
Microsoft Attributes MOVEit Hacks to Clop Ransomware

A Clop ransomware gang has exploited a critical vulnerability in the secure managed file transfer (MFT) application MOVEit Transfer. The vulnerability, now tracked as CVE-2023-34362, gives attackers unauthorized access to MOVEit Transfer's database. Customers who run this MFT software have been urged to deploy remediation measures quickly to protect their data.


Explaining the MOVEit Transfer Application Hacks

Organizations use managed file transfer software for secure electronic data exchange between systems and people.

What Is MOVEit Transfer?

Progress developed MOVEit Transfer to let businesses manage critical file transfers while leveraging Progress's security features, such as encryption tools, tamper-evident logging, and access controls. Because of data-governance and compliance requirements, thousands of organizations use this MFT software to help meet regulations such as HIPAA, GDPR, and PCI.


How Was MOVEit Hacked?

On May 31, 2023, Progress reported CVE-2023-34362 in MOVEit Transfer and MOVEit Cloud. Upon discovering the vulnerability, Progress immediately launched an investigation, alerted customers, and published mitigation guidance. CVE-2023-34362 is a SQL injection flaw: it allows attackers to gain unauthorized access to data by inserting their own Structured Query Language (SQL) code into the queries the application sends to its database.
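To make the injection mechanism concrete, here is an added example that is not MOVEit's code and does not come from Progress or this post's author: a login lookup built by string concatenation, beside the parameterized version that closes the hole. The in-memory user table, the credentials, and the `login_vulnerable` / `login_safe` function names are constructed for this illustration only.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user store.
# This is a generic SQL injection illustration, not MOVEit's schema or code.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "user"),
        ("sysadmin", "correct-horse", "admin"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    # Defective pattern: user-controlled text is spliced into the SQL string,
    # so the database parses attacker input as part of the query itself.
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    # Hardened pattern: placeholders bind the input as data values; the query
    # structure is fixed before any user text is seen by the database.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def demo():
    """Run the textbook tautology payload against both lookups."""
    conn = build_db()
    payload = "' OR '1'='1"
    # AND binds tighter than OR, so the concatenated WHERE clause becomes
    # (username='sysadmin' AND password='') OR ('1'='1'), matching every row.
    rows_vulnerable = login_vulnerable(conn, "sysadmin", payload)
    # The bound version compares the literal string to the password column.
    rows_safe = login_safe(conn, "sysadmin", payload)
    return rows_vulnerable, rows_safe

if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable lookup returned", len(vulnerable), "rows")  # 2 rows
    print("parameterized lookup returned", len(safe), "rows")     # 0 rows
```

The defensive takeaway is the second function: whatever the database layer (ADO.NET, ORM, stored procedures), the fix for this vulnerability class is to keep query structure and user data on separate channels, which is what parameter binding does.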

Microsoft attributed this hack to Lace Tempest, a Clop ransomware gang that has exploited similar vulnerabilities in the past to access data and extort money from victims. The group has since claimed responsibility for exploiting MOVEit's zero-day vulnerability. The threat could affect thousands of customers if they do not perform remediation.

Understanding the Threat of Clop Ransomware

Organizations have been vulnerable to ransomware attacks for over a decade, and they will continue to be open to these cyberattacks if they do not adopt reliable security measures.

What Is Clop Ransomware?

Clop is extortion-focused malware operated under the Ransomware-as-a-Service (RaaS) model. The Clop payload itself is a Win32 PE executable that uses valid digital signatures to evade detection by security software. Once the group gained access to MOVEit Transfer, they authenticated as the most privileged user and deployed a web shell for data exfiltration.

How Can Clop Take Advantage of Its Victims?

Regarding the MOVEit cyberattack, Lace Tempest announced that they had deleted stolen data belonging to governments, children's hospitals, and the military. They claimed to have compromised the data of hundreds of organizations and demanded ransoms from victims to keep the data off the Clop data leak site.

Beyond extorting its victims, the Clop group can post data for sale on underground forums and reuse it in future attack operations. Depending on the sensitivity and intellectual-property value of the stolen data, the impact of selling it on underground sites can be devastating for government and military affairs.

Utilizing Remediation Measures To Battle Clop Hacks

Potential victims of the MOVEit hacks should take the following measures to remediate the vulnerability and determine whether they have been compromised.

1. If Necessary, Apply Emergency Patches

Per Rapid7's guidance, a patch is available to fix the MOVEit Transfer app in emergency situations, and a fixed version of the software is available for upgrade. If a patch is required, Rapid7 recommended that users download it only from the official advisory articles and not from outside sources.

2. Change Keys and Build Firewalls

Because Clop ransomware affected MOVEit Cloud, users who have adopted the Microsoft Azure integration should rotate their Azure storage keys. All users should also configure firewalls to restrict inbound HTTP and HTTPS traffic to MOVEit on ports 80 and 443.

3. Identify What Data Has Been Exfiltrated

Because event logging is typically enabled after installation, affected records may still be available on the host. Capture the log data before wiping and restoring the application. Custom audit reports can be queried directly from the database or generated through MOVEit's built-in reporting functionality.
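As an added example of step 3 that is not part of the original post and is not MOVEit's own reporting tooling: a small triage script run over constructed audit records. It flags accounts holding admin rights that the operators never created, accounts whose download volume after a chosen date exceeds a threshold, and the files those accounts pulled, which is the candidate list of exfiltrated data. The CSV column layout, the `svc_tmp` account, the file paths, sizes and thresholds are all assumptions made for this illustration; a real investigation would apply the same logic to records exported from the MOVEit audit log.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit records. The column layout is an assumption made
# for this example, not MOVEit's real log schema; accounts, paths and byte
# counts are invented.
SAMPLE_LOG = """\
timestamp,user,role,action,target,bytes
2023-05-28T02:10:05Z,alice,user,login,,0
2023-05-28T02:11:12Z,alice,user,download,/Home/alice/report.pdf,204800
2023-05-28T02:30:00Z,sysadmin,admin,login,,0
2023-05-28T03:02:41Z,svc_tmp,admin,login,,0
2023-05-28T03:02:44Z,svc_tmp,admin,download,/Home/finance/q1.xlsx,5242880
2023-05-28T03:02:45Z,svc_tmp,admin,download,/Home/finance/q2.xlsx,5242880
2023-05-28T03:02:46Z,svc_tmp,admin,download,/Home/hr/payroll.csv,1048576
2023-05-28T03:02:47Z,svc_tmp,admin,download,/Home/legal/contracts.zip,52428800
"""

def parse_log(text):
    """Parse CSV audit records into dicts with a datetime and an int byte count."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["bytes"] = int(row["bytes"] or 0)
        records.append(row)
    return records

def triage(text, known_admins, since=None, max_files=3, max_bytes=50 * 1024 * 1024):
    """Return admin accounts outside the allow list, users whose download volume
    in the window exceeds the thresholds, and the files those accounts touched."""
    records = parse_log(text)
    if since is not None:
        # Limit the review to activity after the point of interest, e.g. the
        # date the vulnerability became known.
        records = [r for r in records if r["timestamp"] >= since]

    # Accounts with admin rights that the operators did not provision.
    unknown_admins = sorted({r["user"] for r in records
                             if r["role"] == "admin" and r["user"] not in known_admins})

    # Download count and volume per user.
    per_user = defaultdict(list)
    for r in records:
        if r["action"] == "download":
            per_user[r["user"]].append(r)
    bulk = {}
    for user, rows in per_user.items():
        total = sum(r["bytes"] for r in rows)
        if len(rows) > max_files or total > max_bytes:
            bulk[user] = {"files": len(rows), "bytes": total}

    # Every file pulled by a flagged account is a candidate for exposure.
    flagged = set(unknown_admins) | set(bulk)
    exposed = sorted({r["target"] for r in records
                      if r["action"] == "download" and r["user"] in flagged})
    return {"unknown_admins": unknown_admins,
            "bulk_downloaders": bulk,
            "exposed_files": exposed}

if __name__ == "__main__":
    import json
    report = triage(SAMPLE_LOG, {"sysadmin"}, since=datetime(2023, 5, 27))
    print(json.dumps(report, indent=2))
```

The allow list of legitimate admins and the thresholds are the two inputs that must come from the organization's own baseline; the script deliberately reports file paths rather than deleting or altering anything, since the log is evidence and should be preserved before any wipe-and-restore.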


Practice These Recommendations for Clop Ransomware Recovery

In light of this ransomware attack, protecting internal and external data transfer is crucial for your organization. While there are no 100% guarantees that you will not be hacked, addressing the following points can help you recover from a ransomware attack:

  • Fast Response: Longer response times make it harder to recover data.
  • Backup Verification: Before restoring data, ensure you have removed the ransomware and confirm that your backups are still accessible.
  • Share and Sync Blocks: Once you detect a potential attack, disable all types of file syncing and sharing to prevent a widespread hack.

An incident response plan should be an essential part of your organization's cybersecurity protocol.

Partner with Cloudficient To Avoid Being a MOVEit Victim

Many businesses have turned to cloud migration to maintain the pace of today's cyberspace and to tap into limitless data storage. While cloud services allow businesses to thrive, choosing the wrong migration team can make your enterprise vulnerable to attacks similar to that of MOVEit Transfer.

With unmatched next-generation migration technology, Cloudficient is revolutionizing the way businesses retire legacy systems and transform their organization into the cloud. Our business remains focused on client needs and on creating product offerings that match them. We provide affordable services that are scalable, fast, and seamless.

If you would like to learn more about how to bring Cloudficiency to your migration project, visit our website, or contact us.
