2023 Winners: the sad assessment of the MOVEit hack, the most striking hack of the year
This is undoubtedly the worst news of the year 2023 that is coming to an end. The hacking of the MOVEit secure transfer software by Cl0p cybercriminals, spotted at the end of last May, resulted in an impressive number of victims. It was evaluated at 2691 organizations in the last count of the IT security company Emsisoft.
The latest victim is the dental insurance group Delta Dental. The company has just belatedly reported the theft of personal information – including banking information – from 7 million of its American customers. In France, two companies had in particular been affected, the provider of medical diagnostics services Synlab and the specialist in business software for health and insurance professionals Cegedim.
As Emsisoft agrees, it is impossible to calculate the cost of these hacks. According to a study by IBM, a data breach costs an average of $165. With the 91 million people involved in the hacking of MOVEit, this results in an astronomical potential slate of about $ 15 billion.
Flaw in the web application
For this large-scale hack, Cl0p relied on a flaw discovered in the web application of the file transfer software. Vulnerable to an attack by SQL injection, it allowed cybercriminals to authenticate themselves as one of the users before then exfiltrating the data present on the hacked accounts.
IT security specialists then noticed that the attack had not resulted in the deployment of ransomware. Probably to go faster and avoid being detected. The gang had also relied on torrents to publish the stolen data. This is a way to increase the pressure on their victims, with a much faster dissemination than on a Tor site.
Vulnerability spotted as early as 2021
This devastating hack has been carefully prepared. For the consulting company Kroll, the cybercriminals of Cl0p “were probably experimenting with ways to exploit this vulnerability as early as 2021″” The firm also notes that the tempo of the attack, an automated exploitation chain, coincides with a public holiday weekend in the United States.
The Cl0p cybercriminals gang is identified by computer security researchers under the name of TA505. This Russian-speaking group, which has been followed for almost ten years, is described as “mature and sophisticated” by Anssi. The proof with this attack on MOVEit, the result of a carefully thought-out strategy.
Cybercriminal expertise
As the Anssi recalls, “the exploitation of vulnerabilities in secure file transfer solutions does not seem random”. These applications used by large organizations indeed allow “immediate access to many documents”. “It is likely that this group has developed expertise and is looking to exploit other applications in this category of solutions as part of campaigns akin to supply chain attacks,” warns the French cyber-firefighter.
The game is clearly worth the candle for cybercriminals. According to the investigative company Chainalysis, cited by Le Monde, the hacking would have made it possible to fraudulently collect about one hundred million dollars in ransoms. In July, the trading specialist Coveware estimated that it was likely that the earnings of cybercriminals would be in the range of between 75 and 100 million dollars.
Sums extorted, he added, from a small number of victims willing to pay very high ransoms. A war chest that should now be used to finance new criminal actions.
You May Also Like
