Clop has stepped up MOVEit attacks: Here are 5 ways to manage the situation


Clop has dominated the security news cycle since word of the MOVEit zero-day vulnerability broke in late May. This week, as promised, Clop began to leak victim names on its dark website to up the pressure to force victims to pay their extortion demands. And on Thursday, the MOVEit campaign made the national news when CNN reported that several federal agencies were targeted, though CISA would not confirm which group was behind the attack. We are still in the early days of this campaign, and as more victims become public, organizations will face tough decisions.

Toward that end, here are five steps security teams can take to better manage this extortion campaign and prepare for future ones:

If the organization still runs MOVEit Transfer or MOVEit Cloud, consider shutting them down for now

Last week, additional vulnerabilities (CVE-2023-34362) were discovered, resulting in another software patch. Progress Software's investigation is "ongoing," and "further detailed code reviews" are underway. Depending on use cases, security teams may have the luxury of suspending use of the applications to let the investigation play out. Better to be safe than sorry.

Understand the company’s exposure

It's time to make critical decisions, and if security teams don't understand their potential exposure, they may make the wrong decision. What data was stored in the company's MOVEit instance? Was the data exfiltrated? How sensitive was this data? Was it regulated data? Was it sensitive intellectual property? What are the legal and regulatory implications of this data leaking on Clop's site? Did the organization have sensitive data from third parties? Which third-party partners use MOVEit? What is the organization's exposure there? Reach out to critical suppliers and confirm exposure. Incomplete answers to these questions could severely constrain the decision-making process of the top executives.

Decide if the organization will engage and pay Clop's demands

Succumbing to an extortion demand requires a risk-based business decision. Start by understanding the organization's exposure. If the team can confirm that no sensitive data exists in scope, the organization can potentially ignore the extortion demand outright. If Clop stole sensitive data, then that's a more difficult question. To answer it, engage with inside and outside counsel, senior leadership, the board, public relations, law enforcement, and possibly regulators. Weigh the risks of exposing the company's data against the chance that Clop doesn't destroy it (no honor among thieves) and releases it anyway. There's also the potential that other extortionists will begin to target the organization because it has been known to pay ransom demands. Hopefully, the team has done a tabletop exercise and answered these questions in advance.

Harden whatever file transfer software the organization has deployed

Clop has had astounding success with these campaigns (Accellion, GoAnywhere), so this won't be the last time it leverages zero-days to go after managed file transfer (MFT) software. Next time, it could attack whatever product the organization uses to exchange sensitive files. Harden and restrict access to the company's file transfer software now. This includes restricting public access to authorized users, setting up firewall rules to exclude unknown IPs, and patching the software to the latest version. Also, because Clop exploits zero-day flaws, effective detection and response are the best option for minimizing risk. Evaluate the logging capabilities of any deployed MFT product. Enable logging, and ship those logs off to a SIEM or other storage so that if the team needs to hunt for malicious activity in the future, it will have the data to do so. I repeatedly see organizations that lack adequate logging and can't answer the most important questions at the most critical times.
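As an added example (not code from the article, and not anything from Progress Software), here is a small Python check in the spirit of the access-restriction and logging advice above: it reads constructed IIS-style access-log rows from an MFT front end and flags requests from sources outside an assumed partner allowlist, plus successful requests to paths outside an assumed application inventory. The log format, the networks and the paths are all assumptions; substitute the real product's log layout and the organization's own allowlist.

```python
import ipaddress
import re

# Constructed IIS-style access log rows (date time client-ip method uri-stem status).
# These are invented sample rows for the example, not real MOVEit Transfer logs.
SAMPLE_LOG = """\
2023-06-15 10:01:02 198.51.100.10 GET /login.aspx 200
2023-06-15 10:01:05 198.51.100.10 POST /api/upload 200
2023-06-15 10:02:30 203.0.113.77 GET /login.aspx 200
2023-06-15 10:02:31 203.0.113.77 POST /api/upload 200
2023-06-15 10:03:00 203.0.113.77 GET /unexpected_handler.aspx 200
2023-06-15 10:04:00 192.0.2.5 GET /login.aspx 401
"""

# Assumed allowlist: the partner networks authorized to reach the MFT service.
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("192.0.2.0/24")]

# Assumed inventory of URL paths the application is expected to serve.
KNOWN_PATHS = {"/login.aspx", "/api/upload", "/api/download"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (ip, method, path, status) for one row, or None if the row is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _date, _time, ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def is_allowed_source(ip):
    """True when the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyze(log_text):
    """Return findings as (kind, ip, path) tuples for rows that deserve an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed rows rather than crash a hunt over a large file
        ip, _method, path, status = parsed
        if not is_allowed_source(ip):
            # The firewall should have dropped this; seeing it in the log means the restriction is missing.
            findings.append(("source_not_allowlisted", ip, path))
        if status == 200 and path not in KNOWN_PATHS:
            # A successful request to a handler outside the inventory is the kind of row to hunt on.
            findings.append(("unknown_path_served", ip, path))
    return findings
```

Run `analyze(SAMPLE_LOG)` against the constructed rows and it returns four findings: three for the non-allowlisted source and one for the unknown path it reached successfully.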

Audit and harden all external-facing services

Clop can uncover zero-day vulnerabilities, which it could apply to other software in the future. Follow the guidance above for all of these services. Some may read this guidance and say, "Thank you, Captain Obvious," but defenders struggle with an ever-increasing attack surface, and mergers and acquisitions can make this much easier said than done. Initial Access Brokers and ransomware operators have great success targeting unpatched systems. It's not a good sign if the team can't defend against known exploits; how will it then protect against zero-day exploits? After the incident response phase, take the time to conduct a risk assessment of all external-facing services.

This situation will continue to evolve in the coming days and weeks. It isn't too late to take action to minimize the damage and better protect the organization against future attacks.

Rick Holland, chief information security officer, Office of the CISO, ReliaQuest
