Discover Clop ransomware's latest twist! Using torrents to leak stolen data from MOVEit attacks.

Continue reading
In a recent turn of events, the infamous Clop ransomware group has upped their malicious game, employing torrents to leak stolen data from compromised MOVEit Transfer deployments.
This Threatfeed delves into the underlying intricacies of the ransomware attack, analyzing the initial breach, the impacted organizations, and the shift in extortion tactics.
MOVEit, the trusted file transfer platform relied upon by governments, financial institutions, and various public and private sector entities globally, became the epicenter of a cyber catastrophe in late May 2023. The breach was no ordinary file transfer—malicious hackers from the Cl0p ransomware operation orchestrated the attack, stealing critical data and sending shockwaves throughout the industry.
As the dust settled, the staggering scope of the incident emerged. A total of 590 organizations and 39,708,389 individuals fell victim to the nefarious plot. Among the most heavily impacted were organizations like Maximus, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, Teachers Insurance and Annuity Association of America, and Genworth. Most victims were based in the United States, followed by Germany, Canada, and the United Kingdom. Finance and professional services, along with the education sector, bore the brunt of the attacks.
Quantifying the cost of the MOVEit incident proved challenging, but potential estimates were staggering. Based on known victims, the breach could cost a mind-boggling $6,551,884,185, with a potential escalation to $38,013,902,301 if all victims confirm similar impacts. The ramifications extend far beyond financial losses, as spear phishing and BEC scams loom on the horizon, exploiting the stolen data to enable even more cybercrimes.
The attackers leveraged not one but three vulnerabilities in MOVEit Transfer. CVE-2023-34362, rated 9.8 out of 10 in severity, served as the initial entry point, allowing unauthorized environmental access since at least May 27th. Two other critical vulnerabilities, CVE-2023-35036 and CVE-2023-35708, followed, further enabling the exploitation of the platform.
The attack on MOVEit was facilitated by exploiting two critical zero-day vulnerabilities. On May 31st, Progress Software disclosed CVE-2023-34362, rated 9.8 out of 10 in severity, alerting users to a potential escalation of privileges and unauthorized access. However, the vulnerability had already been breached since May 27th. Subsequent patches were issued for CVE-2023-35036 on June 9th and CVE-2023-35708 on June 15th, aiming to curtail further exploitation. Despite these efforts, Cl0p had already managed to gain unauthorized access and pilfer sensitive data.
The ransomware group initially claimed to have deleted the stolen data from governments, cities, and police services. However, their bluff was exposed when they listed the UK's Office of Communications (Ofcom) and Ireland's Commission for Communications Regulation (Comreg) on July 17th, 2023. The deceitful narrative crumbled, underscoring the unpredictable and treacherous nature of these cyber adversaries.
Cl0p ransomware, part of the larger TA505 operation, is notorious for deploying file-encrypting ransomware. However, their tactics have evolved, focusing on data exfiltration rather than encryption. By utilizing the threat of releasing stolen data as leverage, Cl0p manipulates organizations into paying hefty ransoms, amassing a staggering $75-$100 million dollars in extortion payments.
To circumvent slow transfer speeds and evasive takedowns, Clop turned to torrents as a distribution method for the stolen MOVEit data. Leveraging peer-to-peer transfers, the threat actors achieved faster download speeds, presenting a new challenge for law enforcement. With the potential for broader data distribution, the victims faced even greater pressure to comply with extortion demands. This ingenious maneuver bypasses the sluggishness of traditional Tor data leak sites and poses a formidable challenge to law enforcement attempting to dismantle the operation The incident's aftermath will be costly, involving remediation, credit monitoring, lawsuits, and a heightened risk of further cybercrime. Secure by Design and Secure by Default initiatives hold promise as essential strategies in fortifying software security.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.