On June 1, 2023, ReliaQuest published a blog highlighting a critical vulnerability in the file transfer software MOVEit. Just a few days later, on June 5, 2023, the Clop ransomware group claimed responsibility for a series of attacks exploiting the zero-day vulnerability, which is tracked as CVE-2023-34362. Clop claimed to have started exploiting the MOVEit vulnerability on May 27, 2023. The ransomware group also stated that it had not yet begun extorting victims. 

The situation changed on June 6, 2023, when Clop published a new post on its data-leak site, “>_CLOP^_-LEAKS” – the dark web page where it shares data belonging to victims who chose not to pay the requested ransom. In this post, Clop claimed to have stolen data from hundreds of organizations using the MOVEit flaw and instructed victims on how to enter extortion negotiations, setting a deadline of June 14, 2023. Clop promised that every impacted organization that does not contact it ahead of this date will see its data exposed on the data-leak site. Clop also stated that after 10 days of non-productive negotiation chats, victims’ data will be published.


Figure 1: Details of ransom negotiations for companies impacted by MOVEit vulnerability (Source: Clop’s data-leak site)

Why Should You Care?

MOVEit Transfer is a popular file-transfer tool used by many enterprises. The MOVEit vulnerability allows threat actors to escalate privileges and obtain unauthorized access to environments. Even before Clop’s responsibility claim, ReliaQuest had observed the vulnerability being actively exploited in the wild to exfiltrate data from companies operating in multiple sectors and geographies. As unpatched MOVEit servers remain exposed to the Internet, it is likely that exploitation will continue over the next few days by Clop and other threat actors. 

Clop’s unique strategy: Exploiting vulnerabilities in file transfer solutions

Clop is one of the most sophisticated and technically skilled ransomware groups currently operating. Unlike most criminal enterprises in this space, Clop has adopted a more advanced strategy when compromising its victims, often relying on the exploitation of zero-day vulnerabilities in popular enterprise file transfer solutions. Many other ransomware groups will often take the traditional route, which involves reconnaissance, gaining initial access, establishing a foothold, lateral movement, exfiltration, and encryption. This entire process can take groups over a week for a successful attack. Meanwhile, Clop can conduct these large-scale attacks affecting hundreds of organizations in just a few days. 

This latest attack showcases a new approach from Clop. For the first time ever, Clop posted on its data-leak site to announce its latest campaign and demanded that victims reach out to Clop to make ransom payments. There may be three main reasons for this change in tactics:

  • To increase the pressure on every organization using MOVEit versions vulnerable to CVE-2023-34362, even those that may not have been compromised by Clop. 
  • To save time on individual conversations with each victim, in the case that this attack hit a large number of victims. There were thousands of potentially vulnerable targets when Clop began this campaign. Clop could have compromised so many victims that it needs to take this approach to scale out its operations. 
  • To further publicize its malicious activities, increasing its reputation and notoriety in the cybercriminal underground. 

What Might Happen Next?

Right now, all eyes are on June 14, 2023. That’s the date Clop set as the deadline for impacted victims to contact them and begin negotiations for ransom payments to avoid being posted on Clop’s data-leak site. Of course, Clop may well be bluffing with its threats to expose victims’ data. However, as Clop itself said in its latest post on its data-leak site, Clop has been around for many years now and has often kept its promises (unfortunately). For example, Clop claimed to have breached hundreds of organizations using a GoAnywhere vulnerability in February 2023, and the group published close to 100 victims on its data-leak site the following month.

At this time, the names of the organizations compromised by Clop remain unknown. Clop also did not disclose how many victims were breached, unlike in its previous attacks, and this suggests that this campaign could have been larger than any other conducted by the group. Clop has repeatedly demonstrated that it can extort a large number of organizations at the same time. It is safe to assume it intends to do the same this time.

What To Do Next

ReliaQuest recommends that its impacted customers—along with every potential Clop victim—contact their legal teams for guidance on how to respond to Clop’s posting and execute Incident Response plans. 

  • Companies need to evaluate the files that are stored on their MOVEit solutions and any third-party MOVEit servers. Third Party Risk Management teams should reach out to key vendors to understand potential exposure. How sensitive is the data stored within these solutions? It could be the case for some victims that the data isn’t sensitive, and exposure is less of a risk. Given the primary use cases of Managed File Transfer (MFT) solutions, this is less likely and perhaps wishful thinking. Knowing what data is exposed will help inform decisions on how to proceed with Clop. Interacting with Clop and paying an extortion demand is a business decision that isn’t without risk. Although Clop is generally known to keep their word, enterprises must carefully consider how to move forward. Inside and outside counsel, senior leadership, the Board, public relations and, for some industries, regulators should all be a part of the decision on how to proceed. From an incident response point of view, every organization using vulnerable versions of the MOVEit software should assume that they have been compromised.
  • Any organization running a MOVEit Transfer version from before May 31st, 2023 is vulnerable and, if the server is publicly accessible, should be assumed compromised. Information has been released that MOVEit Transfer writes a Windows EVTX file located in C:\Windows\System32\winevt\Logs\MOVEit.evtx containing the event ID 0. The information contained in this log can be used to identify the specific data and how much of it was exfiltrated. This may also help with regulatory compliance standards where applicable; however, back up MOVEit Transfer and store this log data before applying any patches.
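
One way to carry out the log-preservation step above before patching, as an added example that is not part of the original article or any vendor tooling. The log path and event ID come from the article; the evidence directory and output file names are assumptions, and the event message text is exported unparsed for an analyst to review.

```powershell
# Added example: preserve MOVEit.evtx and extract event ID 0 records for triage.
$LogPath     = 'C:\Windows\System32\winevt\Logs\MOVEit.evtx'   # path from the article
$EvidenceDir = 'D:\IR\MOVEit'                                  # assumption: separate evidence volume

if (-not (Test-Path -LiteralPath $LogPath)) {
    throw "MOVEit event log not found at $LogPath"
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMddTHHmmss'
$copy  = Join-Path $EvidenceDir "MOVEit_$stamp.evtx"

# 1. Preserve: copy the log off the server path and record a hash of the copy,
#    so later analysis can be tied back to what was collected before patching.
Copy-Item -LiteralPath $LogPath -Destination $copy
$hash = Get-FileHash -LiteralPath $copy -Algorithm SHA256
"$($hash.Hash)  $copy" | Add-Content -Path (Join-Path $EvidenceDir 'sha256.txt')

# 2. Triage: read only event ID 0 from the preserved copy, oldest first.
#    Get-WinEvent raises a non-terminating error when nothing matches.
$events = @(Get-WinEvent -Path $copy -FilterXPath '*[System[(EventID=0)]]' `
                         -Oldest -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning 'No event ID 0 records found in the preserved log.'
    return
}

# 3. Export the raw records for review in a spreadsheet or SIEM.
$csv = Join-Path $EvidenceDir "MOVEit_event0_$stamp.csv"
$events |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# 4. Summarize volume per day so unusual spikes stand out. May 27, 2023 is
#    the date Clop claimed to have started exploiting the flaw.
$since = [datetime]'2023-05-27'
$events |
    Where-Object { $_.TimeCreated -ge $since } |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

Write-Host "Preserved copy: $copy"
Write-Host "Event ID 0 export: $csv ($($events.Count) records)"
```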

Even if you don’t use MOVEit’s software, there are actions you need to take: 

  • Given Clop’s history of targeting MFT solutions, we can confidently say that Clop will target similar solutions in the future. It is fundamental that organizations understand their MFT solution’s public footprint and do what they can to harden them. That includes restricting public access to authorized users, setting up firewall rules to exclude unknown IPs, and quickly applying software patches. Also, since Clop exploits zero-day flaws, effective detection and response are the best option for minimizing risks. Evaluate the logging capabilities of any MFT solution. Make sure that logging is enabled, and also ship those logs off to SIEMs or other storage so that in the event you need to hunt for malicious activity in the future, you have the data to do so. While you are at it, take this same approach for any of your Internet-facing services, as actors target these for initial access.
  • Organizations that haven’t conducted extortion tabletop exercises must do so. You don’t want to have to make a payment decision in the midst of an extortion attempt. Tabletop exercises should include both operational and leadership elements. Tactically, you can evaluate your ability to detect and respond to ransomware and extortion. Strategically, leadership can discuss the benefits and risks of paying extortion demands. Now is a good time for tabletop exercises as 2024 planning and budgeting activities are underway. Use the tabletop to inform your people, process, and technology needs heading into the new year.
  • If you don’t have a relationship with your local FBI Field Office, now would be a good time to establish one. The FBI might not be able to assist with data extortion, but in cases of ransomware, the FBI might be able to help unencrypt ransomed data.