Cl0ps MOVEit Campaign Represents a New Era in Cyberattacks

The ransomware group shows an evolution of its tactics with MOVEit zero-day — potentially ushering in a new normal when it comes to extortion supply chain cyberattacks, experts say.

The MOVEit file transfer zero-day vulnerability, first discovered on June 1, was used to breach at least 160 confirmed victims by June 30. The successful mass extortion campaign represents an evolution of tactics by the Russian-backed Cl0p ransomware group, which experts say is likely to catch the attention of rival threat actors.
Threat researchers note that the MOVEit campaign has some clues about how to respond to future of supply chain cyberattacks for defenders as well.
So far, the breached organizations include a whos who of international brands, like
Avasts parent company
,
British Airways
, Siemens, UCLA, and more. Reports say the ransomware group pulled off the technically detailed mass exploitation after at least
two years of careful development
, patiently plotting and planning when and where to strike, armed with the secret flaw in the
MOVEit file transfer software
.
Researchers note a few innovations Cl0p has made between previous exploits and the MOVEit campaign, which are likely to influence other threat groups.

For instance, Cl0p has streamlined the extortion business model by doing away with ransomware all together, John Hammond, Huntress security threat researcher explained to Dark Reading.
From what the industry has seen in [recent] Cl0p breaches (namely,
GoAnywhere MFT
and MOVEit Transfer), they havent executed ransomware within the target environments, Hammond says. The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion. Its not clear why they opted not to encrypt files.
While its not clear why Cl0p pivoted, the end result is a ransomware business model without the overhead of trying building better ransomware, he adds.
Perhaps other cybercrime gangs will follow suit, and the development of ransomware tooling and creating faster malware may fall to the way-side when adversaries can just focus on their real goal of making money, Hammond says.
All of that said, if making money was the primary motivation for the MOVEit cyberattacks, the group would have chosen a much simpler approach than investing the time and resources to discover and develop an exploit like the one in MOVEit.
John Fokker, head of threat intelligence with the Trellix Advanced Research Center explained to Dark Reading he thinks he has the answer: The group acquired the zero-day from a third party.
There are several aspects and factors of this particular cyberattack and vulnerability that are really interesting, John Fokker, head of threat intelligence with the Trellix Advanced Research Center explained to Dark Reading. The MOVEit vulnerability isnt an easy or straightforward one — it required extensive research into the MOVEit platform to discover, understand, and exploit this vulnerability. The skill set required to uncover and exploit this vulnerability isnt easily trained and is hard to come by in the industry.
He adds, devoting that level of detail to an operation isnt something
Cl0p ransomware
group usually does, which is another clue leading Fokker and his team to suspect Cl0p acquired the MOVEit zero-day vulnerability rather than developing it from scratch.
Its definitely a possibility that Cl0p didnt actually discover this zero-day vulnerability and exploit but rather acquired it from a third party, Fokker adds. We believe with moderate confidence that this was the case, based on what was mentioned above in addition to certain other elements of the attack and leak postings.
Stopping more sophisticated zero-day supply chain attacks requires investment in proactive efforts, including robust, responsive bug bounty programs funded by software vendors, notes Randy Pargman, director of threat detection with Proofpoint explains.
Theres a huge discrepancy between the amount of money that software vendors are willing to pay for bug bounties versus the amount that zero-day researchers can get from governments and underground markets for their research, so vendors could do better by investing more, Pargman says. Where software companies can still improve the most is in making it easier for bug bounty hunters to report issues, and treating researchers with respect.
But as Omkhar Arasaratnam, general manager of the Open Source Security Foundation says, what hes more concerned about are reports of panicked responses to the
MOVEit exploit
among cybersecurity professionals.
The cybersecurity community should focus on making incidents boring, Arasaratnam says. When paramedics arrive at an accident scene they do not run around frantically or in a panic. Paramedics deliberately, and stoically execute the procedures that theyve learned to gain access, assess the scene, triage, and help effectively. Cybersecurity can take a lesson from paramedics.

Last News
▸ Can Britain revive Snoopers Charter? ◂ Discovered: 26/12/2024 Category: security	▸ Thales secures deal for public services network. ◂ Discovered: 26/12/2024 Category: security	▸ Hacker Jeremy Hammond admits guilt anonymously. ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cl0ps MOVEit Campaign Represents a New Era in Cyberattacks