CIP Cyber

The MOVEit Vulnerability: A Ticking Time Bomb in Critical Infrastructure

Critical infrastructure at risk as MOVEit software vulnerability allows unauthenticated access to organizations’ databases.


The cybersecurity landscape has been rocked by a series of attacks exploiting a critical vulnerability in the MOVEit managed file transfer (MFT) software. The attacks, attributed to the Cl0p ransomware group, have targeted a wide range of organizations. 

For over two decades, large organizations have relied on MOVEit, a product of Progress Software. The disclosure in late May 2023 of a severe SQL injection vulnerability in MOVEit Transfer, tracked as CVE-2023-34362 (two further SQL injection flaws in the same product, CVE-2023-35036 and CVE-2023-35708, were patched in the following weeks), has turned this trusted tool into a liability. 

The Cl0p group has been exploiting this flaw since mid-May, and there are signs that they knew about it as early as 2021. Using the vulnerability as their entry point, they have planted web shells on exposed MOVEit Transfer servers, taken control of those servers, and exfiltrated the sensitive data stored on them. 

Growing List of MOVEit Vulnerability Victims 

Federal and state government agencies, major banks, investment firms, and universities have all fallen prey to the Cl0p group. The state of Louisiana’s Office of Motor Vehicles, for instance, confirmed a cyberattack that exposed the records of all the state’s drivers, including license and registration information and possibly Social Security numbers. 

One of the high-profile victims of the Cl0p group’s MOVEit campaign is the British oil and gas multinational Shell. This marks the second time that Shell, which employs more than 80,000 people globally and reported revenues in excess of $381 billion last year, has been hit by the Cl0p gang through a file transfer product. A spokesperson for Shell confirmed the incident, stating, “We are aware of a cybersecurity incident that has impacted a third-party tool from Progress Software called MOVEit Transfer, which is used by a small number of Shell employees and customers.” Shell’s representatives emphasized that their core IT systems appeared to be unaffected and that their IT teams were continuing to investigate the incident. 

This is far from the first time Cl0p has breached a file transfer product to obtain data it could then use to extort companies. Earlier instances include Fortra’s GoAnywhere MFT servers in early 2023 and Accellion File Transfer Appliance (FTA) devices in late 2020 and early 2021. 

Cl0p Group’s Exploitation Strategy and Impact on MOVEit Victims 

In a span of roughly three weeks, Progress Software had to patch its MOVEit products for the third time due to a critical SQL injection flaw, CVE-2023-35708. This came after the disclosure of a zero-day vulnerability in late May and the patching of a second critical bug a week later. 

SQL injection is a code injection technique that targets the way a web application builds queries for its database. When untrusted input (a username, a search term, an HTTP header) is concatenated directly into a SQL statement, an attacker can supply input that changes the statement itself, so the database executes whatever query the attacker designed: bypassing a login check, reading tables the application never meant to expose, or modifying data. When the vulnerable request needs no login, as in the MOVEit case, the attacker can do this without credentials. 
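To make the mechanism concrete, here is an added example (not code from the article or from MOVEit Transfer, which is a .NET application) showing a login query built by string concatenation beside the same query with bound parameters. The user table, credentials and payloads are constructed for the demo; SQLite stands in for the real database server.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo; not MOVEit's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("sysadmin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: the caller's input becomes SQL."""
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same query with bound parameters: input is treated as data, never as SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Payload 1: close the string, then comment out the password check entirely.
BYPASS = "sysadmin' --"

# Payload 2: pull a value from another column through the result the
# application expects (here, the sysadmin password shows up as the "role").
EXFIL = "' UNION SELECT password FROM users WHERE username='sysadmin' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS, "x"))   # admin
    print("vulnerable, exfil  :", login_vulnerable(db, EXFIL, "x"))    # hunter2
    print("fixed, bypass      :", login_fixed(db, BYPASS, "x"))        # None
    print("fixed, real creds  :", login_fixed(db, "sysadmin", "hunter2"))  # admin
```

The two payloads map onto the two things the article attributes to Cl0p: gaining a privileged session without knowing a password, and pulling data out through a request the application thinks is routine. The fix is not input filtering but parameterization, which keeps the query shape fixed regardless of what the input contains.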

In the case of the Cl0p group, after exploiting the SQL injection vulnerability they obtain a session with the privileges of the highest-privileged MOVEit Transfer account, which gives them full control over the application. They then deploy a web shell, a script placed in the web root that lets them administer the server remotely over ordinary HTTP requests, and use it to collect the stored data. The shell, known as LEMURLOOT, is written specifically to interact with the MOVEit Transfer platform, enumerating users, folders and files and retrieving them. 
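A web shell deployed into a product's web root leaves a simple trace: requests to a server-side page the product never shipped. The following added example (not from the article and not Progress's guidance) scans IIS-style access log lines for ASPX pages that are not on an allowlist. The log lines, the allowlist and the client addresses are constructed for the demo; the shell file name `human2.aspx` is taken from public incident reporting on LEMURLOOT and is not something this article states, so treat it as an assumption to verify against your own threat intelligence.

```python
import re
from collections import Counter

# Constructed IIS W3C-style log lines for the demo (not real MOVEit logs).
# Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
SAMPLE_LOG = """\
2023-05-28 01:12:03 203.0.113.10 GET /human.aspx 200 Mozilla/5.0
2023-05-28 01:12:09 203.0.113.10 POST /moveitisapi/moveitisapi.dll 200 Mozilla/5.0
2023-05-28 01:13:41 203.0.113.10 POST /human2.aspx 200 Mozilla/5.0
2023-05-28 01:14:02 198.51.100.7 GET /human.aspx 200 Mozilla/5.0
2023-05-28 01:15:17 203.0.113.10 GET /backup.aspx 404 Mozilla/5.0
2023-05-28 02:01:00 203.0.113.10 POST /human2.aspx 200 python-requests/2.31
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")

# Illustrative allowlist of ASPX pages a stock front end serves. Assumption for
# the demo: in practice, build this list from a clean install's wwwroot.
KNOWN_ASPX = {"/human.aspx", "/machine.aspx", "/guestaccess.aspx"}

# File name reported publicly for the LEMURLOOT shell (assumption; not from
# the article). Any unlisted ASPX page is flagged regardless of this name.
LEMURLOOT_NAME = "/human2.aspx"


def scan_iis_log(text):
    """Return one finding per request for an ASPX page not on the allowlist.

    A 200 response means the handler exists on disk, which on a server that
    should only serve its stock pages is a strong web shell signal. A 404 is
    recorded too, since it shows someone probing for a shell by name.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, blank lines and malformed rows
        ts, ip, method, stem, status, ua = m.groups()
        stem_l = stem.lower()
        if not stem_l.endswith(".aspx") or stem_l in KNOWN_ASPX:
            continue
        findings.append({
            "time": ts, "client": ip, "method": method, "path": stem,
            "status": int(status), "user_agent": ua,
            "known_lemurloot_name": stem_l == LEMURLOOT_NAME,
            "shell_present": status == "200",
        })
    return findings


def clients_hitting_shells(findings):
    """Count confirmed (HTTP 200) unlisted-ASPX hits per client address."""
    return Counter(f["client"] for f in findings if f["shell_present"])


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(dict(clients_hitting_shells(hits)))
```

Access logs rarely record custom request headers, so the check keys on the requested path and response code rather than on the shell's own authentication header. On a real server, pair this with a file listing of the web root against a known-good install: the log shows who talked to the shell, the filesystem shows when it arrived.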

Notably, the Cl0p group has focused on data exfiltration rather than deploying ransomware, which would encrypt the victim’s data and demand a ransom for its decryption. Encrypting nothing keeps the intrusion quieter, so the group can keep pulling data out unnoticed, and the threat of publication becomes the sole lever for extortion. 

The scale of the attack is still being assessed around the world. The Cl0p group has warned business victims of the MOVEit attack to email them before a specified date or else the stolen data will be published. The group is therefore not only stealing data but using it to pressure victims into paying. 

Progress Software has been quick to respond, urging its customers to apply patches for the vulnerability and providing instructions on how to do so. However, the rapid and widespread nature of the attacks has left many organizations scrambling to assess and mitigate the damage. 

CISA Director’s Insights: MOVEit Attacks, An Opportunistic Threat 

In a recent press call, CISA Director Jen Easterly confirmed that “several federal agencies” had been impacted through their MOVEit Transfer instances. She clarified, “Specifically, as far as we know, these actors are only stealing information that is being stored on the file transfer application at the precise time that the intrusion occurs.”  

Easterly went on to explain, based on discussions with industry partners in the Joint Cyber Defense Collaborative, that “These intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems or to steal specific high-value information.” She summed up the nature of the attacks as being “largely opportunistic.”  

Easterly also noted that the agency was “not aware of Cl0p actors threatening to extort or release any data stolen from US government agencies.” While the agency is, in her words, “very concerned” about the campaign, she stated that it did not present a systemic risk to US national security or networks. 

OT/ICS Cybersecurity Measures in Response to Rising MOVEit Victims 

The number of confirmed MOVEit victims keeps growing. The Cl0p ransomware group has begun to publicly name victims, specifically those who did not contact them to negotiate, which suggests that the scale of the attack is much larger than initially thought. 

Importantly, the critical vulnerability in MOVEit software has significant implications for Operational Technology (OT) and Industrial Control Systems (ICS). Organizations in critical infrastructure sectors such as energy, transportation, and oil and gas often rely on file transfer applications like MOVEit to move engineering files, configuration data and reports between business and plant networks. An exploited vulnerability in that path could give attackers access to sensitive operational data, disrupt the processes that depend on those transfers, or serve as a stepping stone toward systems where physical damage is possible. 

In conclusion, the MOVEit attacks have underscored the urgent need for organizations to maintain a robust cybersecurity posture. Key takeaways include:  

  • Keeping software up to date is crucial. Even trusted software like MOVEit can become a vector for cyber attacks if vulnerabilities are not addressed promptly. 
  • Identifying and prioritizing vulnerabilities is a must. As the MOVEit attacks demonstrate, cybercriminals are quick to exploit any weaknesses they can find. 
  • Remediation of vulnerabilities should be a priority. Delayed action can lead to significant damage and data loss. 
  • Transparency and collaboration in the cybersecurity community are vital. The MOVEit attacks have highlighted the importance of disclosing vulnerabilities and sharing threat intelligence. 
  • Staying one step ahead of cybercriminals is essential. As the cybersecurity landscape continues to evolve, the need for proactive and collaborative defense strategies has never been greater. 
Davis Truyen

Davis Truyen is a cybersecurity evangelist and writer at CIP Cyber, an initiative dedicated to protecting critical infrastructure from cyber threats. With a bachelor’s degree in computer science and a passion for industrial control systems and operational technology security, he regularly shares his knowledge and insights on industrial cybersecurity topics.
