Cl0p’s MOVEit Campaign Represents a New Era in Cyberattacks
The MOVEit file transfer zero-day vulnerability, first discovered on June 1, was used to breach at least 160 confirmed victims by June 30. The successful mass extortion campaign represents an evolution of tactics by the Russian-backed Cl0p ransomware group, which experts say is likely to catch the attention of rival threat actors.
Threat researchers note that the MOVEit campaign has some clues about how to respond to future of supply chain cyberattacks for defenders as well.
So far, the breached organizations include a who’s who of international brands, like Avast’s parent company,
British Airways, Siemens, UCLA, and more. Reports say the ransomware group pulled off the technically detailed mass exploitation after at least two years of careful development, patiently plotting and planning when and where to strike, armed with the secret flaw in the MOVEit file transfer software.
Ransomware-Less Ransomware Attacks
Researchers note a few innovations Cl0p has made between previous exploits and the MOVEit campaign, which are likely to influence other threat groups. For instance, Cl0p has streamlined the extortion business model by doing away with ransomware all together, John Hammond, Huntress security threat researcher explained to Dark Reading.
“From what the industry has seen in [recent] Cl0p breaches (namely, GoAnywhere MFT and MOVEit Transfer), they haven’t executed ransomware within the target environments,” Hammond says. “The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion. It’s not clear why they opted not to encrypt files.”
While it’s not clear why Cl0p pivoted, the end result is a ransomware business model without the overhead of trying building better ransomware, he adds.
“Perhaps other cybercrime gangs will follow suit, and the development of ransomware tooling and creating faster malware may fall to the way-side when adversaries can just focus on their real goal of making money,” Hammond says.
Third-Party Zero Day Exploit Providers
All of that said, if making money was the primary motivation for the MOVEit cyberattacks, the group would have chosen a much simpler approach than investing the time and resources to…