On June 7, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Joint Cybersecurity Advisory in connection with a recent zero-day (or previously undetected) vulnerability in Progress Software’s managed file transfer software (MOVEit Transfer), exploited by the CL0P ransomware group. CL0P publicly claimed responsibility for exploiting the vulnerability on June 5, 2023 and has a well-established history of targeting vulnerabilities in file transfer software, gaining notoriety in 2021 after the group exploited the zero-day vulnerability in Accellion’s File Transfer Appliance.
According to the Advisory, on May 27, 2023, CL0P began exploiting a previously undetected SQL injection vulnerability in MOVEit Transfer. CL0P exploited this vulnerability to install a webshell named LEMURLOOT on MOVEit Transfer web applications (i.e., programs that are delivered over the internet through a web browser). Security researchers, such as Rapid7, identified roughly 2,500 instances of MOVEit Transfer exposed to the public internet. According to a posting by CL0P on its dark web leak site, CL0P has given affected companies until June 14 to contact them to negotiate payment for their data before threatening to publish the company’s name and stolen data to its leak site.
What Affected Companies May Expect Moving Forward
Affected companies that do intend to contact CL0P or negotiate an extortion payment will need to move quickly given the June 14 deadline. Note also that CL0P is likely operating in UTC time, which is four hours ahead of EDT and seven hours ahead of PDT, meaning that companies should treat June 13 as the effective deadline.
According to CL0P’s blog post, CL0P intends to negotiate for only three days, and if it cannot come to an agreement with the company on payment, CL0P will begin posting the company’s data seven days later. CL0P may not leak all the data at once, but may instead publish a small amount of data initially, hoping to negotiate an extortion payment in the coming weeks. Consistent with CL0P’s previous extortion tactics, the group may proceed to post additional data in subsequent waves depending on the affected company’s size, profile, work portfolio, and reputation.
CL0P further explained that, during negotiations, it will only provide 10% of affected companies’ data as well as 2-3 random requested files to provide evidence that CL0P has possession of the company’s data (also referred to as “proof of life”).
CL0P may also call affected companies after posting either the name of the company or some of its data. In a similar incident in January 2023, CL0P sent ransom notes to upper-level executives of the victim companies as it parsed through the exfiltrated data. By contrast, in this incident, CL0P has reportedly sent emails with ransom notes to some impacted companies, but may not do so for all impacted companies. Accordingly, potentially impacted companies should monitor their spam filters to ensure that they are able to receive any communications that CL0P may send.
Remediation
As of June 9, 2023, Progress Software has released patches for both the original vulnerability and the additional vulnerabilities identified since. All organizations should apply the most recent security patches released by Progress Software. Additional information can be found at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023. Additional tips for remediating CL0P ransomware may be found in the Joint Cybersecurity Advisory referenced above, which include inventorying assets and data to identify unauthorized devices and software, establishing a software allow list that permits only legitimate applications to execute, maintaining ongoing monitoring and secure network configurations, and regularly patching software and applications.
Alston’s Privacy, Cyber & Data Strategy team continues to monitor this situation.