Cl0p's MOVEit Campaign Represents a New Era in Cyberattacks

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,516
The MOVEit file transfer zero-day vulnerability, first discovered on June 1, was used to breach at least 160 confirmed victims by June 30. The successful mass extortion campaign represents an evolution of tactics by the Russian-backed Cl0p ransomware group, which experts say is likely to catch the attention of rival threat actors. Threat researchers note that the MOVEit campaign has some clues about how to respond to future supply chain cyberattacks for defenders as well.

So far, the breached organizations include a who's who of international brands, like Avast's parent company, British Airways, Siemens, UCLA, and more. Reports say the ransomware group pulled off the technically detailed mass exploitation after at least two years of careful development, patiently plotting and planning when and where to strike, armed with the secret flaw in the MOVEit file transfer software.

Researchers note a few innovations Cl0p has made between previous exploits and the MOVEit campaign, which are likely to influence other threat groups. For instance, Cl0p has streamlined the extortion business model by doing away with ransomware all together, John Hammond, Huntress security threat researcher explained to Dark Reading. "From what the industry has seen in [recent] Cl0p breaches (namely, GoAnywhere MFT and MOVEit Transfer), they haven't executed ransomware within the target environments," Hammond says. "The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
The number of victims is now at 230 organizations, 17.5 million affected individuals and climbing.

MOVEIt has had three more revisions due to additional, various vulnerabilities.

Not surprisingly and won't be the last, I guess:

A class action lawsuit was filed in Massachusetts last week against both Progress Software and PBI for their “failure to properly secure and safeguard personally identifiable information.”


Twitter--a snip of my Twit source--no sign-in required.
twitter--moveit.PNG
Wowsers
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,516
As of August 24, cybersecurity firm Emsisoft was aware of 988 victims and roughly 59,200,000 individuals. The number of impacted organizations is also confirmed by Resecurity, which on August 23 reported being aware of 963 public and private sector organizations worldwide hit by the MOVEit hack. Cl0p, which is estimated to earn as much as $100 million as a result of this campaign, has started leaking the data of victims that have refused to pay up.

On August 14 and 15, the cybercriminals leaked nearly 1 Tb of information allegedly stolen from 16 of the victims, Resecurity said. These victims include UCLA, Siemens Energy, Cognizant, and cybersecurity firms Norton LifeLock and Netscout. The list of organizations that may have exposed the information of more than one million individuals includes Maximus, Pôle Emploi, Louisiana Office of Motor Vehicles, Colorado Department of Health Care Policy and Financing, Oregon Department of Transportation, Teachers Insurance and Annuity Association of America, Genworth, PH Tech, Milliman Solutions, and Wilton Reassurance Company.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,266
This is why I keep saying that eventually everyone's information will be compromised. Your only protection against it will be the sheer volume of information that is out there, with billions of peoples info available the chances of yours being used for nefarious purposes is very slim.
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,516

How did Clop get its hands on the MOVEit zero day?​

When the Russian-speaking cyber gang Clop began extorting companies en masse this summer, the headlines focused on impact: hundreds of companies breached, millions of peoples’ personal data stolen, terabytes of identifying information uploaded to the dark web. Clop exploited a bug in a widely used (but relatively unknown) file transfer software called MOVEit, gaining access to sensitive documents and exfiltrating data at scale for use in extortion campaigns. And even months after the initial breach, Clop continues to add to its list of victims every week.

What’s raised eyebrows in the cybersecurity community is not just the scale of Clop’s campaign, but the manner in which they compromised MOVEit in the first place.
Dustin Childs, the head of threat awareness for Trend Micro’s Zero Day Initiative, says criminals wielding zero-day bugs in extortion and ransomware campaigns is rare but not unheard of. Childs would know, his team is constantly finding bugs and buying them from security researchers around the world and in a conversation with the Click Here podcast, he talks about the zero-day market, Clop’s remarkable strategy, and whether other ransomware gangs will follow their lead.
Interview with Dustin Childs
CLICK HERE: Let’s start with your work with the Zero Day Initiative. You’re constantly purchasing bugs in all kinds of software programs. How do you work out what a bug costs?

