Supply chain, Application security

MOVEit hackers may have found simpler business model beyond ransomware

Hackers from the Cl0p extortion group have consistently targeted file transfer software, and experts worry their latest success could breed copycats in the ransomware world. (Image Credit: Sean Gladwell via Getty Images)

A notorious cyber extortion gang's latest plot is fueling concern that ransomware actors may have hit upon a simpler and just-as-lucrative business model than their traditional methods of demanding payment from victims in exchange for the release of their computer systems.

The Russian-speaking hacker group Cl0p confirmed it exploited a zero-day vulnerability in the popular MOVEit file transfer program and stole data from a growing number of victims, exposing the personal information of many millions of people worldwide.

It's Cl0p's third and largest hack of file-transfer software, which is designed to securely facilitate an organization's transmission of sensitive data. More alarmingly, it's also the third time it has simply demanded payment not to release data rather than demanding a ransom to decrypt a victim's system.

"It's sort of a new business model for them," said Huntress senior researcher John Hammond, who helped find the backdoor zero-day exploit Cl0p used to trick MOVEit's database to execute the gang's commands. Hammond said the latest extortion method is easier to implement.

"You don't need to encrypt the hard drive," he said. 

Hammond and others warn that we should expect to see additional attacks in the future targeting file-transfer software in particular, as well as other data-rich tools such as document management programs.

"It's been quite productive," said Bert Kondruss, founder of cybersecurity firm Kon Briefing. "I'm pretty sure they will concentrate on this." 

Scouring regulatory filings, public statements and other sources, Kondruss has compiled an unofficial list of 128 victims so far. Hammond, Kondruss and others expect many more. 

Analysts say the bulk of the attacks occurred over the Memorial Day weekend in the United States when staffing was minimal.  

The hacking group began publishing the names of its victims earlier this month after demanding payments from them, including the University of California, Los Angeles, Siemens Energy and three others reported on Monday. Cl0p continues to post updates that claim to detail new victims on a daily basis.

"The company doesn't care about its customers, it ignored their security!!!" the hackers wrote on their dark Web "leak site." 

That's in addition to other government agencies, corporations and university systems and others previously identified as Cl0p victims. 

Data indicates MOVEit likely to be Cl0p’s most successful file transfer application hack

Cl0p had previously exploited zero-day vulnerabilities in two other file-transfer programs, Accellion and GoAnywhere, but the evidence so far indicates the MOVEit compromise may well dwarf the impact of both previous campaigns, both in terms of scope and the sheer number of large, well-known companies and government agencies that were swept up.  

According to open-source intelligence examined by cybersecurity company Tenable, Cl0p compromised about 50 organizations during the Accellion breach in 2020 and 2021 and about 130 during the GoAnywhere hack earlier this year.

"Vulnerabilities in file transfer tools and security products have had serious consequences for several of our customers, and concerns that the trend is snowballing are growing," wrote Sandra Joyce, vice president of intelligence at Mandiant and Google Cloud, on July 3.

Kondruss ultimately expect "hundreds" of MOVEit victims will emerge. At least 2,500 MOVEit servers exposed on the public internet are all potential targets, said Caitlyn Condan of Rapid7.

According to Brett Callow, a ransomware researcher with Emsisoft who has been tracking the fallout from the campaign, the MOVEit hack has at least 138 known victims as of June 29 and has affected the personal data of more than 15 million individuals.

Threat intelligence company Censys examined 1,400 MOVEit servers visible on the public internet and found 31% of hosts were entities in the financial services sector, 16% in healthcare, 9% in information technology and 8% in government. Nearly a third of the servers were with companies that employed more than 10,000 workers each, while a whopping 69% were located in the United States. 

"While the quantity of these particular hosts may appear modest when considering the vast expanse of the internet, the troubling aspect lies in the large size of the companies involved and the highly sensitive data they handle," Censys said in research published on its website earlier this month.

"Multiple organizations have fallen victim to data theft through the exploitation of this zero-day over the past few weeks, and based on the current level of exposure, the number of affected organizations will likely continue to rise," Censys concluded.

Since the initial MOVEIt zero-day disclosure, researchers have found two others, raising the possibility that other groups may have stolen data from customers using MOVEit's file transfer software. 

MOVEit's owner Progress Software said it has issued patches for the exploits and said in a statement that it is working with investigators and industry experts to find the culprits and prevent further attacks. The U.S. government has offered a $10 million reward for information leading to arrests. 

Progress declined to discuss its customers or disclose the number of customers using MOVEit. According to the MOVEit site, "thousands" of organizations worldwide use it. The company was hit with a class action lawsuit over the breach last week.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds