Although much of the initial panic surrounding the late-May breach of Progress Software’s MOVEit file transfer tool has subsided, Clop – the ransomware operation behind the attack – continues to leak victims’ details. Pertinently for security teams on the frontline, Progress itself continues to disclose more vulnerabilities in the product, some of which appear to be under active exploitation.
On 6 July, Progress released the first in a planned series of service packs for MOVEit Transfer and MOVEit Automation, designed to provide a “predictable, simple and transparent process for product and security fixes.”
The pack contains fixes for three newly-disclosed CVEs. In numerical order, these are:
- CVE-2023-36932, multiple SQL injection vulnerabilities in the MOVEit Transfer web app that could allow an authenticated attacker access to the MOVEit Transfer database, credited to cchav3z of HackerOne, Nicolas Zillo of CrowdStrike, and hoangha2, hoangnx and duongdpt (Q5Ca) of Viettel Cyber Security’s VCSLAB;
- CVE-2023-36933, a vulnerability that enables an attacker to invoke a method that results in an unhandled exception, causing MOVEit Transfer to quit unexpectedly, credited to jameshorseman of HackerOne;
- CVE-2023-36934, another SQL injection vulnerability with a similar impact to the first, credited to Guy Lederfein of Trend Micro via the Zero Day Initiative.
Christopher Budd, Sophos X-Ops director of threat research, said that Sophos released detections for intrusion prevention system (IPS) signatures for its products earlier this week, and for at least one of the flaws, has seen “some very limited evidence” of exploitation.
“What this means is if you’re a MOVEit customer and you haven’t applied that service pack, even if you deployed the previously released patches, you need to get that service pack deployed as well,” he told Computer Weekly.
Budd added that he has observed before how, when one high-profile vulnerability is disclosed, attacked and fixed, people think they are now protected and their attention starts to wane, even if other vulnerability disclosures follow, which they often do.
“They think, okay, well, I applied the patch a month and a half ago so I’m done, it’s fine. And that’s not the case,” he said.
“The good news is there’s no indication that this new [flaw] that we’ve seen evidence of attacks against is widespread, but the fact that people are apparently starting to target it means that’s the next wave.
“It’s important for people to try to get ahead of that wave and be sure they apply not just the patches that have been released, but the service pack that brings them fully up to date. If you haven’t applied that service pack, today is a good day to do so.”
Budd said there was not yet enough evidence to attribute this latest malicious activity to Clop or any other threat actor, but noted that the mere fact that there is any evidence of exploitation at all suggests there may be more to come.
He also advised users of any file transfer product – not just MOVEit – to adopt a state of heightened alert, Clop having historically favoured vulnerabilities in such tools. He noted that in many organisations, file transfer utilities are often used on an ad hoc basis by people who have not cleared it with the IT or security teams – so-called shadow IT – so even if security professionals do not believe their organisations are exposed, they should still look into the matter as they may find something surprising.
Intense times
The initial MOVEit incident has now claimed close to 300 victims and has likely affected the data of at least 17 million people. Victims are to be found all over the world, although the highest numbers are now in the US, with over 190 confirmed, Germany with 28, Canada with 21 and the UK with 17 – notably the BBC, Boots and British Airways, which were some of the first named victims in June.
Some of the most recent organisations “named and shamed” by the Clop ransomware operation include real estate firm Jones Lang LaSalle, hotel chain Radisson, and GPS specialist TomTom.
Charles Carmakal, Mandiant
Charles Carmakal, CTO at the consulting business of Google Cloud-owned Mandiant, who has been deeply involved in incident response following the MOVEit attacks, said: “There are so many victims that are impacted by MOVEit, either directly or indirectly, that it’s been really impactful and it’s keeping a lot of people busy. Candidly, a lot of people are just overwhelmed – victims, law enforcement, response companies. It’s been pretty intense.”
The MOVEit incident has been particularly notable for the fact that Clop never deployed actual ransomware and no victims appear to have been affected by data encryption – merely data theft and extortion.