DUSTIN CHILDS:
So depending on the type of bug, it could be worth $150. And depending on where it's sold, it could be worth up to $15 million. So we look at the bug, we look at how severe it is, we look at how widespread the product is. If it's a very niche product, it's not gonna be as much. If it's something like Microsoft Office or Google Chrome, it's obviously gonna be [worth] much more, since that's gonna be a greater impact to a lot more people. There’s a wide range in value of these bugs. And we do look at each bug that is sent to us and sometimes we say, We're just not interested in this bug. It's just too niche. [Maybe] we offer a price and they either accept it or reject it, and then we take the bug and do our thing with it.

CH: And what do you do with the bug?

DC:
So let's say it’s a Microsoft bug. We purchase a Microsoft bug and then we take it and we build filters for [Trend Micro] products to protect our customers upfront. That's the big thing about the bug bounty marketplace is we're purchasing bugs with the end goal of getting the bugs fixed. And then we send the bug to Microsoft. They don't actually pay us.

CH: So how do you make money?

DC:
That's the neat part. We don't make money at all. We make money by making our products better and selling more products.

CH: So give me an idea of what your shop is like. Is it a bunch of people in a room? Are they remote? What happens if one of your guys suddenly finds a zero day?

DC:
We have a remote team. We're all over the world, and we've got about 12 to 15 researchers at any given time. They're doing their own research, reporting their own bugs. But different people have different specialties. So an Apple bug will go to one person or a Windows bug will go to another person and they look at it and they verify it. They make sure that it's real, and they'll make the suggestion whether or not we purchase it. Then we decide on a price.

CH: And if somebody finds a zero day, are they punching the air? Or is it a little more sedate than that?

DC:
I guess it depends on the person. There are some people who definitely punch the air. There's people around the world where finding a zero day is life-changing for them, and we really do have people around the world. We have one researcher in Ethiopia, and he was punching the air because we essentially made him the richest man in his village. But then there are some people who might find 10 zero days, but they're all just gonna be worth $150. That's great, but you know, I'm not punching the air yet.

CH: I always thought of zero days as being something that only nation-states bought because they were so expensive.

DC:
Right.

CH: So disabuse me of that.

DC:
Well, there's two ways to think of zero days. There's zero-day vulnerabilities and there's zero-day exploits. Zero-day vulnerabilities are much more common than people think. They're out there everywhere, but they're not being exploited. I purchase zero-day vulnerabilities.

Zero-day exploits are relatively rare and they tend to be very expensive. Those are the ones people think of when we’re talking about nation-state attacks and advanced persistent threats. And if you look at the world I live in, that's where the exploit brokers come in. They're purchasing zero-day exploits. They're paying a lot more for it, too. One of the biggest companies is offering, I think, $2.5 million for a zero-day exploit in Android phones. I'm holding a contest and offering $250,000. But they have a different business model as well. Whereas we get the bugs fixed, they resell the bugs to — most likely — nation-states. They don't disclose their customer list, of course, but when you're buying bugs for $2.5 million, who are you reselling them to? You're reselling them to the people who print the money. And that's gonna be the nation-states.

CH: Can you explain the difference between a zero-day vulnerability and an exploit?
 

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,516
According to cybersecurity firm Emsisoft, which has been keeping track of the organizations that were directly and indirectly impacted by the MOVEit hack, the total number of victims reached 2,053 on September 22. The total number of impacted individuals exceeds 57 million.

The latest impacted organization is the National Student Clearinghouse, which last week informed the California attorney general’s office that nearly 900 colleges and universities that use its services are impacted by the MOVEit hack. The National Student Clearinghouse informed Maine’s attorney general in late August that more than 51,000 individuals are affected by the incident.

In data breach notifications sent out to impacted individuals, the organization said its MOVEit server was hacked in late May, but it only determined on June 20 that certain files storing information from the student record database had been stolen.

The National Student Clearinghouse said the compromised information includes name, date of birth, contact information, social security number, student ID number, and school-related records, including degree and enrollment records and course-level data. “The data that was affected by this issue varies by individual,” the organization clarified.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top