To say that June has been a bad month for the global cybersecurity community wouldn’t begin to account for the chaos and damage done by a Russian-linked ransomware group known as Clop, in what U.S. cyber agency officials are calling an unprecedented hacking spree.
Clop began exploiting a zero-day vulnerability in the MOVEit Transfer system on May 27. Although it claimed to breach multiple companies’ servers with this vulnerability, it did not immediately extort the victims, sticking with several localized attacks against smaller organizations.
The group quickly upped the ante when it compromised employee data at the BBC and British Airways in the first week of June, while also attacking several U.S. federal and state government agencies. That same week, Clop also claimed to have deleted data belonging to governments and the military, without explaining why. The FBI and CISA released a joint Cybersecurity Advisory (CSA) on June 7 describing the Clop ransomware group’s known tactics, techniques and procedures (TTPs).

Clop’s rapid-fire extortion threats only added to the urgency that tech firms, corporations and government agencies from the U.S. to Canada and the UK have been forced to address. As of June 19, according to Progress Software, the maker of MOVEit, the vulnerability is fixed in MOVEit Transfer versions 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7) and 2023.0.3 (15.0.3). The flaw was being exploited in the wild before Progress had a fix available.
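A practitioner acting on that list needs to compare each installed build against it. The helper below is added here as an example and is not Progress tooling or code from the article; it encodes the fixed releases exactly as listed above and reports whether a reported version string, in either the product-year form (2022.1.5) or the build-number form Progress gives in parentheses (14.1.5), is at or above the fixed release for its branch. Builds on a branch with no fixed release listed are treated as unpatched, and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

Build = Tuple[int, int, int]

# Fixed releases as listed in the article (June 19 status), keyed by build branch.
# Progress names each release two ways, e.g. 2022.1.7 (14.1.7); both forms are recorded.
FIXED_BUILDS = {
    (13, 0): (13, 0, 8),  # 2021.0.8
    (13, 1): (13, 1, 6),  # 2021.1.6
    (14, 0): (14, 0, 6),  # 2022.0.6
    (14, 1): (14, 1, 7),  # 2022.1.7
    (15, 0): (15, 0, 3),  # 2023.0.3
}
PRODUCT_TO_BUILD_BRANCH = {
    (2021, 0): (13, 0), (2021, 1): (13, 1),
    (2022, 0): (14, 0), (2022, 1): (14, 1),
    (2023, 0): (15, 0),
}

_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_build(version: str) -> Optional[Build]:
    """Normalise '14.1.5', '2022.1.5' or '2022.1.5 (14.1.5)' to a build tuple.

    Returns None when no x.y.z is present, or when a product-year version has
    no branch in the table above (for example a pre-2021 release).
    """
    triples = [tuple(int(n) for n in m.groups()) for m in _TRIPLE.finditer(version)]
    if not triples:
        return None
    # Prefer an explicit build number (first component well below 2000) when present.
    for major, minor, patch in reversed(triples):
        if major < 2000:
            return (major, minor, patch)
    year, minor, patch = triples[0]
    branch = PRODUCT_TO_BUILD_BRANCH.get((year, minor))
    return (branch[0], branch[1], patch) if branch else None


def _fmt(b: Build) -> str:
    return ".".join(str(n) for n in b)


def is_patched(version: str) -> Tuple[bool, str]:
    """Return (patched?, reason) for one self-reported version string."""
    build = parse_build(version)
    if build is None:
        return False, f"unrecognised version {version!r}; verify manually"
    fixed = FIXED_BUILDS.get(build[:2])
    if fixed is None:
        return False, f"build {_fmt(build)} is on a branch with no fixed release listed; treat as unpatched"
    if build >= fixed:
        return True, f"build {_fmt(build)} is at or above fixed release {_fmt(fixed)}"
    return False, f"build {_fmt(build)} is below fixed release {_fmt(fixed)}; upgrade required"


if __name__ == "__main__":
    # Constructed inventory of hostnames and self-reported versions (not real hosts).
    inventory = {
        "mft-01.example.internal": "2022.1.5 (14.1.5)",
        "mft-02.example.internal": "14.1.7",
        "mft-03.example.internal": "2023.0.3",
        "mft-legacy.example.internal": "12.1.3",
    }
    for host, ver in inventory.items():
        ok, why = is_patched(ver)
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {why}")
```

Because the flaw was exploited before a fix existed, a passing check only says a host is no longer exposed to the patched issue; it says nothing about whether that host was already breached, which is a separate forensic question.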
“File transfer solutions are designed to help make sensitive file sharing easier and ensure compliance. These are not the only solutions out there, so we anticipate that Clop will continue to seek out zero-day vulnerabilities in other file transfer solutions. It would behoove those organizations that produce such products to conduct security audits of their software to identify vulnerabilities before attackers do. Just as we plan for natural disasters, organizations should have a ransomware preparedness plan in place so they can adequately respond to ransomware attacks."
Full-Blown Cyber War?
While putting this report together, SecurityInfoWatch editors questioned industry experts on whether the campaign signals a cyber war. “There’s no immediate indication pointing to a cyber war. All Western nations have been subject to hybrid warfare -- extending to cyber warfare -- in recent years, and other countries have also been victims of the MOVEit breach,” says Tyler Sullivan, a Senior Security Consultant with NetSPI.
For example, he notes, BBC and others in the UK have disclosed breaches. “While activity has increased over the last 18 months, it doesn’t indicate a precursor to a full-blown cyber war. These attacks occurred long before the invasion and will likely occur long after,” he concludes.
Sullivan adds that activity from Russian-speaking threat actors has been a constant for years, even before the Ukraine invasion. FIN7, the crew allegedly responsible for the MOVEit attacks, is part of a long history of Russian-speaking threat actors in cyberspace. Furthermore, Sullivan points out, cyber gangs have rarely discriminated among their targets, and he expects they will go after anyone they find vulnerable to their exploits.
“That said, there has been a trend of increased attacks against those supporting Ukraine. While it can’t be said for sure that there is a direct correlation, the MOVEit attacks could be part of that trend,” he says.
Eric Foster is a 25-year cybersecurity professional and is currently the Vice President of Business Development for Stairwell. He says it is important to understand that the Russian government isn’t directly carrying out the attack; rather, it is the work of a criminal group with Russian links (e.g., a criminal enterprise operating in Russia).
“It’s an important distinction,” Foster says. “This isn’t an escalation of cyberwar between Russia and the U.S. It’s yet another attack from cyber criminals, many of which happen to operate out of eastern Europe.”
Foster also doesn’t see a correlation between these attacks on U.S. entities and aid going to Ukraine. Clop, also known as ‘Lace Tempest,’ is a criminal enterprise that has done this exact type of attack several times before and will do this until they are brought to justice, he says.
“The threat actor has used similar vulnerabilities in the past to steal data and extort victims - most notably the Accellion File Transfer Appliance vulnerability.”
Erich Kron, a security awareness advocate at KnowBe4, shares the mindset of his colleagues that direct attacks on U.S. government entities are not a smart strategy.
“If this was one of the Clop affiliates, it is a very brazen move, as it is likely to draw some serious attention from the federal government. Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the U.S. government and its allies. Some significant cybercrime groups have fallen after they became a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams.”

How Worrisome is This Attack?
In judging the scope of the Clop campaign, along with the current view of the geopolitical landscape and the alleged nationality of the major affiliation behind the campaign, this operation signals a major escalation in the hostilities of ongoing cyber warfare, says Colin Little, a Security Engineer at Centripetal.
“What's worse, I believe this campaign has the strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare, but the geopolitical landscape as well," he adds. “Unlike other industry verticals, the U.S. federal government and other governments worldwide that have been breached may be permitted to deploy more offensive cyber resources than, say, a university or a hospital.”
The timeline for these attacks has been calculating and relentless. As reported by risk management and resilience consulting firm Flashpoint based in Washington, D.C., the hackers quickly identified weaknesses in the MOVEit software and went in for the kill.
On May 31, Progress Software publicly disclosed the vulnerability and released an initial patch, along with recommended remediation steps. Additional vulnerabilities affecting MOVEit have since been discovered.
On June 5, Zellis UK, a payroll and HR solutions provider, confirmed that it had been compromised by the vulnerability. The attack on Zellis directly led to the compromise of several other organizations within its supply chain.
A day later, Clop officially claimed credit for exploiting the MOVEit vulnerability. Clop also claimed to have deleted any data related to governments, military and children’s hospitals. However, several U.S. federal agencies and government contractors are known to have been affected by the recent Clop ransomware attack.
The following day, June 7, the FBI and CISA released a joint Cybersecurity Advisory (CSA) describing the Clop ransomware group’s known tactics, techniques and procedures (TTPs). Less than a week later, Clop began to publish its list of victims.
Avishai Avivi, the CISO of SafeBreach, explains that the Clop ransomware group has leveraged yet another vulnerability in a Managed File Transfer (MFT) system. The SQL injection vulnerability in MOVEit is different from the one Clop exploited in GoAnywhere (an unsecured administrative interface), but both allow an unauthenticated user to leverage the vulnerability and gain privileged access to data stored on the servers.

“This is a playbook that works well for Clop. Once they verified the vulnerability, they immediately started looking for additional systems to attack. It’s important to note that Clop doesn’t seem to care about the type of victim, as long as they can successfully breach them. They’ve attacked health organizations, financial organizations, utility companies, universities and even government agencies,” Avivi says.
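The mechanism Avivi describes, an unauthenticated request turning an injectable query into access to every stored file, is shown below as an added generic illustration. It is not MOVEit’s code and not from the article; the actual vulnerable code path in MOVEit is not described on this page. A hypothetical file-listing function that splices an attacker-controlled folder name into SQL sits beside its parameterised form, and the `files` table, the sample rows and the `guest` account are all constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for an MFT server's file index (not real data).
SAMPLE_FILES = [
    ("alice", "payroll_2023.csv", "hr"),
    ("bob", "q2_forecast.xlsx", "finance"),
    ("carol", "patient_list.pdf", "clinical"),
]

# Classic tautology payload supplied where a folder name is expected.
PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database holding a hypothetical `files` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, folder TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name, folder) VALUES (?, ?, ?)", SAMPLE_FILES
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str, folder: str) -> list:
    """Injectable: request parameters are spliced straight into the SQL text.

    With PAYLOAD as `folder` the WHERE clause becomes
        owner = 'guest' AND folder = 'x' OR '1'='1'
    and because AND binds tighter than OR, the trailing tautology matches every
    row regardless of who owns it.
    """
    sql = f"SELECT name FROM files WHERE owner = '{owner}' AND folder = '{folder}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_hardened(conn: sqlite3.Connection, owner: str, folder: str) -> list:
    """Parameterised: the driver binds the values, so quotes in `folder` are data, not syntax."""
    sql = "SELECT name FROM files WHERE owner = ? AND folder = ?"
    return [row[0] for row in conn.execute(sql, (owner, folder))]


def demo() -> dict:
    """Run both variants as an unprivileged 'guest' that owns no files."""
    conn = build_db()
    try:
        return {
            "vulnerable": sorted(list_files_vulnerable(conn, "guest", PAYLOAD)),
            "hardened": list_files_hardened(conn, "guest", PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    result = demo()
    print("vulnerable query leaked:", result["vulnerable"])  # every file on the server
    print("hardened query returned:", result["hardened"])    # nothing
```

The hardened variant only closes the injection; it does not address the second half of Avivi’s point, that files left sitting on an MFT server are what make such a leak valuable in the first place.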
He adds that while the customers who used MOVEIt and were breached by Clop are certainly the victims of a cyberattack, they do bear some of the responsibility. “It’s wrong to assume that just because a piece of software claims to be ‘secure’ that it is in fact secure. Customers must always validate that the software they use is secure and configured in a way that can protect against cyberattacks.”
For example, he says, MFT servers should only hang on to files for the minimal duration needed to transfer them from one location to another. “From the little information that’s currently available, it appears that Clop exfiltrated large amounts of data that was available on the servers themselves.”

Federal Agencies, DOJ Respond
The U.S. government has moved swiftly to help mitigate this broad-based attack, which has left many state and federal agencies that use the MOVEit software exposed, but officials remain unclear on just how many have been compromised. The FBI and CISA have released recommendations on how organizations should deal with the Clop hack, and Progress Software has been proactive in urging customers to update their software and has issued security advice.
In fact, last week the Justice Department announced the creation of a new National Security Cyber Section within its existing National Security Division. NatSec Cyber, established with approval from Congress, follows on the heels of Deputy Attorney General Lisa O. Monaco’s Comprehensive Cyber Review, completed in July 2022.
"NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division in an agency press release.
“This new section will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.”
The National Security Cyber Section will increase the Justice Department’s capacity to disrupt and respond to malicious cyber activity while promoting intragovernmental partnerships in tackling increasingly sophisticated and aggressive cyber threats by hostile nation-state adversaries.
NatSec Cyber will bolster collaboration between key partners, including the Criminal Division’s Computer Crimes and Intellectual Property Section (CCIPS) and the FBI’s Cyber Division, and will serve as a valuable resource for prosecutors in the 94 U.S. Attorneys' Offices and 56 FBI Field Offices across the country.
“Responding to highly technical cyber threats often requires significant time and resources,” U.S. Assistant Attorney General Olsen says. “NatSec Cyber will serve as an incubator, able to invest in the time-intensive and complex investigative work for early-stage cases.”
The DOJ made it clear that this new initiative builds upon recent successes in identifying, addressing and eliminating national security cyber threats, including the charging of an alleged cybercriminal with ransomware attacks against U.S. critical infrastructure and disruption of the Russian government’s premier cyberespionage malware tool.
Where Do We Go From Here?
As with every large-scale and well-publicized cyber

“... And there are various advanced technology solutions for enhancing detection and response capabilities -- such as solutions that augment defenders’ capabilities with automation, machine learning, or artificial intelligence -- or deception technologies that can both fool attackers and alert defenders.”
Foster adds that he believes cybersecurity is always going to be an ongoing battle; and requires a combination of people, processes, and technology that work together to enhance enterprises' abilities to detect and respond to advanced threats.
“Ultimately, it requires constant vigilance,” he stresses.
Kron concludes that having a patching strategy and keeping vulnerable devices updated with the latest security updates is critical, even for those that aren’t directly connected to the Internet.
“In addition, groups like Clop love to use social engineering tactics to get the initial network access, so a well-developed employee security awareness program that teaches employees how to spot and report phishing emails and other social engineering attempts quickly and efficiently can have a huge impact on the organization’s security posture,” Kron explains.
“One of the biggest pieces of leverage used by ransomware or extortion groups to get their money is the data they’ve stolen. Ensuring that access to the data is limited only to people who require it, and using data loss prevention controls to watch for data moving to unusual places, are important technical controls that should also be in place.”
About the author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated web portal SecurityInfoWatch.com.