An attack campaign staged by the Russia-linked ransomware gang Cl0p exploited a widely used enterprise managed file transfer (MFT) platform over the US Memorial Day weekend, in what has become one of the most significant cyberattacks on record. Private equity firms need to assess their exposure to it carefully.
The campaign against the MOVEit Transfer application was first observed in the wild on May 27, according to the Cybersecurity and Infrastructure Security Agency (CISA).
MOVEit is an enterprise MFT platform developed by Progress Software. The MOVEit app is “used by thousands of governments, financial institutions and other public and private sector bodies all around the world to send and receive information,” according to a hack explainer authored by cybersecurity firm Emsisoft.
Finance and professional services account for 24.3 percent of the victims of the attack against the MOVEit Transfer application – the second-most heavily impacted victim group, according to Emsisoft. Cl0p even managed to compromise sensitive data from three of the “Big Four” consulting firms – all in one fell swoop.
So far, the breach is known to have compromised 977 public and private-sector organizations and the personal data of nearly 59 million people, according to Emsisoft, making it one of the most significant cyberattacks in history. Emsisoft estimates that the resulting cost will surpass $6.6 billion and could rise to $37 billion, based on an average cost of $165 for each compromised data record.
For PE firms, the fact that Cl0p was able to compromise data belonging to three of the largest consulting firms – Deloitte, Ernst & Young and PwC – is alarming in and of itself, given how frequently those firms are engaged in large-scale M&A transaction advisory.
One MOVEit victim whose business model is explicitly relevant to the PE industry is Datasite, a data-sharing platform that services counterparties involved in M&A transactions. Some of Datasite’s most high-profile clients include Goldman Sachs, Deloitte, EY, JPMorgan and UBS. On June 27, Datasite filed a data breach notice with the Attorney General of Massachusetts in response to the MOVEit hack.
In the filing, Datasite reported that attackers were able to access consumers’ personal information, including their names and Social Security numbers. Datasite later reported that the breach exposed the personally identifying information of 800 individuals. Datasite did not respond to multiple emails requesting comment.
Assessing the hack’s impact on the PE industry, Arani Adhikari, a partner at Armour Cybersecurity, noted that PE firms “that have made substantial investments in IT managed services companies within their portfolio are now confronted with a heightened level of risk exposure. This is due to the interconnected nature of supply chain attacks.”
Other higher-profile MOVEit victims active in the private funds sector include professional services firm Aon; law firms K&L Gates, Kirkland & Ellis and Proskauer Rose; investment manager Putnam Investments; Zurich Insurance Group; Pension Benefits Information Research Services, and Deutsche Bank.
Standard attack, extreme impact
In the same vein as the infamous SolarWinds hack of 2020, the MOVEit breach is considered a supply-chain attack because it targeted a software product used by hundreds of organizations.
The SolarWinds intrusion was technically far more sophisticated, however: the attackers compromised SolarWinds’ own build environment and inserted a backdoor into legitimate, digitally signed updates for its Orion network-monitoring platform, which customers then installed themselves.
The MOVEit campaign, by contrast, was a standard web application attack, which is the “most common type of threat facing the financial services sector,” according to Gene Yoo, the chief executive of cyber-intelligence firm Resecurity.
(Chart: Potential cost of the MOVEit breach, according to Emsisoft)
Even so, this web-app attack had a supply-chain-scale impact, compromising MOVEit’s customers and the counterparty data stored on affected MOVEit Transfer servers. Although Cl0p stole that data and used it as leverage to extort the MFT app’s customers, the campaign was not a ransomware attack in the classic sense: Cl0p did not encrypt victim systems at all, relying purely on the threat of publication.
Instead, the group weaponized a previously unknown vulnerability in the platform to breach MOVEit servers and exfiltrate as much customer data from them as possible. The vulnerability was a structured query language injection (SQLi) flaw, which Cl0p used to reach the application’s back-end database and, from there, to plant a web shell for data theft. An explainer on the Cl0p hack authored by Resecurity said “SQLi attacks enable hackers to compromise relational databases with arbitrary data requests.”
CISA noted in its MOVEit risk advisory that, depending on the database engine being used (such as MySQL, Microsoft SQL Server or Azure SQL), Cl0p or other threat actors wielding the primary SQLi exploit, “may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements.” SQLi attacks are also known to be “fairly routine intrusion vector[s],” according to Resecurity’s Yoo.
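The two behaviours CISA describes – inferring the structure of the database and reading data the application never meant to expose – are easy to show with a generic injection. The following is an added example written for this article, not code from Progress Software, Cl0p, CISA or Resecurity, and it is not the MOVEit exploit: the table, column names, queries and payloads are all constructed here against an in-memory SQLite database. It pairs a vulnerable query that pastes user input into the SQL string with the parameterized form that closes the hole.

```python
"""
Added example (not from the article, Progress Software or any cited firm): a
generic SQL injection demonstration against an in-memory SQLite database.
Schema, data and payloads are constructed for illustration only.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small, constructed file-transfer schema with two tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT);
        CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, path TEXT);
        INSERT INTO users (username, api_token)
            VALUES ('alice', 'tok-alice-1'), ('bob', 'tok-bob-2');
        INSERT INTO files (owner, path)
            VALUES ('alice', '/deals/projectX.pdf'), ('bob', '/hr/payroll.csv');
        """
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """VULNERABLE: untrusted input is spliced straight into the statement.

    Anything the caller supplies becomes part of the SQL, so quotes, OR
    clauses and UNION selects are parsed as code rather than as data.
    """
    sql = f"SELECT path FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn: sqlite3.Connection, owner: str) -> list:
    """HARDENED: a bound parameter is only ever treated as a string value."""
    sql = "SELECT path FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo() -> dict:
    """Run the same three payloads against both functions and return results."""
    conn = make_db()
    # Tautology: turns the filter into "owner = '' OR '1'='1'" -> every row.
    tautology = "' OR '1'='1"
    # Schema inference: a UNION against SQLite's catalogue table lists all
    # table names (the equivalent of information_schema on other engines).
    schema_probe = "' UNION SELECT name FROM sqlite_master WHERE type='table' --"
    # Data theft from a different table than the query was written for.
    token_dump = "' UNION SELECT username || ':' || api_token FROM users --"
    return {
        "normal": list_files_vulnerable(conn, "alice"),
        "tautology": sorted(list_files_vulnerable(conn, tautology)),
        "schema": sorted(list_files_vulnerable(conn, schema_probe)),
        "tokens": sorted(list_files_vulnerable(conn, token_dump)),
        # The parameterized query looks for an owner literally named after
        # the payload, finds nothing, and leaks nothing.
        "safe_tautology": list_files_safe(conn, tautology),
        "safe_schema": list_files_safe(conn, schema_probe),
        "safe_tokens": list_files_safe(conn, token_dump),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} {rows}")
```

The “schema” payload is the step CISA calls inferring the structure of the database; once an attacker knows the table names, the “tokens” payload shows how the same injection point pulls data from a table the original query never touched. Stacked statements that alter or delete rows depend on whether the driver allows more than one statement per call (Python’s `sqlite3.execute` does not), but the fix is the same in every case: bind parameters, and run the application’s database account with the least privilege it needs.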
Because neither Progress Software nor the wider security community knew of the vulnerability until it was already being exploited, it counts as a “zero-day”: the vendor had zero days to issue a patch before attacks began, so customers had no fix to apply.
There have been an unusually high number of zero-days exploited “in the wild” this year – that is, flaws observed being used in real attacks before a patch was available – with the Zero-Day.cz tracking project logging 54 such vulnerabilities through the first seven-and-a-half months of 2023. By comparison, the project tracked 52 for all of 2022.
Unlike ransomware attacks, “mass exploitation of a vulnerability in file transfer software can allow threat actors to efficiently gain access to many organizations’ sensitive files without the need for additional lateral movement,” wrote Sandra Joyce, a vice-president at cybersecurity firm Mandiant Intelligence, in June.
Lateral movement refers to an attacker moving from the first compromised system to other hosts in the victim’s network, typically in search of more valuable data or more privileged accounts. In some cases, Cl0p was able to start exfiltrating data “within minutes of exploiting MOVEit systems, almost certainly reducing the time required to monetize access,” said Joyce. In other words, the data worth stealing was already sitting on the MOVEit server, so Cl0p did not need to explore the rest of the network before seizing it.
Broader potential vulnerabilities
The primary SQLi flaw is tracked as CVE-2023-34362 in the Common Vulnerabilities and Exposures (CVE) program, which is run by MITRE, a US not-for-profit that operates federally funded research centers focused on engineering and cybersecurity. Since the discovery of this attack campaign, security researchers have identified another five related CVEs affecting the MOVEit Transfer application, most of them also SQL injection flaws, bringing the total of related MOVEit CVEs to six.
(Table: Common vulnerabilities and exposures related to MOVEit)
Representatives for Microsoft’s Azure service, which hosted a significant share of impacted SQL databases, and which has increasingly become the most popular cloud solution for PE firms, declined to comment on any specifics surrounding the breach.
But Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, did note that the “threat actor behind this activity is known as Lace Tempest within Microsoft as well as TA505. This threat actor is heavily focused on extortion and financial gain.”
Risk advisory firm Kroll reviewed Microsoft Internet Information Services (IIS) web-server logs from impacted clients’ MOVEit servers and “identified activity indicating that the Cl0p threat actors were likely experimenting with ways to exploit” the MOVEit vulnerability as far back as July 2021.
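Kroll’s finding illustrates why web-server logs are worth keeping for years rather than weeks. The script below is an added example written for this article, not Kroll’s tooling, Progress Software’s code or anything from the cited advisories. It reads IIS logs in the standard W3C extended format (field names are taken from the `#Fields:` header, so it copes with whatever fields a server is configured to log), then applies two heuristics a responder would run over an MFT server’s history: requests to script files that are not in a known allowlist, with the earliest sighting of each, and clients that pulled an unusually large volume of bytes. The sample log lines, the allowlist paths such as `/transfer/helper2.aspx`, the IP addresses and the 50 MB threshold are all constructed for the example and are not MOVEit indicators.

```python
"""
Added example (not from Kroll, Progress Software or the article): triage of
IIS W3C-format logs for unexpected server-side scripts and high egress.
All paths, addresses, thresholds and log lines below are constructed.
"""
from collections import defaultdict

# Constructed sample log. IIS writes one space-separated record per line and
# replaces spaces inside values (e.g. User-Agent) with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes time-taken
2021-07-14 09:02:11 10.0.0.5 GET /transfer/helper2.aspx - 443 - 198.51.100.23 python-requests/2.25.1 404 1460 15
2023-05-28 01:55:40 10.0.0.5 GET /transfer/login.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 3110 22
2023-05-28 01:57:02 10.0.0.5 POST /transfer/helper2.aspx - 443 - 198.51.100.23 python-requests/2.25.1 200 612 203
2023-05-28 01:57:09 10.0.0.5 GET /transfer/helper2.aspx folder=all 443 - 198.51.100.23 python-requests/2.25.1 200 48219016 9981
2023-05-28 01:57:31 10.0.0.5 GET /transfer/helper2.aspx folder=deals 443 - 198.51.100.23 python-requests/2.25.1 200 31790744 7120
2023-05-28 02:03:15 10.0.0.5 GET /transfer/api/folders.aspx - 443 alice 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 2048 19
"""

# Hypothetical allowlist of script paths the application is expected to serve.
KNOWN_SCRIPTS = {"/transfer/login.aspx", "/transfer/upload.aspx", "/transfer/api/folders.aspx"}
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")
EXFIL_THRESHOLD = 50_000_000  # bytes sent to one client; constructed threshold


def parse_iis_log(text: str) -> list:
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field order is declared in the header
            continue
        if not line.strip() or line.startswith("#"):
            continue                         # other directives and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                         # malformed line; skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def triage(records: list, known_scripts=KNOWN_SCRIPTS, exfil_threshold=EXFIL_THRESHOLD) -> list:
    """Flag unexpected script paths (with first sighting) and heavy egress per client."""
    unexpected = {}
    bytes_by_client = defaultdict(int)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem.endswith(SCRIPT_EXTS) and stem not in known_scripts:
            seen = f'{r["date"]} {r["time"]}'
            e = unexpected.setdefault(stem, {"first_seen": seen, "hits": 0,
                                             "clients": set(), "statuses": set()})
            e["first_seen"] = min(e["first_seen"], seen)   # ISO timestamps sort as text
            e["hits"] += 1
            e["clients"].add(r["c-ip"])
            e["statuses"].add(r["sc-status"])
        if r.get("sc-bytes", "-") != "-":
            bytes_by_client[r["c-ip"]] += int(r["sc-bytes"])

    findings = []
    for stem, e in unexpected.items():
        findings.append({"type": "unexpected_script", "path": stem,
                         "first_seen": e["first_seen"], "hits": e["hits"],
                         "clients": sorted(e["clients"]), "statuses": sorted(e["statuses"])})
    for ip, total in bytes_by_client.items():
        if total >= exfil_threshold:
            findings.append({"type": "high_egress", "client": ip, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_iis_log(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample, the unknown script is first requested in July 2021 and gets a 404, then reappears nearly two years later returning 200 to the same client, which then downloads tens of megabytes through it: exactly the shape of evidence, probing followed by a working web shell and bulk retrieval, that long log retention makes visible. The allowlist is the part that needs real work on a production server; build it from the product’s installed files rather than from guesswork.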
Lower pay rates lead to high-pressure tactics
Cl0p even created clear-web data leak sites (DLS) for multiple victims, a pressure tactic pioneered by the rival Russia-linked ransomware gang BlackCat. Unlike dark-web leak sites, which are reachable only through the anonymizing Tor Browser, clear-web leak sites make victim data accessible to any ordinary internet user.
Initially stymied by slow clear-web download speeds, Cl0p has since pivoted to releasing data via BitTorrent, a peer-to-peer file-sharing protocol that is considerably faster and has no single server to take down. Cl0p has created torrents for over 20 victims, including Aon, K&L Gates, Putnam, Delaware Life and Zurich Brazil.
The act of making stolen data more easily accessible to casual online users is viewed by cybersecurity experts as a pressure tactic weaponized by attackers to publicly shame their victims as much as possible to induce payment. Gangs are resorting to higher-pressure tactics because it is becoming more difficult for them to monetize their ransomware attacks.
Through Q2 of 2023, the share of ransomware victims that paid fell to a record low of 34 percent, according to cyber-extortion incident response firm Coveware. Still, even at that payment rate, Cl0p’s cyber-extortion campaign is on pace to net the group an estimated $75 million to $100 million in victim payouts, according to Coveware.
But Emsisoft threat analyst Brett Callow cautioned, “I wouldn’t want to try to estimate how much Cl0p may make from this campaign. First, because we don’t yet know how many victims there are and, second, because demands can vary significantly. That said, I wouldn’t be at all surprised if Cl0p were to net $75 million to $100 million. Or more.”
Callow also noted that “Cl0p likely has other options for monetizing the data,” primarily by selling it to other threat actors on the dark web. That’s something they may do “whether victims pay or not,” he added.
A transformative attack model
The aggregate ransom payout projected by Coveware catapults the MOVEit breach into the unofficial cyberattack hall of fame and is likely to encourage copycat intrusions.
More significantly, this shift in ransomware operator tactics could signify a transformative event for how future cyber-extortion attacks are staged, warned the Resecurity report.
Yoo elaborated on his firm’s report, noting that the “design of the malicious web shell used to hack MOVEit would have required unusually sophisticated code-auditing and exploit-engineering skills. As such, the expert-level precision observed in this hack deviates from Cl0p’s known attack signatures.”
“What this suggests is that Cl0p did not build this attack kit in-house. Instead, it is more likely the gang bought this… from an initial access broker or a specialized exploit developer on the dark web. Assuming this is the case, Cl0p was able to bypass all the exhaustive R&D and time cybercriminals typically have to invest to perform attacks this specialized,” Yoo added.
The upshot is that Cl0p’s wildly successful, latest exploit campaign may inspire a new wave of ransomware attacks, where threat groups discard the time-consuming, internal development of intricate malware and encryption lockers altogether.
Galvanized by Cl0p, ransomware groups may find they can achieve similarly desirable extortion-campaign payouts much more efficiently by purchasing ready-made attack kits from specialized brokers of zero-day hack kits on the dark web.
But the more important trend, stressed Yoo, is that “advanced ransomware groups are actively targeting the enterprise IT supply chain to maximize the impact of their attacks and compromise as many organizations as possible – all within a single attack cycle.”
Follow-on attacks likely
In the wake of the MOVEit attack, there are two revealing cyber-risk considerations that private funds should keep in mind for the longer term. First is the confluence between the growing dark-web market for zero-day exploit kits and the obsolescence of many organizations’ IT infrastructures. This risk convergence is particularly acute for MFT applications like MOVEit.
The second long-term risk exposure private funds should consider is the secondary wave of MOVEit-related business email compromise attacks that are bound to ensue. With Cl0p seizing an unprecedented amount of high-value public sector, private sector, and particularly financial and professional services data, PE firms must brace themselves for a historic wave of impersonation scams.
Diving into the first point, MOVEit is the third significant breach involving an MFT product in roughly three years, following the Accellion File Transfer Appliance (the company is now Kiteworks) in late 2020 and Fortra’s GoAnywhere MFT earlier in 2023, both of which were also exploited by Cl0p. In a recent blog, IBM Security X-Force noted that MFTs have emerged as a “prominent attack vector.”
“By compromising MFTs, attackers can expedite their attacks — immediately jumping to the data exfiltration stage,” said X-Force. They don’t need to take further action or execute additional maneuvers “to deploy malware because they landed right in the pot of gold and are able to steal the data directly from the MFT to extort their victims,” said X-Force.
To help defenders mitigate MFT risks, X-Force has released an index on code-sharing platform GitHub that features a “sample of 13 different detection and response frameworks for the most common and exposed MFT solutions.”
Either way, cyberattacks targeting MFTs and other web applications are increasingly fueled by a thriving dark-web market for novel vulnerabilities. Resecurity’s Yoo noted that “some zero days may cost $1 million-plus in dark web if sold by a reputable developer.”
Yoo says that vulnerabilities in file transfer software can be discovered relatively easily. That’s particularly true with the advent of generative AI, he says. “Such bugs will be extremely relevant for ransomware groups and actors involved in data theft and espionage.”
More soberingly, Ian Thornton-Trump, the chief information security officer at Cyjax, is concerned that the IT architectures underpinning the most prominent MFT solutions have reached the “technical-debt stage”. In other words, Thornton-Trump suggested these MFT software architectures are so antiquated that they might as well be relegated to the cyber junkyard.
Discussing the MOVEit MFT, Thornton-Trump said that MOVEit’s software includes code that “may date back to 2002 or even further in the past,” and added that the software appears to be a “fancy FTP/sFTP and Http/Https file transfer box.”
The “argument that it supports FTP and HTTP indicates it’s pretty much legacy under the hood,” added Thornton-Trump. “In 2023, there are far more robust and enterprise-level ways to transfer files securely that don’t involve FTP transmission.”
A spokesperson for Progress Software, which is facing at least two potential class-action lawsuits related to the MOVEit breach, said that “with its MOVEit suite of products, Progress follows industry best practices regarding security to help protect our customers.”
The second risk consideration that private funds need to factor in is the coming tidal wave of BEC frauds staged with MOVEit data. Armed with a king’s ransom of sensitive corporate and, specifically, financial data, dark-web threat actors have the source material to perform especially lucrative executive impersonation or payroll diversion scams.
“Combine this war chest of scam-staging materials with large language models like ChatGPT and deviant LLMs like FraudGPT and WormGPT,” which can enhance crooks’ ability to create and scale convincing impersonation campaigns, “and private funds’ risk exposure to secondary BEC attacks will be particularly severe,” said Yoo.
“Industry is going to have to contend with the aftermath of the MOVEit breach for years to come,” he added.