CL0P Gang’s MOVEit Rampage (CVE-2023-34362)

Rohan Bhange,

14 June 2023.

Ransomware and data extortion attacks have become a threat not only to the national security and critical infrastructure of the United States but to organizations across the entire world. When such attacks are carried out by compromising the supply chain, the effects are even more devastating: thousands of clients and their endpoints can be compromised, leading to heavy financial losses, damaged reputations, and leaks of their customers' sensitive data. Whether it is the Kaseya VSA ransomware attack of 2021 or the most recent CL0P gang’s MOVEit data extortion rampage, the scale on which these attacks have been carried out through the supply chain has left organizations, governments, and individuals in turmoil.


The CL0P ransomware group, previously known for its double extortion tactic, has claimed responsibility for attacks exploiting CVE-2023-34362, a previously unknown SQL injection vulnerability in the MOVEit Transfer web application. It allows an unauthenticated attacker to gain access to MOVEit Transfer's database, where the attacker may be able to infer information about the structure and contents of the database and execute SQL statements, depending on the database engine in use (CVE - CVE-2023-34362, 2023). NIST's NVD has classified the vulnerability with a base score of 9.8 (Critical) (NVD - CVE-2023-34362, 2023), which makes it a serious threat to the many prominent organizations affected. More recently, a new vulnerability in the MOVEit Transfer web application, CVE-2023-35036, has been discovered and is currently awaiting analysis. In this vulnerability, unauthorized access to the MOVEit database can be gained by submitting a crafted payload to an application endpoint, which could result in modification and disclosure of database content (NVD - CVE-2023-35036, 2023).
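To make the vulnerability class concrete, the following is an added, generic illustration of why an SQL injection in a web application's database layer lets an unauthenticated caller read data it should not see, and how parameterized queries close that gap. It is not MOVEit Transfer code and says nothing about the actual CVE-2023-34362 code path; the table, rows, and lookup functions are constructed here for illustration, and it uses Python's bundled sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for this illustration (not MOVEit's schema).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string formatting, so the caller's input becomes SQL syntax.

    A value such as x' OR '1'='1 turns the WHERE clause into a tautology and the
    query returns every row, which is the data-disclosure effect the text describes.
    """
    query = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Parameterized query: the value is bound by the driver and can never alter the statement."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Return how many rows each variant discloses for the same input."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, name)),
            "hardened": len(lookup_hardened(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # The textbook tautology input: the vulnerable variant leaks all rows, the
    # hardened variant treats the whole string as a literal name and returns none.
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

The detection takeaway for defenders is that the hardened variant is identical in behaviour for legitimate input; only the malformed input distinguishes the two, which is why database query logs showing unexpected full-table reads from web-tier accounts are a useful review point when checking an exposed application.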


The cybersecurity company ReliaQuest reported that CL0P has issued a threat via its dark web leak site “CL0P^_-LEAKS”, stating that it has compromised and stolen data from hundreds of companies using the MOVEit vulnerability and giving them until 14 June 2023 to open data extortion negotiations; CL0P stated that the data of those who fail to make contact by that date will be leaked online (De Blasi, 2023). CL0P has been accused of operating a RaaS (Ransomware as a Service) and faces several other allegations, as stated in the joint Cybersecurity Advisory (CSA) released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to disseminate known CL0P ransomware IOCs and TTPs (#StopRansomware, 2023). The CSA contains detailed information on detection methods, TTPs, mitigations, and validation of security controls, which may be useful to organizations that suspect they have been compromised.


To mitigate attacks carried out by CL0P against MOVEit, incident response plans must be executed immediately to minimize the impact of the attack, and application controls should be implemented to control which programs are allowed to execute. Command-line and scripting activities should be disabled and PowerShell usage restricted. Networks should be segmented and backups maintained. Software, firmware, and operating systems should be kept up to date (#StopRansomware, 2023). The FBI and other security agencies advise against paying the ransom, as payment guarantees neither the recovery of files nor the deletion of stolen data. Paying such large ransoms also indirectly gives organized crime groups more power to carry out similar attacks in the future. If you are a victim of such an attack, contact your local FBI field office, as they can provide assistance with decrypting the data held for ransom.


References

CVE - CVE-2023-34362 (2023). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34362

De Blasi (2023). ReliaQuest. https://www.reliaquest.com/blog/moveit-vulnerability-update-clop-claims-responsibility/

NVD - CVE-2023-34362 (2023). https://nvd.nist.gov/vuln/detail/CVE-2023-34362

NVD - CVE-2023-35036 (2023). https://nvd.nist.gov/vuln/detail/CVE-2023-35036

#StopRansomware (2023). CISA/FBI joint Cybersecurity Advisory AA23-158A. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a