The first rumblings of the MOVEit vulnerability began a little over a week ago, as payroll provider Zellis confirmed that it was the source of a breach that in turn compromised a number of its own clients. At the time, there was speculation that the vulnerability may have been exploited to penetrate many more organizations.
Confirmation of this appears to have come from ransomware gang Cl0p, which posted a list of the victims it has been racking up since sometime in May. Among what it calls the “first batch” of its targets are both federal and state government agencies, major banks and investment firms, and universities. Many organizations are now scrambling to assess the damage, but some catastrophic breaches have already been revealed including the apparent exposure of nearly every driver’s license and Social Security number on file in Louisiana.
Cyber attack damage still being measured, but confirmed breaches already extensive
Cl0p appears to have been actively exploiting the MOVEit vulnerability to hit as many victims as possible since at least mid-May, but there are now indications that it has been aware of the flaw since 2021 and has been experimenting since then with how best to run a campaign with it.
Eric Foster, VP of Business Development at Stairwell, elaborates on the technical specifics of the cyber attack: “The vulnerability being exploited in MOVEit’s software allows for remote code execution (RCE) in a potentially privileged context. It serves as a hidden backdoor that cyber criminals can use to slip into and seize control of a computer. They pull this off by injecting malicious code into the database input fields on the web page, a method known as ‘SQL injection.’ Once inside, they can plunder any data the compromised computer can access and use this computer as a launch pad to delve deeper into the organization. The actors behind this mass data-extortion attempt are also known for deploying ransomware within compromised environments, so it is worth ensuring that any redundant access or evidence of pivoting post-exploitation is investigated and remediated.”
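To make the class of flaw Foster describes concrete, here is a generic illustration of SQL injection added to this article. It is constructed example code, not MOVEit Transfer code and not the exploit used in this campaign: a lookup that splices user-supplied text straight into a query is shown beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table, so the reader can see how one crafted input rewrites the query’s logic in the first case and is treated as inert data in the second.

```python
"""
Generic SQL injection demonstration (constructed example; not MOVEit code
and not the MOVEit exploit). A user lookup built by string formatting is
compared with the same lookup using a bound parameter.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("sysadmin", "admin")],
    )
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Attacker-controlled text becomes part of the SQL statement itself."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The value is passed to the driver separately and cannot change the
    query structure, whatever characters it contains."""
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed payload: closes the string literal, appends an always-true
# condition for the admin row, and comments out the original closing quote.
PAYLOAD = "nobody' OR role = 'admin' --"


def demo() -> dict:
    """Run both lookups with a normal value and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_role_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_role_vulnerable(conn, PAYLOAD),
        "parameterized_normal": lookup_role_parameterized(conn, "sysadmin"),
        "parameterized_payload": lookup_role_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

Against the vulnerable function the payload returns the admin row even though no user named “nobody” exists; the parameterized function returns nothing for the same input, because the database engine compares the whole string literally. In a real application the same structural change to a query is what lets an attacker read or modify arbitrary tables, and, where the database server offers such facilities, reach code execution as Foster describes.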
The ransomware gang may well have sat on the vulnerability for over a year to avoid tipping off security researchers, as the current victim list (apparently still not complete) indicates how lucrative it is. MOVEit has been a popular managed file transfer system with all sorts of large organizations for over two decades, somewhat ironically due to its reliability and strong file encryption features.
Amit Yoran, CEO of Tenable, notes that Cl0p has a reputation for this exact thing that stretches back years now: “The Clop ransomware gang has focused on exploiting file transfer technologies for years and has had widespread success exploiting a known MOVEit flaw for weeks now. While we don’t know the full extent of the attack on U.S. government agencies, it’s clear that even now many organizations still need to plug holes in their software applications to avoid becoming the next victim. Cybercriminals and nation states alike feast on known vulnerabilities and sloppy hygiene practices that leave organizations unnecessarily at risk. Unrelenting focus on identifying issues, prioritizing them and remediating them makes a world of difference.”
Progress Software, the developer of MOVEit, disclosed the vulnerability on the last day of May and urged all customers to quickly update their software. The first inkling of this vulnerability being exploited came in early June, when UK payroll provider Zellis confirmed it was the entry point for a cyber attack that saw data stolen from a number of its clients (British Airways, the BBC and Aer Lingus among them). However, many more companies make use of MOVEit, and the attackers had been actively exploiting the vulnerability prior to public knowledge of it.
Confirmation of another MOVEit compromise by the provincial government of Nova Scotia quickly led to speculation about how many more victims might be out there.
Cl0p says that the list is long, but it is not revealing the full extent of the damage just yet. What it has revealed has been enough to cause a cybersecurity emergency to be declared. The headline item thus far is the state of Louisiana’s Office of Motor Vehicles, which has confirmed that the records of all of the state’s drivers have been exposed in a cyber attack. The state government confirmed that about six million records were stolen, exceeding the total state population of about 4.6 million, which indicates that the records of former residents and of drivers whose licenses have since expired are very likely included as well. The exposed data covers not just license and registration information but possibly Social Security numbers too.
Federal government agencies were also hit by Cl0p cyber attacks, though the damage to these is still being assessed. The Department of Energy confirmed that two of its “entities” were hit, and U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s Executive Assistant Director for Cybersecurity Eric Goldstein said that “several” other agencies were receiving assistance.
The private sector appears to have been hit just as hard. That list is headed up by Shell, 1st Source, First National Bankers Bank, Putnam Investments, Datasite, ÖKK and Leggett & Platt among others. The higher education sector is also impacted: the University System of Georgia, National Student Clearinghouse and student health insurance vendor United Healthcare Student Resources are on the list.
Attackers may have stuck to data exfiltration to stay below radar
Though Cl0p is nominally a ransomware gang, one of the elements that jumped out about the Zellis cyber attack was that the victims were not reporting ransomware incidents. It appears Cl0p may have settled on simply exfiltrating data and holding it to ransom with threats of public leaks, an approach that may have allowed it to operate for a longer period without calling widespread attention to the vulnerability. Cl0p has also not contacted the victims of this campaign directly, instead addressing them only via its dark web site.
Cl0p has indicated that it used SHODAN or some similar tool to identify vulnerable public-facing MOVEit systems for the cyber attack campaign. Security researchers have found over 2,500 discoverable in this way, though it remains unclear how many are still unpatched. The majority of these systems are in the United States, and Ilkka Turunen (Field CTO at Sonatype) believes that many more cyber attack disclosures are coming: “Exploiting widely-used software is a very easy way for motivated threat actors to successfully breach many organizations. This is very similar to Log4j in that regard. My guess is there are a lot of organizations using affected software still out there, but due to the United States lacking GDPR notice requirements, we just have yet to hear about them. I’ve said it before and I’ll say it again – companies, and government agencies, need to take care to know what software they are running and which components make up that software. It’s not acceptable to be willfully ignorant about where your software is vulnerable.”
Nick Rago, Field CTO at Salt Security, provides this advice to organizations concerned about potential compromise: “Given the severity of the vulnerability, MOVEit users should patch installations as soon as possible. Moreover, until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorized access. It is also a good reminder that many digital supply chains designed and deployed by organizations leverage third-party open source or commercial software packages and applications. That third-party software deployed in your environments is susceptible to the same attacks as in-house developed applications, and it should be protected with the same edge and runtime security technologies as you would use for in-house developed apps.”