Clop Ransomware and the MOVEit Cyberattack: What to Know
Last week’s Clop (also known as CLOP or Cl0p) ransomware attack against the MOVEit Transfer file-transfer platform led to compromised networks around the globe. And BlackBerry Vice President of Threat Intelligence Ismael Valenzuela says there’s a lot of information threat actors can uncover by compromising this and similar tools.
“File-transfer platforms are prime targets for attackers since they often contain sensitive data, and if the victim is a payroll company or a legal organization, the threat actor may end up having access to a wide range of sensitive customer information from various industries and geographies,” says Valenzuela. In this case, that includes U.S. government agencies, airlines and media companies, an oil giant, health services, international consulting firms, and many more.
The MOVEit Cyberattack and What We Know
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI first warned on June 7, 2023, that the Clop ransomware gang (TA505) was exploiting a vulnerability in the Managed File Transfer (MFT) application MOVEit Transfer, via a structured query language (SQL) attack vector.
“Internet-facing MOVEit Transfer web applications were infected with a specific malware used by CL0P, which was then used to steal data from underlying MOVEit Transfer databases,” the advisory said, as it explained how threat actors carried out the attack.
While some have wondered about similarities between this attack and the one that affected SolarWinds back in 2020, Valenzuela says there’s a significant difference.
“While it’s bad, it’s also important to notice that this is not like the supply chain attack against SolarWinds or similar,” Valenzuela says. “This is rather a remote code execution attack, where attackers were able to probe, exploit and upload a webshell to exfiltrate data from vulnerable internet-facing servers.”
Mitigating Clop Ransomware Risk
CISA issued four key strategies to help mitigate the risk posed by Clop ransomware and the specific attack against MOVEit Transfer. The best practices listed in the CVE-2023-34362 advisory, include:
- Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
- Grant admin privileges and access only when necessary, establishing a software “allow list” that only executes legitimate applications.
- Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices, such as firewalls and routers.
- Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
“It’s important to note, organizations that have adopted a defensible security architecture — including the use of Web Application Firewalls (WAF) and ZTNA (zero trust network access) solutions — would have a higher chance of preventing this attack, even if their servers were unpatched,” says Valenzuela.
“There is no single silver bullet in cybersecurity. There’s never been one, and there never will be. But organizations that take a holistic and a threat-informed approach to cybersecurity are always better-prepared to defend against these attacks.”