The Cl0p Heist: Data Stolen in the MOVEit Zero-Day Attack Blitz

We have been closely following the Cl0p ransomware attacks, affecting dozens of organisations worldwide, and assisting clients worldwide with the fallout.

Attackers have exploited a SQL injection vulnerability in file sharing software MOVEit Transfer that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database to steal sensitive data such as personal and financial information (e.g., national identity numbers and credit card data of customers). The situation is unfolding rapidly.

The zero-day vulnerability was discovered on 31 May 2023 (CVE-2023-34362) and two more were discovered later. At this time, there is only evidence that CVE-2023-34362 (i.e. the first vulnerability) was exploited by the threat actors.  

Progress released patches for all three vulnerabilities by 16 June 2023 but the damage has been done. 

The threat actor has now published a list of compromised organisations on the dark web, spanning multiple jurisdictions and sectors including government, education, transportation, energy, technology, insurance and healthcare. That list is growing by the day.

What is concerning about this attack is that the breaches affect not only organisations that used MOVEit directly – but also those that had data transferred to or from MOVEit systems hosted by other file transfer providers. Even if you do not use MOVEit yourself, you may still be at risk.

Also, the modus operandi of the threat actor differs from other ransomware attacks; in that they have not sent ransom demands, but threatened to dump the data obtained by 14 June 2023 – seven days after the breach occurred – if they were not contacted. 

This is possibly due to the scale of these attacks and the vast amount of data stolen, as the threat actor itself is still taking time to consider how to maximise their gain from their operations.

As of 23 June 2023, around 16% of C10p’s claimed victims have had their data posted online, and we suspect the threat actor is likely to release data in stages.

We are monitoring the situation but in the meantime, organisations should take immediate precautions to protect any sensitive data.

If you are concerned about your potential exposure, consider the following steps:

• Check if you or any of your suppliers or partners has used MOVEit
• Apply all available patches for MOVEit vulnerabilities as soon as possible
• Restrict network access to MOVEit to only trusted IP addresses and entities, e.g., by using firewall rules and certificate-based access control
• Enable multi-factor authentication to prevent unauthorised access to MOVEit
• Consult specialist cyber forensic firms if necessary

These steps will be insufficient if sensitive data has already been exfiltrated from your network.

You will need to adopt a comprehensive approach and seek assistance in mitigating the breach and managing legal and reputation risks, as well as the prospect of regulatory enquiries or investigations or even claims.

Structuring approach to a cyberattack in a way that protects your interests, such as your legal privileges over communications and documents, is a sophisticated task which requires a highly concerted effort to handle multiple work streams simultaneously.

These include conducting a forensic investigation; preserving evidence; maintaining a detailed chronology; complying with notice and investigative requirements; and briefing insurance carriers.

Managing complex cyber security incidents requires assembling a team of professionals highly experienced in handling crisis situations with a strong collaborative culture. You don’t need to go at it alone.