Organizations worldwide, both large and small, are falling victim to a mass exploitation of a critical vulnerability in a widely used file-transfer program. The attacks, carried out by the Russian-speaking Clop crime syndicate, have resulted in data breaches at prominent companies and government agencies. Despite the relatively small number of confirmed breaches, security experts warn that the exploitation is widespread and rapidly spreading, affecting banks, government agencies, and various targets across different industries. This article delves into the details of the attacks, the impact on affected organizations, the nature of the vulnerability, and the potential for further victim disclosures and extortion attempts.
The exploitation began over the Memorial Day holiday, when the flaw was still an unpatched zero-day, and has continued for more than nine days, causing significant concern within the cybersecurity community.
Notably, renowned entities such as Zellis (a payroll service), the Canadian province of Nova Scotia, British Airways, the BBC, and UK retailer Boots have all experienced data breaches due to these ongoing attacks. The common factor behind these breaches is the exploitation of a recently patched vulnerability in MOVEit, a versatile file-transfer provider offering both cloud and on-premises services. Nova Scotia and Zellis had their own instances or cloud services breached, while British Airways, the BBC, and Boots were customers of Zellis. The Clop crime syndicate, a Russian-speaking group, has been identified as the orchestrator of these hacking activities.
Although the number of confirmed breaches remains relatively small, researchers closely monitoring these attacks describe the exploitation as widespread. They liken the hacks to smash-and-grab robberies, where intruders quickly seize whatever valuable data they can before making a swift exit. Disturbingly, the targets of these attacks span various sectors, including banks, government agencies, and other organizations.
Steven Adair, President of security firm Volexity, revealed that several customers running MOVEit Transfer with open Internet access were compromised. Adair added, “Other individuals we have spoken to have encountered similar incidents.” Caitlin Condon, Senior Manager of Security Research at Rapid7, expressed that her team typically reserves the term “widespread threat” for situations involving multiple attackers and numerous targets. However, given the exploitation of high-value targets across diverse organizations worldwide, Rapid7 made an exception in this case, categorizing it as a widespread threat.
Condon pointed out that it was only the third business day since the incident became widely known, and many victims may still be unaware of their compromised status. As time progresses and regulatory requirements for reporting take effect, it is expected that a longer list of victims will come to light.
Independent researcher Kevin Beaumont also disclosed via social media that a double-digit number of organizations, including US government entities and banking organizations, have experienced data theft. This underscores the severity and scope of the attacks.
The vulnerability in MOVEit stems from a security flaw enabling SQL injection, a common and longstanding method of exploitation. SQL injection vulnerabilities occur when web applications fail to properly sanitize user input, allowing attackers to manipulate queries and retrieve confidential data, gain administrative privileges, or manipulate application behavior.
According to a post published by security firm Mandiant, the Clop exploitation spree began on May 27, with data theft occurring within minutes of the installation of a custom webshell known as LemurLoot. Mandiant’s researchers noted that significant volumes of files had been stolen from victims’ MOVEit Transfer systems. The webshell was deployed under filenames such as “human2.aspx” and “human2.aspx.lnk,” chosen to masquerade as “human.aspx,” a legitimate component of the MOVEit Transfer service. Mandiant also observed SQL injection attacks against the legitimate “guestaccess.aspx” file before the attackers interacted with the LemurLoot webshell.
On May 31, four days after the initial attacks, MOVEit provider Progress patched the vulnerability. Around the same time, reports emerged on social media that threat actors were actively exploiting the vulnerability and installing a file named “human2.aspx” in the root directory of vulnerable servers. Security firms subsequently verified these reports.
MOVEit officials issued a statement acknowledging that as soon as they discovered the vulnerability, they promptly launched an investigation and informed their customers about the issue, providing them with mitigations to enhance their security. Within 48 hours, the company’s engineers disabled web access to the MOVEit cloud service, developed a security patch, and made it available to customers. They also applied the patch to the cloud implementation.
In their ongoing efforts to address the situation, MOVEit is collaborating with leading cybersecurity experts, engaging with federal law enforcement agencies, and taking comprehensive measures to combat the increasingly sophisticated tactics employed by cybercriminals. The company remains committed to securing widely used software products and actively participating in industry-wide initiatives to safeguard organizations from malicious exploits.
Formally attributing the attacks to the Clop group, Microsoft named the operation “Lace Tempest” and tied it to a ransomware campaign connected to the Clop ransomware group. Mandiant’s investigation also found similarities between the attackers’ tactics, techniques, and procedures and those of FIN11, a group that has previously deployed Clop ransomware.
As of now, there have been no reports of victims receiving ransom demands. The Clop extortion site has remained silent about these specific attacks. However, Mandiant researchers anticipate that victim organizations may receive extortion emails in the coming days or weeks if the ultimate goal of this operation is extortion.
The incident timeline highlights the urgency and speed with which organizations must respond to critical vulnerabilities. MOVEit’s swift response in developing a patch and actively assisting customers demonstrates the importance of proactive cybersecurity measures and collaboration among stakeholders.
The widespread exploitation of the critical vulnerability in the widely used file-transfer program has posed significant challenges for organizations of all sizes. The activities orchestrated by the Clop crime syndicate have targeted valuable data across various industries, raising concerns within the cybersecurity community. The incident serves as a reminder of the ongoing threat landscape and the need for robust security measures to mitigate potential risks. Organizations must remain vigilant, promptly address vulnerabilities, and collaborate with industry experts to protect their valuable data and systems from ever-evolving cyber threats.