Before Cl0p ransomware begins releasing its supposed avalanche of MOVEit zero-day bug victims, we asked experts what should be expected from the gang’s second “grand show” of 2023. Spoiler alert: it might be the biggest we’ve seen for some time.
Russia-linked ransomware syndicate Cl0p posted a warning to MOVEit customers last week, threatening to expose the names of organizations which the gang claims to have stolen data from. The crooks’ deadline, June 14th, ends today.
Until the gang starts releasing victim names, it’s impossible to predict the impact of the attack. However, Cl0p claims hundreds of companies have fallen victim to it.
If confirmed, the attack could overshadow the fallout from another zero-day bug that the gang exploited earlier this year. A flaw in Fortra’s GoAnywhere managed file transfer (MFT) product led to Procter & Gamble (P&G), Shell, Hitachi, Hatch Bank, Rubrik, Virgin, and many others being breached.
“It could be one of the biggest ones we’ve seen recently – perhaps three times the size of GoAnywhere. There are around 3,000 deployments of the MOVEit application, compared with 1,000 of GoAnywhere,” JP Castellanos, the director of threat intelligence at Binary Defense, told Cybernews.
Why is the MOVEit zero-day important?
MOVEit Transfer is managed file transfer (MFT) software, and the now-patched zero-day bug affected MOVEit Transfer servers, allowing attackers to access and download the data stored on them.
The flaw is a Structured Query Language (SQL) injection vulnerability. This class of bug arises when attacker-controlled input is pasted into a database query as text rather than passed as a bound parameter, so the attacker’s input is interpreted as part of the SQL statement itself. That lets the attacker change what the query does: read rows they were never meant to see, or modify or delete data.
“What makes it especially dangerous is that the initial SQL injection can be followed up by secondary attacks using code execution,” Mackenzie Marsocci, Cyber Threat Analysis Center (CTAC) team lead at NuHarbor Security, explained.
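To make the mechanism concrete, here is a small added example (not code from the article, and not MOVEit’s code or the actual MOVEit flaw) showing a generic SQL injection against a hypothetical file-transfer metadata table in SQLite. The schema, the sample rows, and the function names are assumptions constructed for the demonstration. The vulnerable lookup builds the query by string formatting; the hardened one passes the same value as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for a file-transfer server's metadata store.
# Schema and rows are hypothetical for this example; they are not MOVEit's.
SAMPLE_FILES = [
    ("alice", "payroll-q2.csv", "alice-payroll-data"),
    ("bob", "contract.pdf", "bob-contract-data"),
    ("carol", "board-report.docx", "carol-board-data"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, contents TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name, contents) VALUES (?, ?, ?)", SAMPLE_FILES
    )
    conn.commit()
    return conn


def files_for_user_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Vulnerable: the caller-supplied value is pasted into the SQL text, so a
    quote character in it ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]


def files_for_user_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Hardened: the value travels as a bound parameter. The database compares
    the whole string, quotes and all, against the owner column."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    ]


# Two classic payloads. The first makes the WHERE clause always true; the second
# uses UNION to pull a different column (file contents) through the same output
# path, and the trailing "--" comments out the query's original closing quote.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT contents FROM files --"


def run_demo() -> dict[str, list[str]]:
    """Run both lookups against a normal username and both payloads."""
    conn = make_db()
    return {
        "vulnerable_normal": files_for_user_vulnerable(conn, "bob"),
        "vulnerable_tautology": sorted(files_for_user_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "vulnerable_union": sorted(files_for_user_vulnerable(conn, UNION_PAYLOAD)),
        "safe_normal": files_for_user_safe(conn, "bob"),
        "safe_tautology": files_for_user_safe(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": files_for_user_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:22s} -> {rows}")
```

Against the vulnerable function the tautology payload returns every file name in the table, and the UNION payload returns every file’s contents even though the query was only supposed to return names. Against the parameterized function both payloads return nothing, because the database treats the whole input as a literal owner value that matches no row. This is why bound parameters, not input filtering, are the standard fix for this bug class.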
Organizations use the MOVEit service to send and receive files from their clients using secure channels, which means attackers could access sensitive data. According to Tyler Hudak, incident response practice lead at TrustedSec, organizations that did not use the MOVEit service are not immune to the fallout.
“Even if a company doesn’t use MOVEit Transfer, a trusted third party (supplier, partner, etc.) of theirs might. If this trusted third party’s MOVEit system was breached, this could mean a breach of the original company’s sensitive data may have occurred,” Hudak said.
A prime example of that is Zellis, a popular third-party payroll service provider, which was breached via the MOVEit zero-day flaw. The BBC, British Airways, and the retailer Boots were affected by the Zellis breach.
What kind of data might Cl0p have?
Simply put – all of it. After the news about the MOVEit zero-day broke, the cybersecurity firm Kroll noted there are indications that the attackers had likely been experimenting with ways to exploit this particular vulnerability since 2021. Even if the timeframe were narrower, breaching a file transfer service allows attackers to take anything stored there.
According to Lior Mazor, chief information security officer (CISO) and global head of information and physical security at Perimeter 81, the stolen data would differ from company to company, but Cl0p likely has a trove of sensitive files.
“If clients’ customers utilize the MFT software for file transfers, their customer account information could be at risk. This may include customer names, contact details, account credentials, purchase histories, or transaction records,” Mazor said.
Data that the attackers obtained might include employee information, which could be used for further data theft; business data that could expose confidential documents; and intellectual property, such as unpublished media or copyrighted content.
“If software is used to transfer sensitive compliance documentation, legal contracts, or customer data subject to privacy regulations (e.g., GDPR), the exposure or loss of such data could result in legal and regulatory repercussions for your clients,” Mazor explained.
Is the Cl0p gang special?
Not really. Cl0p hardly differs from any other ransomware syndicate. The gang’s leaders prowl the cyber realm for flaws that could be turned into ransom payments. Zero-day bugs are particularly juicy for cybercriminals because no patch exists when exploitation begins, so victims have no immediate countermeasure.
“In most cases, hackers prefer zero-day exploits, which target vulnerabilities unknown to software vendors and have no patches or fixes available. Hackers can exploit zero-day exploits to gain unauthorized access to systems and carry out malicious activities without detection,” Mazor said.
What’s novel about Cl0p and its methods during this saga is the gang’s communication. Instead of contacting affected companies, the gang posted a message on its dark web blog, urging the victims to make the first move.
“It’s unusual for them to ask victims to reach out to them first. Ransomware groups typically make initial contact, especially considering that potential targets might not be actively monitoring a group’s leak site,” Marsocci said.
One reason the gang chose this unorthodox way of communicating about the hack could be that it is overwhelmed by the number of victims on its hands. However, other forces could be at play.
Who is the Cl0p ransomware gang?
The Russia-linked gang goes by different names. Castellanos says that people in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The reason behind the many names is simple – the gang is quite old. It was first observed in 2019 — a long time in the ever-changing ransomware landscape.
Like many other established players, Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means it rents the software to affiliates for a pre-agreed cut of the ransom payment.
“Cl0p is known to use what is called the ‘double-extortion’ technique of stealing and encrypting victim data, refusing to restore access and publishing exfiltrated data on its data leak site if the ransom is not paid,” Castellanos explained.
In 2021, Ukrainian law enforcement dealt the gang a major blow, leading to several arrests and the dismantling of the gang’s server infrastructure. The arrests eventually forced it to shut down operations from November 2021 to February 2022. However, the gang has been steadily recovering since then.