Cl0p Claims the MOVEit Attack; Here’s How the Gang Did It

Cl0p Claims the MOVEit Attack; Here's How the Gang Did It

The Cl0p ransomware gang has claimed credit for the breach of Progress Software’s MOVEit file transfer program. Experts say the attack was not only successful — affecting hundreds of million- and billion-dollar organizations throughout the Western world — but also surprisingly simple.

Though researchers initially tracked the MOVEit hackers as a novel group, on June 4 Microsoft attributed the attack to an actor they trace as “Lace Tempest,” known for running the Cl0p extortion website. On the evening of June 6, the Cl0p ransomware gang confirmed Microsoft’s hypothesis, in an announcement to affected organizations. It also issued an ultimatum.

“DEAR COMAPNIES.,” the actors wrote in broken English, “THIS IS ANNOUNCEMENT TO EDUCATE COMPANIES WHO USE PROGRESS MOVEIT PRODUCT THAT CHANCE IS THAT WE DOWNLOAD A LOT OF YOUR DATA AS PART OF EXCEPTIONAL EXPLOIT.”

The Cl0p connection, while dramatic, isn’t surprising, says Vlad Mironescu, threat intelligence analyst for Searchlight Cyber. “We know that Cl0p has been exploiting file transfer solutions for a while now: Accellion, SolarWinds, GoAnywhere, PaperCut, and now MOVEit. They are the masters of this kind of attack.”

What is unexpected, though, is that such a successful attack turned out to be so simple, as John Hammond, senior security researcher for Huntress, explains.

How the MOVEit Cyberattack Worked

After days spent unpacking the MOVEit vulnerability, CVE-2023-34362, Hammond talked to Dark Reading about how Cl0p did it. “Forgive me,” he says over a Zoom call, “I don’t know how nerdy this’ll get.”

Hammond pulls up a virtual machine running an unpatched version of MOVEit, and logs in to show what the environment looks like before he does his magic. The objective: to upload a GIF from the movie Madagascar, no permissions necessary.

“So the gimmick is: Are there any SQL injection vulnerabilities that we could go ahead and take advantage of and exploit?” he explains.

Before running it in Command Prompt, he flashes the window containing his custom malicious script. It’s short — maybe 100 lines, by the looks of it. Does this indicate that the attack was, actually, rather simple?

“Correct,” Hammond says, as he traces back the logic of his reverse engineering. “So if someone goes through it with some due diligence — to try to understand the differences in deltas between the patch and the vulnerable versions — you can see what’s removed, what’s cleaned up, what’s modified, and how Progress Software mitigated this threat.”

“And the logs of the original threat actor activity gives us at least a little bit of a breadcrumb to put the puzzle pieces together, and see what they were doing,” he adds, as he pulls them up.

“It’s stealing the API tokens, and uploading files, as you can tell here. And then further on, they’ll end up uploading their Web shell for persistence,” he explains. The Web shell LEMURLOOT, under the file name “human2.aspx,” has been identified industry-wide as an indicator of compromise (IOC) for MOVEit victims.

Cl0p made liberal use of LEMURLOOT, though it isn’t actually necessary to the attack chain. In a version of an exploit demo published after Hammond’s conversation with Dark Reading, Huntress opted the Meterpreter interactive shell instead of LEMURLOOT, escalating to the system level of a virtual machine and then deploying a Cl0p ransomware payload.

Using straightforward SQL injection, the unauthorized Cl0p can masquerade as a guest user, exfiltrating files, uploading malware, or doing just about anything else within an unauthorized MOVEit environment.

To conclude his demonstration for Dark Reading, Hammond runs his script and refreshes the sample MOVEit window, this time revealing a new file: “reMOVEit.gif.”

The MOVEit Transfer exploitation is not just SQL injection(👀)
We uncovered the very last stage of the attack chain to drop human2.aspx ultimately ends up gaining remote code execution ‼
We fully recreated the attack chain with a demo achieving a reverse shell & ransomware! pic.twitter.com/dPQX80wLQ8

— John Hammond (@_JohnHammond)

What Comes Next?

Beyond the victims and the security community, a few cybercriminals have been asking questions about the MOVEit attack. Like in the following post (translated to English) that Mironescu and his colleagues stumbled upon, from a Russian Dark Web user interested in purchasing some stolen data.

“There’ve been some other posts, but more limited in terms of scope. People have said they’re interested in the data, but they didn’t provide a budget. We also saw one actor who expressed interest in the technical part — he was probably trying to engage in exploiting this vulnerability [himself],” Mironescu posits.

Whether the vultures will get their scraps will be up to Cl0p. “WE ARE THE ONLY ONE WHO PERFORM SUCH ATTACK,” the group stated on June 6. Whether and how they’ll monetize and possibly share in their winnings may become clear June 14th, when the group plans to start naming and shaming their stubborn victims.

For now, they advised victims to “RELAX BECAUSE YOUR DATA IS SAFE.” Not very reassuring.