Infosecurity Europe
4-6 June 2024
ExCeL London

What You Need to Know About the MOVEit Hack

The exploitation of the MOVEit managed file transfer service has seen organisations like the BBC and Siemens have their data compromised

‘It’s not if, but when’ is a common refrain in the cybersecurity world, and the recent MOVEit hack can certainly be seen as one of those ‘it was going to happen at some point’ incidents.

At the time of writing, Coveware estimates that the Clop ransomware gang may earn as much as $100m from its data extortion campaign, after a small number of victims paid the group large sums of money.

Why has the MOVEit hack been so successful for the gang? And more importantly, what can businesses do to protect against such attacks in the future? We’ll take a look at this and more in this blog.

Hitting the Business Supply Chain

The incident is so wide-reaching because so many organisations use the compromised file transfer tool MOVEit.

The zero-day vulnerability, which was originally uncovered by Progress, is an SQL injection weakness found in the managed file transfer (MFT) product. This flaw (CVE-2023-34362) can grant escalated privileges and unauthorised access.

The MOVEit Hack is a reminder of the importance of supply chain security. When organisations rely on third-party software, they are vulnerable to attacks that exploit vulnerabilities in that software.

Supply chain attacks are particularly popular with cyber-criminals because it is often easier to compromise a supplier and use that access to enter a large organisation than it is to break through the defences of a large organisation with a mature security posture.

Unfortunately, it is difficult for organisations, especially large ones, to have full visibility of all the software suppliers they use and what their vulnerabilities may be.

Clop TTPs

Clop is a financially motivated group believed to currently operate from Russian-speaking countries, with ties to various threat groups including TA505 and FIN11.

Originally, the group’s tactics relied on phishing attempts, brute forcing and exploiting known vulnerabilities.

They evolved to be among the first threat groups to use a ‘double extortion’ strategy, in which an adversary threatens to publish critical data on a leak site if the victim refuses to pay.

According to Sophos’ threat intelligence analyst, David Wallace, the group is known for its innovative techniques, including being among the first to email customers and partners of a compromised organisation to demand that they, too, pressure the compromised target to pay.

The exploitation of MOVEit Transfer is the third attack attributed to Clop during the first half of 2023, after the GoAnywhere incident in February and the PaperCut incident in April.

Here are some key takeaways from the MOVEit Hack:

  • The Clop ransomware group is a highly sophisticated and well-resourced threat actor.
  • The Clop attack on MOVEit Transfer exploited a zero-day vulnerability in the software.
  • The attack had a far-reaching impact, affecting organisations around the world including the BBC, New York City Department of Education and energy companies Schneider Electric and Siemens Electric.
  • Cybersecurity practitioners must take steps to protect their organisations from supply chain attacks.

Here are some tips for protecting your organisation from supply chain attacks:

  • Regularly patch your software.
  • Implement security best practices, such as multi-factor authentication and data encryption.
  • Monitor your network for suspicious activity.
  • Be aware of the latest threats and vulnerabilities.

By following these tips, you can help to protect your organisation.

To hear the Infosecurity Magazine team discuss the incident with threat intelligence experts and cybersecurity professionals, listen to the July podcast here for everything you need to know about the supply chain attack.
