day vulnerability and its exploitation, the developer must act swiftly and distribute a “patch” to protect the companies that use its services and the data transferred through them.
There is a reason Cl0p continues to try to exploit these file-transfer services. When it is successful, Cl0p gains access to the private data of hundreds (and sometimes thousands) of public and private entities that use MOVEit. MOVEit allows public and private entities to transfer files in extremely large batches without substantial delays or operational interruptions. MOVEit encrypts the files before a transfer for protection, but the same credentials used to encrypt the data are used to decrypt it. Accordingly, once Cl0p infiltrated the MOVEit platform, it was able to decrypt MOVEit customers’ files.
Customers of MOVEit, and of other software programs exploited through zero-day vulnerabilities, are left generally helpless against the efforts of bad actors, as the software manufacturer exclusively owns the duty and the ability to create and issue a patch based on its internal software source code. In the recent MOVEit exploitation, notification of the zero-day exploitation was sent to customers on May 31, 2023, but the initial patch was unavailable until June 2, 2023. While 48 hours is, in theory, an impressive turnaround for reverse engineering the vulnerability and amending software code, it also gave Cl0p an additional two days to steal data from MOVEit customers.
As with GoAnywhere, Cl0p hit the proverbial “hacker’s gold mine” with MOVEit: companies such as Shell, British Airways, the BBC, and Aer Lingus, many public entities from Missouri, Illinois, Oregon, and Louisiana, and the U.S. Department of Energy all used MOVEit to transfer large batches of files between various parts of their respective organizations. Since the initial news of the exploitation surfaced, Cl0p has claimed it deleted all data held by state and local entities. However, even if true, such an act was likely of little consequence, as the private organizations impacted by Cl0p via MOVEit housed an abundance of personal data on citizens across the globe, thereby rendering the data gleaned from state and local institutions superfluous.
For example, anyone who ever flew on British Airways provided their name and passport information, as well as certain financial information depending on the method of ticket purchase, to the airline. Shell Oil Company employs more than 80,000 people globally and boasts thousands of customers across various types of industry.
Individuals and businesses with concerns about the sanctity of their data are urged to freeze their credit, change passwords for online accounts (including banking and social media), and remain vigilant for signs of abnormal activity involving financial matters and for potential phishing through social media and email. As for the legal fallout from this attack, three class action lawsuits have already been filed on behalf of Louisiana citizens alone against MOVEit’s manufacturer, Progress Software Corporation. More such suits are expected to arise as more organizations confirm data breaches to private citizens and businesses.