Carmakal explained that in their perfect scenario, a gang like Clop would prefer to be able to use encryption to exert so much pressure that their victims feel there is no alternative but to pay. However, thinking about the MOVEit attack from Clop’s perspective, given the number of vulnerable organisations and the need to hit as many as possible before the initial zero-day was made public, it likely made more sense to just conduct smash-and-grab raids.
“The [previous] campaign against Forta GoAnywhere was very lucrative for [Clop],” he said. “I know a lot of victim organisations paid. I think they felt that to be stealing data and only stealing data they would make a lot of money.”
Carmakal said a lot of MOVEit victims have paid, but equally a great many have not, although Budd said that Sophos has observed no payments among victims it has worked with.
Clop is also facing challenges itself. “They’re a small team,” said Carmakal. “It’s hard for a big team to handle this much data, so for a small team to handle this much data, many victims and all the infrastructure they have had to set up to host the volume of data that they’ve stolen – it’s got to be tough.
“They are making some mistakes and will likely make more. One of the things we are advising our clients is there are certain rules that this group abides by – they do things in a certain way – but the caveat is that this time things may be a little different because the threat actors overwhelmed themselves. There could be a number of reasons for the actor to do things that may not be intended or might be accidental, but that’s just a byproduct of them being overwhelmed by the sheer volume of data they have and the number of victims they have.”
One very notable difference observed is the fact that instead of reaching out directly to their victims, Clop asked victims to reach out to it, something that has not really been seen before and may be read as an indication that someone, somewhere, is trying to lighten their workload. The fact that English is not the gang’s first language is also likely complicating things.
“The proactive outreach could well reflect the fact that in this series of attacks Clop has been more successful than they had anticipated,” said Budd. “We often talk about cyber crime as a business – they may be facing a genuine business problem, which is that they have more victims than they have the infrastructure to support. I don’t mean this flippantly by any means, but this may well be the cyber crime equivalent of the helpdesk getting swamped over the holidays.”
Trouble for Clop?
A little over two years ago, the DarkSide ransomware attack on Colonial Pipeline, which wrought havoc across a swathe of US states and elevated cyber security to respectable dinner party conversation, so incensed the US authorities that it spelled doom for the gang that poked the hornets’ nest.
While ordinary people have not felt the impact of the MOVEit attack at the petrol pumps like they did with Colonial Pipeline, the sheer scale and breadth of the incident has brought Clop global government and media attention, and in the security research community a suggestion that the crew has taken a step too far is gaining traction.
“There are a lot of eyes on them right now. There are a lot of people that are upset and some of those people have the authority to take action, whether it’s to seize infrastructure or put people on a no-fly list or pick people up when they travel to certain countries. They’ve definitely attracted a lot of attention, much more than probably what they were hoping to pick up,” said Carmakal.
Budd took a similar view: “There is a certain top of the bell curve that threat actors in the ransomware space want to try to aim for. You want to maximise success but if you are too successful you gain the bad kind of attention, you make yourself so much of a nuisance and so much of a threat that you end up marshalling more forces in response to you than you might want. This could well be one of those moments.”
Will the gang face any repercussions? Carmakal said that even though the US and Russia are barely on speaking terms right now, there are still things that can be done to interfere with Clop’s infrastructure, and law enforcement agencies such as the FBI have set a precedent for offensive “hacking back” operations against cyber criminals.
Don’t forget, he added, that in 2021 when multiple Clop operatives were arrested, they were caught in Ukraine, not Russia.
So Clop’s members should be looking over their shoulders, but as their links to other cyber criminal operations so aptly demonstrate, even if MOVEit proves a step too far for the gang and it becomes impossible to carry on, it can almost certainly be guaranteed that the same people behind the operation will eventually resurface in a different guise. The Biblical adage that there is “nothing new under the sun” has never been applied so aptly as to the cyber security world.