Massive exploitation of MOVEit’s critical flaw is plaguing organizations large and small


Organizations large and small are falling victim to mass exploitation of a critical vulnerability in a widely used file transfer program. The exploitation began over the Memorial Day holiday, while the vulnerability was still a zero-day, and continues now, nearly nine days later.

As of Monday evening, payroll service Zellis, the Canadian province of Nova Scotia, British Airways, the BBC and British retailer Boots were all known to have had data stolen in attacks stemming from a recently disclosed vulnerability in MOVEit, a file transfer product offered both as a cloud service and as on-premises software. Nova Scotia and Zellis had their own MOVEit instances or cloud services breached; British Airways, the BBC and Boots were Zellis clients whose data was exposed through that breach. All of the hacking activity has been attributed to the Russian-language Clop crime syndicate.

Widespread and quite substantial

Despite the relatively small number of confirmed breaches, researchers monitoring the ongoing attacks describe the exploitation as widespread. They compared the hacks to smash-and-grab burglaries, in which a window is broken and thieves take whatever they can carry, and warned that these rapid thefts are hitting banks, government agencies and other targets in alarmingly high numbers.

“We have several customers who had MOVEit Transfer open to the Internet, and they were all compromised,” wrote Steven Adair, president of security firm Volexity. “Other people we’ve talked to have seen something similar.”

Adair continued:

I don’t want to categorize our customers right now because I don’t know what’s out there or who’s running the software and giving it to them. However, along with this, both large and small organizations have been hit. The cases we’ve looked at all involve some level of data export. Attackers typically capture files from MOVEit servers less than two hours after the exploit and shell access. We believe this was likely widespread, and a fairly significant number of MOVEit Transfer servers running Internet-facing web services were compromised.

Caitlin Condon, a senior security research manager who leads the research team at security firm Rapid7, said her team typically reserves the term “pervasive threat” for events involving “many attackers, many targets.” The ongoing attacks have neither. So far, only one attacker is known: Clop, a Russian-language group that is one of the most effective and active ransomware actors. And since the Shodan search engine indexed only 2,510 Internet-facing MOVEit instances when the attacks began, it’s fair to say there aren’t “many targets” in comparison.

In this case, however, Rapid7 makes an exception.

“We don’t see commodity threat actors or low-skill attackers using it here, but the exploitation of high-value targets globally across a wide range of organization sizes, verticals and geographies elevates this to a widespread threat classification for us,” she explained in a text message.

She noted that Monday was only the third business day since the incident became widely known, and many victims may only now be learning that they are at risk. “We expect a longer list of victims to be released over time, particularly as regulatory reporting requirements come into play,” she wrote.

Independent researcher Kevin Beaumont, meanwhile, said Sunday evening on social media: “I’ve followed it. There are double-digit numbers of organizations that have had their data stolen, including multiple US government and banking organizations.”

The MOVEit vulnerability is a SQL injection flaw, one of the oldest and most common classes of web application bug. Often abbreviated as SQLi, these vulnerabilities arise when an application builds a database query by concatenating user-supplied text into the statement instead of passing it separately as a parameter, so characters that should be treated as data (a single quote, for instance) are instead interpreted as part of the SQL command. By entering specially crafted strings into vulnerable fields or request parameters, attackers can trick the application into returning confidential data, granting administrative privileges, or disrupting the application.
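As an added illustration of the bug class (not MOVEit’s code, schema or the specific flaw), the following self-contained Python/SQLite example places a query that splices caller input into the SQL text next to its parameterized equivalent, and drives both with two classic payloads: a tautology that dumps every row, and a UNION that pulls a stored cloud-storage secret out through the column meant for file names, the same kind of credential theft the Mandiant write-up below describes. The tables, rows and secret value are constructed for the demo.

```python
import sqlite3

# Constructed sample data: a file-index table plus an application-settings
# table holding a cloud storage secret. None of this is MOVEit's schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    con.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        (1, "alice", "payroll-2023.csv"),
        (2, "bob", "contracts.zip"),
        (3, "carol", "board-minutes.docx"),
    ])
    con.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    con.execute("INSERT INTO settings VALUES (?, ?)",
                ("azure_storage_key", "constructed-azure-key-000"))
    return con

def list_files_vulnerable(con, owner):
    """Splices the caller's string into the statement text, so a single quote
    in it ends the literal and everything after it is parsed as SQL."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in con.execute(sql)]

def list_files_safe(con, owner):
    """Parameterized: the value travels separately from the statement and is
    only ever compared against the column, never parsed as SQL."""
    rows = con.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]

# Tautology: turns  owner = 'alice'  into  owner = 'alice' OR '1'='1'  and
# therefore matches every row in the table.
TAUTOLOGY_PAYLOAD = "alice' OR '1'='1"

# UNION: closes the intended WHERE clause and appends a second SELECT against
# an unrelated table, so a stored secret comes back as if it were a file name.
UNION_PAYLOAD = "x' UNION SELECT value FROM settings WHERE name = 'azure_storage_key"

if __name__ == "__main__":
    con = make_db()
    for payload in (TAUTOLOGY_PAYLOAD, UNION_PAYLOAD):
        print("payload   :", payload)
        print("vulnerable:", list_files_vulnerable(con, payload))
        print("safe      :", list_files_safe(con, payload))
```

The parameterized version returns nothing for either payload because the whole string is compared as an owner name that does not exist; the concatenating version hands the attacker the full table and then the secret. The point generalizes to any driver and database: the fix is to keep the statement text constant and bind values, not to try to strip quotes.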


According to a note published by security firm Mandiant on Monday, the first signs of Clop exploitation occurred on May 27. In some cases, the data theft occurred within minutes of the deployment of a custom web shell that Mandiant tracks as LEMURLOOT, the researchers said. They added:

Mandiant is aware of numerous cases where large volumes of files have been stolen from victims’ MOVEit Transfer systems. LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability could steal files from Azure in cases where victims store appliance data in Azure Blob storage, although it is not clear whether theft is limited to data stored in this manner.

The web shell is disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to pass for human.aspx, a legitimate component of the MOVEit Transfer service. Mandiant also said it “observed several POST requests made to a legitimate guestaccess.aspx file prior to interacting with the LEMURLOOT webshell, indicating that SQLi attacks were targeting that file.”

On May 31, four days after the earliest attacks began, MOVEit vendor Progress patched the vulnerability. Within a day, social media posts were reporting that the vulnerability was being exploited by a threat actor who placed a file named human2.aspx in the web root of vulnerable servers. Security companies soon confirmed the reports.
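The two indicators above, a web shell named to mimic human.aspx and POST requests to guestaccess.aspx shortly before the shell is used, can be checked from the IIS logs and the web root without any vendor tooling. The following Python script is an added example, not code from the article, Mandiant or Progress: it parses W3C-format IIS log lines by their #Fields header, flags every request to human2.aspx, and then flags guestaccess.aspx POSTs only from client addresses that also reached the shell, since legitimate guestaccess.aspx POSTs exist and alone prove nothing. The log lines, addresses and user agents are constructed, and the web-root filenames are the two Mandiant names; the field subset in the sample header is an assumption about what a given server logs.

```python
import os

# Constructed IIS W3C log excerpt (not a real victim's log). 203.0.113.9
# hammers guestaccess.aspx twice and then calls the web shell; 198.51.100.7
# is an ordinary user who also happens to POST to guestaccess.aspx.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-27 10:01:02 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-27 10:02:10 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-05-27 10:02:11 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-05-27 10:02:30 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-05-27 10:05:00 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

# Filenames Mandiant reported for the LEMURLOOT web shell.
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}

def parse_iis_log(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields line.
    Lines whose column count disagrees with the header are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records

def find_lemurloot_indicators(records):
    """Return (reason, record) pairs: every hit on human2.aspx, then every
    guestaccess.aspx POST from a client that also reached the shell."""
    findings, shell_ips = [], set()
    for r in records:
        if r["cs-uri-stem"].lower().endswith("/human2.aspx"):
            findings.append(("webshell-hit", r))
            shell_ips.add(r["c-ip"])
    for r in records:
        if (r["cs-method"] == "POST"
                and r["cs-uri-stem"].lower().endswith("/guestaccess.aspx")
                and r["c-ip"] in shell_ips):
            findings.append(("sqli-precursor", r))
    return findings

def suspicious_webroot_names(names):
    """Filter a listing of the MOVEit web root down to the shell filenames."""
    return sorted(n for n in names if n.lower() in WEBSHELL_NAMES)

def scan_webroot(directory):
    """Same check against a real directory, e.g. the MOVEit wwwroot."""
    return suspicious_webroot_names(os.listdir(directory))

if __name__ == "__main__":
    for reason, rec in find_lemurloot_indicators(parse_iis_log(SAMPLE_LOG)):
        print(reason, rec["date"], rec["time"], rec["c-ip"],
              rec["cs-method"], rec["cs-uri-stem"])
    print(suspicious_webroot_names(["human.aspx", "Human2.aspx", "web.config"]))
```

Run against a real server, point scan_webroot at the MOVEit Transfer wwwroot and feed parse_iis_log the relevant u_ex*.log files; a hit on human2.aspx is sufficient on its own to treat the host as compromised, and the precursor POSTs give the earliest timestamp for scoping the data theft, which the researchers quoted above say can begin within minutes.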

The attribution of the attacks to Clop came from Microsoft on Sunday, which tied them to “Lace Tempest,” the name the company’s researchers use for a threat actor that runs the Clop ransomware extortion site. Separately, Mandiant found that the tactics, techniques and procedures used in the attacks matched those of a group it tracks as FIN11, which has previously deployed the Clop ransomware.

Clop is the same threat actor that mass-exploited CVE-2023-0669, a critical vulnerability in another file transfer product known as GoAnywhere. That hacking spree allowed Clop to steal data from data security company Rubrik, obtain health information on about a million patients from one of the largest US hospital networks, and (according to Bleeping Computer) take credit for hacking 130 organizations. Research by security firm Huntress also found that the malware used in the attacks exploiting CVE-2023-0669 has indirect links to Clop.

So far, no known victims have received ransom demands, and Clop’s extortion site has not listed any of the affected organizations. “If the intent of this operation is extortion,” Mandiant researchers wrote, “we expect that affected organizations may receive extortion emails in the coming days or weeks.”
