
Mass exploitation of critical MOVEit flaw is the looting of organizations large and small


    Organizations large and small are falling prey to the mass exploitation of a critical vulnerability in a widely used file transfer program. Exploitation began during the Memorial Day holiday, while the critical vulnerability was still a zero-day, and is still continuing some nine days later.

    As of Monday night, payroll service Zellis, the Canadian province of Nova Scotia, British Airways, the BBC and British retailer Boots were known to have had data stolen in the attacks, which were fueled by a recently patched vulnerability in MOVEit, a file transfer product offered as both a cloud service and an on-premises installation. Nova Scotia and Zellis each had their own MOVEit instances breached; British Airways, the BBC and Boots were customers of Zellis. All of the hacking activity has been attributed to the Russian-speaking Clop crime syndicate.

    Widespread and quite substantial

    Despite the relatively small number of confirmed breaches, researchers monitoring the ongoing attacks describe the exploitation as widespread. They liken the hacks to smash-and-grab robberies, where a window is broken and thieves take whatever they can get their hands on, and warn that the high-speed heists have hit banks, government agencies and other targets in alarmingly high numbers.

    “We have a handful of customers who ran MOVEit Transfer open on the Internet and they were all compromised,” Steven Adair, president of security firm Volexity, wrote in an email. “Other people we’ve talked to have seen similar things.”

    Adair continued:

    I don’t want to categorize our customers at this point as I don’t know what all is out there in terms of who runs the software and gives them away. But that said, it is organizations both large and small that have been affected. The cases we investigated all involved some degree of data exfiltration. The attackers typically grabbed files from the MOVEit servers within two hours of exploitation and shell access. We think this was probably widespread and quite a large number of MOVEit Transfer servers running internet-facing web services had been compromised.

    Caitlin Condon, a senior manager of security research who leads the research arm of security firm Rapid7, said her team normally reserves the term “widespread threat” for events involving “many attackers, many targets.” The ongoing attacks have neither. So far, there is only one known attacker: Clop, a Russian-speaking group that is among the most prolific and active ransomware actors. And with the Shodan search engine indexing only 2,510 Internet-facing MOVEit instances when the attacks began, it’s fair to say there aren’t “many targets” relatively speaking.

    In this case, however, Rapid7 makes an exception.

    “We don’t see commodity threat actors exploiting or low-skilled attackers here, but the exploitation of available high-value targets globally across a wide range of organization sizes, industries and geolocations is decisive for us in classifying this as a widespread threat,” she explained in a text message.

    She noted Monday was only the third working day since the incident became public knowledge and many victims are only now learning that they have been compromised. “We expect a longer victim list to emerge over time, especially as regulatory reporting requirements come into play,” she wrote.

    Independent researcher Kevin Beaumont, meanwhile, said on social media on Sunday night, “I’ve been following this – there’s a double-digit number of organizations that have had data stolen, including multiple U.S. government and banking organizations.”

    The MOVEit vulnerability is a SQL injection flaw, one of the oldest and most common exploit classes. Often abbreviated as SQLi, these vulnerabilities usually stem from a web application’s failure to adequately scrub queries and other user inputs of characters that the database might interpret as part of a command. By entering specially crafted strings into vulnerable web fields, attackers can trick a web app into returning confidential data, granting administrative system privileges, or subverting the way the app works.
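    To make the SQL injection mechanism concrete, the following is an added example written for this page; it is not code from MOVEit, Progress, or any of the researchers quoted here, and the user table, the two lookup functions and the sample names are all constructed. It places a query that splices user input into the SQL text next to the same query written with parameter binding, which is the fix an application owner would want to see, and shows how the classic tautology input that defeats the first is treated as plain data by the second.

```python
import sqlite3

# Constructed sample data for the in-memory database.
CONSTRUCTED_USERS = [("alice", "a@example.test"), ("bob", "b@example.test")]


def build_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Defective pattern: the caller's string is spliced into the SQL text.

    A quote character inside `name` closes the literal, so the rest of the
    input becomes SQL syntax rather than data. This is the shape of bug the
    SQLi class describes, kept here only to contrast with the safe version.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: parameter binding hands the value to the driver
    separately from the statement, so it can never be parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report how many rows each leaks."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, name)),
        "safe_rows": len(lookup_safe(conn, name)),
    }


if __name__ == "__main__":
    # A legitimate lookup behaves identically under both implementations.
    print("alice:", compare("alice"))
    # The textbook tautology turns the WHERE clause into `name = 'x' OR '1'='1'`
    # in the vulnerable version and returns every row; the bound version
    # looks for a user literally named "x' OR '1'='1" and finds none.
    print("tautology:", compare("x' OR '1'='1"))
```

    The only difference between the two functions is where the value travels: inside the statement text or alongside it. Code review and static analysis rules that flag string formatting in SQL calls catch exactly the first shape.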

    Timeline

    According to a report published Monday by security company Mandiant, the first signs of Clop’s exploitation were observed on May 27. In some cases, data theft occurred within minutes of the installation of a custom web shell tracked as LEMURLOOT, the researchers said. They added:

    Mandiant is aware of multiple cases where large amounts of files have been stolen from victims’ MOVEit transfer systems. LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims store device data in Azure Blob storage, though it is unclear whether theft is limited to data stored in this way.

    The web shell is disguised with file names such as “human2.aspx” and “human2.aspx.lnk” in an attempt to impersonate human.aspx, a legitimate part of the MOVEit Transfer service. Mandiant also said it “observed several POST requests to the legitimate guestaccess.aspx file before interacting with the LEMURLOOT web shell, indicating that SQLi attacks targeted that file.”
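    The two observables Mandiant describes in the paragraph above, requests for the impostor file names and POST requests to guestaccess.aspx shortly before them, can be checked for in IIS web logs. The script below is an added example written for this page, not tooling from Mandiant, Progress or any other party named here. It assumes IIS W3C extended logging with the field order given in the constructed `#Fields` header (real servers may log a different set of fields, which is why the parser reads the header rather than hard-coding positions), and the log lines and IP addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log in IIS W3C extended format. The field order is an
# assumption for this example; the parser takes it from the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2023-05-27 10:01:02 GET /human.aspx - 198.51.100.7 Mozilla/5.0 200
2023-05-27 10:03:15 POST /guestaccess.aspx - 203.0.113.9 python-requests/2.28 200
2023-05-27 10:03:16 POST /guestaccess.aspx - 203.0.113.9 python-requests/2.28 200
2023-05-27 10:04:40 GET /human2.aspx - 203.0.113.9 python-requests/2.28 200
2023-05-27 11:30:00 GET /human.aspx - 198.51.100.8 Mozilla/5.0 200
"""

# File names the article reports the web shell being disguised as.
SUSPECT_PATHS = {"/human2.aspx", "/human2.aspx.lnk"}
# Legitimate page that Mandiant saw receiving POST requests before shell use.
SQLI_TARGET = "/guestaccess.aspx"
# Look-back window for correlating those POSTs with a later shell request.
WINDOW = timedelta(hours=2)


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def find_indicators(text):
    """Return one finding per request for a suspect path, with a count of
    POSTs to guestaccess.aspx from the same client IP in the preceding window."""
    posts_by_ip = {}
    findings = []
    for row in parse_w3c(text):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        path = row["cs-uri-stem"].lower()
        if row["cs-method"].upper() == "POST" and path == SQLI_TARGET:
            posts_by_ip.setdefault(ip, []).append(ts)
        if path in SUSPECT_PATHS:
            prior = [t for t in posts_by_ip.get(ip, []) if ts - WINDOW <= t <= ts]
            findings.append({
                "time": ts.isoformat(),
                "ip": ip,
                "path": path,
                "preceding_posts": len(prior),
                # Any hit on the impostor name is worth a look; a preceding
                # POST burst from the same client matches the reported chain.
                "severity": "high" if prior else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f)
```

    A request for human2.aspx is a strong indicator on its own, since the file has no legitimate reason to exist; the POST correlation mainly helps triage which client to pivot on first. The log check complements, and does not replace, a direct look for the file in the MOVEit web root.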

    On May 31, four days after the initial attacks began, MOVEit provider Progress patched the vulnerability. Within a day, posts surfaced on social media reporting that the vulnerability was exploited by a threat actor who installed a file called human2.aspx in the root directory of vulnerable servers. Security firms soon confirmed the reports.

    Formal attribution of the attacks to Clop came from Microsoft on Sunday, which linked them to “Lace Tempest”, the name researchers at the company use to track a ransomware operation that maintains the extortion website for the Clop ransomware group. Mandiant, meanwhile, found that the tactics, techniques, and procedures used in the attack matched those of a group tracked as FIN11, which has deployed the Clop ransomware in the past.

    Clop is the same threat actor that massively exploited CVE-2023-0669, a critical vulnerability in another file transfer service known as GoAnywhere. That campaign allowed Clop to breach data security firm Rubrik, obtain health information for a million patients from one of the largest hospital chains, and (according to Bleeping Computer) take credit for hacking 130 organizations. Research from security firm Huntress has also confirmed that the malware used in intrusions exploiting CVE-2023-0669 had indirect links to Clop.

    So far, there have been no reports of victims receiving ransom demands, and Clop’s extortion site has said nothing about the attacks. “If the purpose of this operation is extortion,” Mandiant researchers wrote, “we expect victim organizations to receive extortion emails in the coming days to weeks.”