Authored by: Abhishek Karnik and Oliver Devane
You may have heard recently in the news that several organizations, including banks, federal agencies, and corporate entities, have suffered data breaches due to a series of ransomware attacks initiated by the Clop hacker group (aka CLOP, CL0p), that leveraged a vulnerability in MOVEit software.
Three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) have been reported in the software. However, the group is only known to have leveraged one, CVE-2023-34362 to obtain unauthorized access to sensitive data. The vulnerabilities, if exploited, result from a structured query language (SQL) injection attack, that allows attackers access to databases hosted by the MOVEit application.
SQL injection is a technique by which attackers exploit vulnerabilities that allows the injection of malicious code into an application to view or modify a database (in this case MOVEit)
Ransomware is a certain class of malware that tries to extort money as a ransom payment. The typical tactics for such malware are:
- Encrypt files on a machine and demand payment for file decryption.
- Siphon important business, confidential or sensitive data, and then demand a payment to prevent public disclosure of such data.
While there were no reports of file encryption in this wave, the malicious actors stole files from the impacted companies and are now extorting them by demanding payment to prevent the hackers from releasing the files to the public. It should be noted that this is not the first time Clop has used these tactics.
How did this attack occur and how does this impact you?
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) first warned of this attack via a press release on June 7, 2023. The attackers exploited a zero-day threat in MOVEIt software. Internet-facing MOVEit transfer web applications were compromised through the vulnerabilities listed above and infected with malware that then subsequently stole data from underlying MOVEit databases. The result was that any file that was transferred using MOVEit could also have been stolen by malicious actors. Once the data was siphoned, the attackers contacted the organizations to inform them that they were victims of an attack and that the files would be published publicly if a ransom wasn’t paid on time.
The impact of this is that potentially sensitive files that may have contained intellectual property or personally identifiable customer data could be made available on the Internet. This, of course, would have severe ramifications for not only the impacted organizations, but also for customers or users who had provided information to them.
What can you do?
If you operate a business that utilizes the MOVEit software, it is imperative that you follow guidance provided by Progress Software and CISA.
It’s unlikely that individual consumers will be directly impacted by the CLOP malware. However, there is a possibility that you may have been indirectly impacted if an organization you have previously subscribed to or provided information to is a victim. This FAQ and blog by McAfee contains great details on what steps you should follow if your data is part of a data breach.
Such breaches can also have a ripple effect where malicious actors who weren’t directly involved with the ransomware attack may take advantage of the event, to target potential victims with scams. Be cautious of emails or other correspondence claiming to be from a company that has been impacted by this Ransomware attack. Double-check the email address and verify any links that are present in the emails. Read more about how to recognize and protect yourself from phishing.
