
Connecting the Dots: Microsoft Traces MOVEit Attack to Cl0p as British Airways, BBC Fall


Microsoft links MOVEit zero-day exploitation to Cl0p ransomware outfit

On June 1, Progress Software released a patch for a zero-day vulnerability in its MOVEit file transfer programme, but researchers and potentially affected organisations have been trying to pick up the pieces. Hackers are believed to have exploited the vulnerability from as early as 27 May and analysis suggests that criminals had been scanning for the login page as early as March 2023. As of 2 June, Mandiant was treating the attackers as a potentially novel group with links to the FIN11 cybercrime gang, and a tweet from Microsoft on 4 June attributed the attacks to Lace Tempest, also a Clop affiliate. The tweet read “Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site”.

Victims and responses

Notable victims of the attacks have begun coming to light, including the government of Nova Scotia and UK payroll company Zellis, with some of its high-profile clients such as Boots, the BBC and British Airways listed as affected companies. John Hammond, a senior security researcher for Huntress, anticipates the next move will be extortion of victims who have experienced data theft and advises existing customers to not only patch, but also thoroughly audit their system logs. Companies that traffic sensitive data with these services will need to find a longer-term solution to what’s turning out to be an endemic problem, warned Hammond.

File-transfer services under threat

This is merely the latest in a string of similar cyberattacks against file-transfer services by the Cl0p ransomware outfit. The vulnerability of file-transfer services was highlighted in the recent swarm of cyberattacks against products such as IBM’s Aspera Faspex and Fortra’s GoAnywhere. Unfortunately, companies that traffic sensitive data with these services remain vulnerable to the cyber threat.

Advice

As a bare minimum, it is imperative for customers to not only patch but also ensure that any web shells are removed and deleted before they can be used in follow-on attacks. A longer-term solution to protect against data breaches will also be vital for companies that traffic sensitive data through file-transfer services. Reducing software that is not needed or applications that could be handled in a better, more modern way is a good strategy, offered Hammond. In the face of these cyberattacks, companies must be vigilant in ensuring the security of their systems to protect themselves and their clients against data theft.

Internet security and a philosophical discussion on data privacy

As the use of file transfer services continues to increase, so too does the risk of cyberattacks. On the internet, there is no such thing as guaranteed security, and even the most secure infrastructure will have vulnerabilities that can be exploited. In light of this fact, adopting a philosophy of privacy over security may be a better approach for individuals and organizations alike. In a world where data is increasingly valuable, it falls to individuals and organizations to safeguard their data. While cybersecurity measures are certainly critical in protecting sensitive data, focusing on data privacy can create a culture of awareness that helps to prevent data breaches from occurring at all.

Editorial

Cyberattacks against file-transfer services show no signs of slowing down, with more companies becoming victims of attacks on a regular basis. While patching and reducing the attack surface can help, there is no way to completely eliminate the risk of cyberattacks. Companies handling sensitive data must adopt a philosophy of privacy to ensure that data breaches do not occur. As the value of data continues to increase, so too does the importance of protecting it. It is time for companies and individuals to take cybersecurity and data privacy seriously.
