The MOVEit file transfer zero-day vulnerability, first discovered on June 1, was used to breach at least 160 confirmed victims by June 30. The successful mass extortion campaign represents an evolution of tactics by the Russian-backed Cl0p ransomware group, which experts say is likely to catch the attention of rival threat actors.
Threat researchers note that the MOVEit campaign has some clues about how to respond to future of supply chain cyberattacks for defenders as well.
So far, the breached organizations include a who's who of international brands, like Avast's parent company, British Airways, Siemens, UCLA, and more. Reports say the ransomware group pulled off the technically detailed mass exploitation after at least two years of careful development, patiently plotting and planning when and where to strike, armed with the secret flaw in the MOVEit file transfer software.
Ransomware-Less Ransomware Attacks
Researchers note a few innovations Cl0p has made between previous exploits and the MOVEit campaign, which are likely to influence other threat groups. For instance, Cl0p has streamlined the extortion business model by doing away with ransomware all together, John Hammond, Huntress security threat researcher explained to Dark Reading.
"From what the industry has seen in [recent] Cl0p breaches (namely, GoAnywhere MFT and MOVEit Transfer), they haven't executed ransomware within the target environments," Hammond says. "The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion. It's not clear why they opted not to encrypt files."
While it's not clear why Cl0p pivoted, the end result is a ransomware business model without the overhead of trying building better ransomware, he adds.
"Perhaps other cybercrime gangs will follow suit, and the development of ransomware tooling and creating faster malware may fall to the way-side when adversaries can just focus on their real goal of making money," Hammond says.
Third-Party Zero-Day Exploit Providers
All of that said, if making money was the primary motivation for the MOVEit cyberattacks, the group would have chosen a much simpler approach than investing the time and resources to discover and develop an exploit like the one in MOVEit.
John Fokker, head of threat intelligence with the Trellix Advanced Research Center, explained to Dark Reading he thinks he has the answer: The group acquired the zero-day from a third party.
"There are several aspects and factors of this particular cyberattack and vulnerability that are really interesting," Fokker says. "The MOVEit vulnerability isn't an easy or straightforward one — it required extensive research into the MOVEit platform to discover, understand, and exploit this vulnerability. The skill set required to uncover and exploit this vulnerability isn't easily trained and is hard to come by in the industry."
He adds, devoting that level of detail to an operation isn't something Cl0p ransomware group usually does, which is another clue leading Fokker and his team to suspect Cl0p acquired the MOVEit zero-day vulnerability rather than developing it from scratch.
"It's definitely a possibility that Cl0p didn't actually discover this zero-day vulnerability and exploit but rather acquired it from a third party," Fokker adds. "We believe with moderate confidence that this was the case, based on what was mentioned above in addition to certain other elements of the attack and leak postings."
Shoring up the Software Supply Chain Against Future Zero-Day Exploits
Stopping more sophisticated zero-day supply chain attacks requires investment in proactive efforts, including robust, responsive bug bounty programs funded by software vendors, notes Randy Pargman, director of threat detection with Proofpoint explains.
"There's a huge discrepancy between the amount of money that software vendors are willing to pay for bug bounties versus the amount that zero-day researchers can get from governments and underground markets for their research, so vendors could do better by investing more," Pargman says. "Where software companies can still improve the most is in making it easier for bug bounty hunters to report issues, and treating researchers with respect."
But as Omkhar Arasaratnam, general manager of the Open Source Security Foundation, says what he's more concerned about are reports of panicked responses to the MOVEit exploit among cybersecurity professionals.
"The cybersecurity community should focus on making incidents boring," Arasaratnam says. "When paramedics arrive at an accident scene they do not run around frantically or in a panic. Paramedics deliberately, and stoically execute the procedures that they've learned to gain access, assess the scene, triage, and help effectively. Cybersecurity can take a lesson from paramedics."
