Lessons from CL0P and MOVEit

Hacking group CL0P’s attacks on MOVEit point to ways that cyber extortion may be evolving, illuminating possible trends in who perpetrators target, when they time their attacks and how they put pressure on victims.

Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients’ clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.

Plus, perpetrators increasingly use threats to publish stolen data — more so than file encryption — to put pressure on victims and are exploring new ways of denying victims access to their data.

Still, cyber extortionists aren’t a monolith. While zero days make headlines, shoring up basic cyber defense can still go a long way toward defending against many of today’s ransomware attacks, said Tom Hofmann, chief intelligence officer for cyber intelligence and solutions provider Flashpoint.

And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.

“With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time,” Hofmann said. “They’re seeing what worked well, what didn’t, what tactics worked, and they’re learning from each other. So, the next go-around is going to be different.”

TIMING AND ATTACK METHODS

With MOVEit, CL0P struck around Memorial Day, notes risk and financial advisory solutions provider Kroll. This follows a trend of perpetrators timing their attacks for holiday weekends. The 2021 ransomware attack on software from IT company Kaseya also hit right before the Fourth of July holiday.

Groups like CL0P also appear to be focusing on widely used platforms and on exploiting zero-day vulnerabilities in them.

The MOVEit compromise was CL0P’s third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies,…
