Case study MOVEit Vulnerability Exploitation
Overview: In 2023, members of the CL0P ransomware gang exploited a vulnerability in the MOVEit transfer software that allowed them to access data from over 1000 companies that used the MOVEit file transfer system. CL0P then used this stolen data to individually extort each company, threatening to leak each company’s sensitive data online if they did not pay a ransom by a particular date.
Sequence of Events:
In May 2023, CL0P began exploiting a previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer beginning.
After leveraging this vulnerability to access and exfiltrate sensitive data from over 1000 companies, CL0P began to individually extort the companies that the data belonged to by threatening to leak the data online if they did not pay a ransom.
The extortion continued for several months, with dozens of new victims showing up on CL0Ps ransomware data leak site each week.
Because this attack involved access to a single platform which granted attackers access to data from hundreds of organizations, it was a “supply-chain” attack that ultimately ended up impacting most major U.S. companies as well as several in Europe and Canada.
Impact: CL0P’s exploitation of the vulnerability in the MOVEit Transfer portal and subsequent extortion of victims was the largest supply-chain attack of 2023. In total, the attack was estimated to have cost nearly $10 billion in damage.
Response and Aftermath: Progress Software, the company that produced MOVEit Transfer patched the vulnerability and worked with government and private incident response companies to investigate the hack. Because the data had already been accessed and exfiltrated before the company discovered the problem, though, there was little they could do to stop the downstream impacts of the attack.
Links to Additional Reading: Please see below for links to additional reading that may assist you as you prepare to answer the questions below:
https://www.theverge.com/23892245/moveit-cyberattacks-clop-ransomware-government-business
https://www.cisa.gov/news-events/news/cisa-and-fbi-release-advisory-cl0p-ransomware-gang-exploiting-moveit-vulnerability
https://www.bbc.com/news/technology-65877210
Questions to Answer in Case Study:
How can organizations do a better job of protecting themselves from vulnerabilities in their supply-chain?
How can companies like Progress Software prepare for major incidents by leveraging business continuity planning, data backups, and disaster recovery plans?
How can companies proactively identify vulnerabilities in their software before they are exploited by threat actors?
