MOVEit Vulnerability: Analysis

Justin W Christopherson
Old Dominion University
CYSE – 300: Introduction to Cybersecurity
Dr. Joseph Kovacic
January 21, 2024


The Attack

In May 2023, the CL0P ransomware group exploited a zero-day vulnerability in MOVEit Transfer, the managed file transfer product sold by Progress Software. The following paper breaks the analysis of the attack into three sections: which vulnerabilities and zero-days were exploited, what the repercussions of the incident were, and what could have been done to prevent it.

Vulnerabilities

MOVEit Transfer is a web-based managed file transfer service from Progress Software that companies around the world use to exchange files. In May 2023, the Russia-linked CL0P group exploited a zero-day SQL injection vulnerability in the MOVEit Transfer web application. The vulnerability is tracked as CVE-2023-34362 and carries a CVSS severity score of 9.8 out of 10. Two further vulnerabilities, CVE-2023-35036 and CVE-2023-35708, were discovered and patched in the weeks that followed, but this paper focuses on CVE-2023-34362. Its description reads: "Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements." Using the injection, the attackers installed a web shell known as LEMURLOOT on the server. The shell carries a hard-coded 36-character password and only acts on requests that present it, so only someone who knew the password could use the backdoor. Through the shell the attackers could query and manipulate the MOVEit database and download any files they judged valuable. Once the data was taken, CL0P gave victims until June 15, 2023 to contact them and threatened to publish the stolen data on the dark web if they did not pay.
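To make the vulnerability class concrete, the following Python script is an added illustration written for this analysis; it is not MOVEit code and does not reproduce the actual exploit. It builds a constructed SQLite table, runs the same user lookup two ways (string concatenation versus a bound parameter), and feeds each version two attacker strings: a tautology that returns every row, and a UNION onto SQLite's sqlite_master catalog, which is the "infer information about the structure of the database" outcome the CVE description mentions. The table, column and function names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
# Illustration of the SQL injection class only; not MOVEit code or its schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.org'),
    ('bob',   'bob@example.org');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Attacker-controlled text is pasted straight into the statement, so a
    # quote character in the input ends the literal and the rest becomes SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # The value travels as a bound parameter and is compared as a string;
    # it can never be parsed as SQL syntax.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against two attacker strings and return the results."""
    conn = make_db()
    # Tautology: the WHERE clause becomes always-true and every row comes back.
    dump_all = "x' OR '1'='1"
    # Structure inference: UNION onto the catalog table to read CREATE statements,
    # the "infer information about the structure" outcome the CVE text describes.
    # The trailing -- comments out the closing quote the application appends.
    read_schema = "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"
    return {
        "vuln_dump": lookup_vulnerable(conn, dump_all),
        "vuln_schema": lookup_vulnerable(conn, read_schema),
        "hard_dump": lookup_hardened(conn, dump_all),
        "hard_schema": lookup_hardened(conn, read_schema),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened version returns an empty list for both payloads because the bound parameter is compared as a literal string and never interpreted as SQL; the vulnerable version hands back every user for the first payload and the table definition for the second.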

Repercussions

The MOVEit attack spanned the globe, affecting approximately 94 million people and about 2,600 companies and their subsidiaries. According to a report released on January 18, 2024, the estimated cost of the damage done by the attack was around 11 billion dollars. The breach hit not only private companies but also governments. By October 30, 2023, "A Freedom of Information request reveals that the email addresses of 630,000 federal government employees have been breached, including those belonging to staff working for the Department of Justice, the Air Force and the US Army." Some, but far from all, of the organizations affected were Delta Dental of California, the Louisiana Office of Motor Vehicles, the Colorado Department of Health Care Policy and Financing, the Oregon Department of Transportation, and the State of Maine. One breached company that stands out is Gen Digital, headquartered in Tempe, Arizona, because it owns Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner. If CL0P was bold enough to attack cybersecurity companies and parts of the United States government, was anyone safe?

Prevention

Although the initial intrusion used a zero-day, and two more vulnerabilities followed, many victims could have limited their exposure by practicing basic cybersecurity hygiene. By June 1, 2023, the first patch was available, but not every MOVEit customer applied it, and unpatched servers continued to be breached. A company whose primary business is data transfer should treat sudden changes in traffic flow, such as one client pulling an unusual volume of files, as a red flag rather than noise. Other measures identified during research: before buying software, review the vendor's terms of service and support policy to learn how often patches are released and how quickly the vendor discloses breaches; place the service behind a firewall with an embedded Intrusion Detection System so that known indicators and anomalous traffic are flagged; and require strong passwords and two-factor authentication for every login used to make a transfer. One caveat on the last item: CVE-2023-34362 did not require a valid account, so multifactor authentication would not have stopped the injection itself, but it does limit what an attacker can do with credentials recovered from a compromised database.
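As an added example of the traffic-monitoring and intrusion-detection points above, and of the web shell described in the Vulnerabilities section, the Python script below scans a constructed IIS-style access log for two signals: requests to human2.aspx, the LEMURLOOT file name CISA documented in advisory AA23-158a, and a single client pulling an unusually large volume of data. The log lines, the field layout, the client addresses, the download path and the byte threshold are all made up for this example; it is not Progress or CISA code.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed IIS-style access log for the example. Fields are
# date time client-ip method uri status bytes-sent; real MOVEit logs differ.
LOG = """\
2023-05-28 03:12:01 198.51.100.7 GET /human.aspx 200 5120
2023-05-28 03:12:09 198.51.100.7 POST /human2.aspx 200 742
2023-05-28 03:13:10 198.51.100.7 GET /human2.aspx 200 9418200
2023-05-28 03:13:41 198.51.100.7 GET /human2.aspx 200 8823100
2023-05-28 03:14:02 198.51.100.7 GET /human2.aspx 200 9100020
2023-05-28 08:01:12 203.0.113.4 GET /human.aspx 200 5120
2023-05-28 08:02:30 203.0.113.4 GET /files/4207/download 200 204800
"""

# File name of the LEMURLOOT web shell as reported in CISA advisory AA23-158a.
WEB_SHELL_PATH = "/human2.aspx"
# Per-client egress threshold; a hypothetical tuning value, not a vendor figure.
BULK_BYTES = 20 * 1024 * 1024


@dataclass
class Alert:
    rule: str
    client: str
    detail: str


def parse(log_text: str) -> list[dict]:
    """Split the constructed log into one dict per request."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, client, method, uri, status, nbytes = line.split()
        rows.append({
            "ts": f"{date} {time}", "client": client, "method": method,
            "uri": uri, "status": int(status), "bytes": int(nbytes),
        })
    return rows


def detect(log_text: str, bulk_bytes: int = BULK_BYTES) -> list[Alert]:
    """Flag web shell requests and clients whose total egress exceeds bulk_bytes."""
    alerts = []
    egress = defaultdict(int)
    for r in parse(log_text):
        # Rule 1: any hit on the web shell path, regardless of method or status.
        if r["uri"].lower().endswith(WEB_SHELL_PATH):
            alerts.append(Alert("webshell-path", r["client"],
                                f'{r["method"]} {r["uri"]} at {r["ts"]}'))
        # Rule 2: accumulate bytes served on successful GETs per client.
        if r["method"] == "GET" and r["status"] == 200:
            egress[r["client"]] += r["bytes"]
    for client, total in sorted(egress.items()):
        if total > bulk_bytes:
            alerts.append(Alert("bulk-download", client,
                                f"{total} bytes sent to one client"))
    return alerts


if __name__ == "__main__":
    for a in detect(LOG):
        print(f"[{a.rule}] {a.client}: {a.detail}")
```

Standard IIS logs do not record custom request headers, so the advisory's other indicator, the X-siLock-Comment header that carries the shell's password, would need a reverse proxy or WAF that logs headers; the same loop could then add a third rule for it. The byte threshold should be tuned to a server's normal daily egress per client before it is trusted in production.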

Conclusion

The MOVEit breach that began in May 2023 impacted millions of people around the world. The research for this paper relied on academic resources, except for the timelines, which were taken from cybersecurity websites because they are still being updated monthly. The fact that the breach reached US government systems, banks, and the Department of Defense is horrifying. If attackers could get into these systems with this breach, it is a wonder what else is being attacked as I write this paper.

References
Cybersecurity and Infrastructure Security Agency. (2024, January 16). #StopRansomware: CL0P ransomware gang exploits CVE-2023-34362 MOVEit vulnerability (AA23-158a). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Cybereason Nocturnus. (n.d.). Cybereason vs. Cl0p ransomware. Cybereason. https://www.cybereason.com/blog/research/cybereason-vs.-clop-ransomware

Powell, O. (2023, November 2). A full timeline of the MOVEit cyber attack. Cyber Security Hub. https://www.cshub.com/attacks/news/iotw-a-full-timeline-of-the-moveit-cyber-attack

Simas, Z. (2024, January 18). Unpacking the MOVEit breach: Statistics and analysis. Emsisoft. https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/
