CyberSecurity SEE

Cl0p Takes Credit for MOVEit Attack: Learn How the Group Executed It


The Cl0p ransomware gang has taken credit for breaching Progress Software’s MOVEit file transfer program. The breach, which affected numerous million- and billion-dollar organizations throughout the Western world, was not only successful but also unusual in its simplicity. While researchers initially identified the MOVEit hackers as a new group, on June 4th Microsoft traced the attack to “Lace Tempest,” a group known for operating the Cl0p extortion website.

The Cl0p ransomware gang confirmed Microsoft’s theory about the attack on June 6th in an announcement to affected companies. The actors wrote in broken English, “THIS IS AN ANNOUNCEMENT TO EDUCATE COMPANIES WHO USE PROGRESS MOVEIT PRODUCT THAT CHANCE IS THAT WE DOWNLOAD A LOT OF YOUR DATA AS PART OF EXCEPTIONAL EXPLOIT.”

According to Vlad Mironescu, a threat intelligence analyst for Searchlight Cyber, the Cl0p connection is not surprising since the gang has been exploiting file transfer solutions for an extended period; they have attacked Accellion, SolarWinds, GoAnywhere, PaperCut, and now MOVEit. He said, “They are the masters of this kind of attack.”

What makes the MOVEit breach unexpected is how simple Cl0p’s successful attack was, as explained by John Hammond, senior security researcher for Huntress. After unpacking the CVE-2023-34362 vulnerability in MOVEit, Hammond demonstrated Cl0p’s attack for Dark Reading. He uploaded a GIF from the movie Madagascar with no permissions necessary, using straightforward SQL injection to masquerade as a guest user. From that foothold, an attacker can exfiltrate files, upload malware, or take any other action in the compromised MOVEit environment.

Although Cl0p made ample use of the LEMURLOOT web shell in its attacks, the web shell is not required for exploitation. After Hammond’s conversation with Dark Reading, Huntress produced a version of the demo exploit that used Meterpreter instead of LEMURLOOT; it escalated to system-level privileges on a virtual machine before deploying Cl0p ransomware.

Beyond the victims and the security community, some cybercriminals have expressed interest in the MOVEit attack, according to Mironescu. A Russian dark web user posted about wanting to purchase some of the stolen data. Other actors have expressed interest in the technical aspects of the breach, possibly in order to use them themselves.

Cl0p plans to name and shame victims who refuse to pay on June 14th, and may also monetize and share the stolen data. The group stated on June 6th, “WE ARE THE ONLY ONE WHO PERFORM SUCH ATTACK” and advised victims to “RELAX BECAUSE YOUR DATA IS SAFE.” That reassurance came with no explanation and was not very reassuring.
