Exploitation of the MOVEit file transfer application linked to the Cl0p ransomware group has not resulted in the deployment of ransomware or the compromise of entire organizations, according to new research from Huntress.
In a blog post on July 7, Huntress researchers said the tactics documented by Huntress and others indicate that initial access was used to deploy a web shell, which the attackers could then use to copy and exfiltrate files.
No known instances exist where Cl0p attempted a full network compromise, say the researchers.
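The tradecraft described above (a web shell dropped on the transfer server and then used to copy files out) leaves a detectable trace in the server's own web logs: requests to a server-side script path that was never part of the application, followed by unusually large responses from it. The following is an added, defender-side example and is not code from Huntress or from the article; the log format is assumed to be IIS W3C-style, every log line and path is constructed for illustration, and `/placeholder_shell.aspx` is a stand-in name rather than a real indicator.

```python
"""Added example (not from the Huntress research or the article).

Flags requests to server-side script paths that are absent from a baseline
inventory of the application's own pages, then sums response bytes per
client and path so that large copy-outs through an unknown script stand
out. All paths and log lines are constructed; '/placeholder_shell.aspx'
is a placeholder, not an indicator from the page.
"""

from collections import defaultdict
import re

# Baseline of script paths the application legitimately serves.
# Constructed here; a real baseline would be built from a clean install.
KNOWN_SCRIPT_PATHS = {
    "/login.aspx",
    "/files.aspx",
    "/api/v1/token",
}

# Constructed IIS W3C-style lines:
# date time c-ip cs-method cs-uri-stem sc-status sc-bytes
SAMPLE_LOG = """\
2023-06-01 02:11:05 203.0.113.5 GET /login.aspx 200 4120
2023-06-01 02:12:40 203.0.113.5 POST /placeholder_shell.aspx 200 983
2023-06-01 02:13:02 203.0.113.5 POST /placeholder_shell.aspx 200 52428800
2023-06-01 02:13:30 198.51.100.9 GET /files.aspx 200 3100
2023-06-01 02:14:11 203.0.113.5 POST /api/v1/token 401 220
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Extensions handled by the server-side engine; a web shell must use one of
# these to execute, whatever file name the attacker chooses.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def parse_log(text):
    """Parse W3C-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def unknown_script_hits(events, known=KNOWN_SCRIPT_PATHS):
    """Requests to script paths that are not in the baseline inventory.

    A dropped web shell is, by definition, a script path the application
    never shipped, so this check does not depend on knowing its name.
    """
    known_lower = {k.lower() for k in known}
    return [
        ev for ev in events
        if ev["path"].lower().endswith(SCRIPT_EXT)
        and ev["path"].lower() not in known_lower
    ]


def exfil_candidates(events, known=KNOWN_SCRIPT_PATHS,
                     byte_threshold=10 * 1024 * 1024):
    """Total response bytes per (client, unknown script path).

    Large outbound volume from an unknown script is consistent with files
    being copied out through it; the threshold is a tunable assumption.
    """
    totals = defaultdict(int)
    for ev in unknown_script_hits(events, known):
        totals[(ev["ip"], ev["path"])] += ev["bytes"]
    return {key: total for key, total in totals.items()
            if total >= byte_threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in unknown_script_hits(evs):
        print("unknown script:", ev["ip"], ev["method"], ev["path"], ev["bytes"])
    for (ip, path), total in exfil_candidates(evs).items():
        print(f"possible copy-out: {ip} via {path}, {total} bytes")
```

The baseline-inventory approach matters more than any single file name: it catches a shell regardless of what it is called, and the per-client byte total separates a probe from an actual copy-out. In practice the baseline should be generated from a known-clean deployment and the byte threshold tuned to the server's normal download sizes.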
The Huntress researchers said this tactic follows a similar campaign led by Cl0p in which it exploited the GoAnywhere MFT — an operation that led to data exfiltration but no public evidence of network encryption.
“We have thus observed a change in aspect — from deliberate compromise of entire network environments for ransomware deployment to opportunistic exploitation of vulnerabilities for data exfiltration,” wrote the Huntress researchers.
John Hammond, a senior security researcher at Huntress, added: “They use the stolen files and information as leverage against the victims, with the threat of having customer PHI/PII or other details publicly published online being enough of a risk for organizations to pay.”
The Huntress research came late last week, when Progress Software reported three new vulnerabilities. The newly reported flaws follow multiple SQL injection vulnerabilities disclosed in MOVEit Transfer and MOVEit Cloud in May and June. At least one of those bugs was exploited by the Cl0p extortion group, resulting in dozens of companies disclosing that their data was stolen in the attack.
Cl0p has listed nearly 200 companies thus far on its dark web leak page, and experts expect to discover more victims in the coming weeks and months. The actively exploited zero-day vulnerability has been tracked as CVE-2023-34363 and has been under continued, active exploitation even after patches were released.
The Huntress research shows that Cl0p extorts its victims by threatening to post stolen sensitive data, explained James Horseman, exploit developer at Horizon3.ai. Instead of encrypting the files and forcing the victim to pay for the decryption key, Horseman said, Cl0p steals the files and threatens to post them publicly unless the victim pays.
“By only stealing the data and not encrypting it, Cl0p can avoid detection for a longer period of time and compromise more victims,” explained Horseman.
What Huntress reported reflects a departure from the traditional ransomware model, in which a domain compromise leads to data exfiltration, crippling of backup and recovery mechanisms, encryption and subsequent extortion, said Andre van der Walt, director of threat intelligence at Ontinue. In this case, van der Walt said, Cl0p simply gained a foothold on many MOVEit systems through which sensitive files were stored and transferred — and then exfiltrated the data.
“In most cases, there would be little point from them to encrypt the data, as the sender has a copy which remains out of reach for the ransomware gang, so recovery is not an issue,” explained van der Walt. “Of course, many sensitive files are transferred between entities. And unless companies take additional steps to encrypt files in transit, this data is now exposed and provides leverage for extortion attempts. As Huntress points out, Cl0p may have bitten off more than they can chew here, as their ability to capitalize on their initial success was curtailed by lack of resources.”