Until early June, it’s likely that the only people who’d heard of Progress Software’s MOVEit file transfer platform were people working in IT departments.
Then news emerged that the platform and many of its large customer base had been successfully targeted by the Clop ransomware group and suddenly everyone had heard of it for the wrong reason.
MOVEit is the latest example of a platform lots of organizations depend on but nobody thinks about as long as it does its job without anyone noticing.
So, what went wrong in the Clop MOVEit attack and what does it reveal about the latest thinking in ransomware circles?
Made famous in IT circles by Ipswitch (acquired by Progress in 2019), MOVEit is a cloud and on-premises file transfer platform used to securely move files from one location to another.
This sounds dull but has over time become a critical function that needs to be carried out in a way that meets modern security and compliance standards.
Organizations transfer a lot of files—CRM, ERP, document management, and payroll systems depend on this type of platform, which is why MOVEit has become a market leader used by thousands of well-known companies, including a reported 1,700 software companies.
A Single Weakness Resulting in Multiple Targets
For attackers, this popularity was the draw. If they could somehow find a flaw in the MOVEit system, in principle they could target multiple organizations through a single weakness.
What gave them an “in” was a zero-day vulnerability now identified as CVE-2023-34362, a SQL injection vulnerability in the MOVEit web front-end affecting both cloud and on-premises customers. It now appears that this flaw has been around for a while and was being tested by Clop as early as July 2021.
In late May, the Clop attackers came back with a vengeance. The attack was a two-stage process: the zero-day gave attackers access to the MOVEit database, and a second-stage web shell backdoor allowed them to move even deeper into the underlying data storage infrastructure.
The web shell isn’t strictly necessary to steal data, but it has the advantage of persistence, making it harder to root the attackers out. What resulted was a mass data breach that seems to have compromised the data of an unknown number of organizations, including the BBC, British Airways (BA), payroll and HR provider Zellis, Aer Lingus, pharmacy chain Boots, and U.K. media watchdog Ofcom.
Those victims are all United Kingdom-based, but nobody doubts that many others across the world will have been affected, including in the United States. Clop said it was behind the attack in early June, claiming to have compromised “hundreds of companies” during the incident.
No Simple Defense
What’s left is a slow-motion extortion campaign in which victims will likely be contacted with ransom demands over the coming weeks and months. Recent parallels for this attack include the mass attack targeting VMware in February, and separate Clop attacks on Fortra’s GoAnywhere file transfer tool in March and on aging Accellion gateways in 2021.
Frustratingly, there’s no simple defense against third-party attacks like this. Even the best-resourced and best-staffed security teams are vulnerable. The lesson attackers draw is ominous: if you can’t target organizations directly, look for weaknesses in their supply chain and grab data through the backdoor.
Unlike traditional ransomware attacks, this kind of breach plays out over a longer period of time, possibly stretching to years. That’s why this incident might eventually turn into the worst type of data breach imaginable—one that is never fully resolved.
That would be bad news all round, not least for the long tail of employees whose data has been lost forever and who might find themselves being singled out for attacks in the future.