2023 rankings: the sad results of the MOVEit hack, the most notable hack of the year


This is undoubtedly the worst news of 2023, a year now drawing to a close. The hacking of the MOVEit secure file transfer software by the Cl0p cybercriminals, spotted at the end of last May, produced an impressive number of victims: the latest count from IT security firm Emsisoft puts it at 2,691 organizations.

The latest victim is the dental insurance group Delta Dental. The company has just belatedly reported the theft of personal information – including banking information – of 7 million of its American customers. In France, two companies were notably affected: Synlab, a provider of medical diagnostic services, and Cegedim, which specializes in business software for health and insurance professionals.

As Emsisoft acknowledges, it is impossible to calculate the cost of these hacks precisely. According to an IBM study, a data breach costs an average of $165 per person affected. With the 91 million people affected by the MOVEit hack, that works out to a potential bill of around $15 billion.

Flaw in the web application

For this large-scale hack, Cl0p relied on a flaw discovered in the file transfer software’s web application. Vulnerable to SQL injection, it allowed the cybercriminals to authenticate as one of the users and then exfiltrate the data held in the compromised accounts.

Security specialists also noticed that the attack did not involve deploying ransomware, probably to move faster and avoid detection. The gang also relied on torrents to publish the stolen data, a way of increasing pressure on its victims through much faster distribution than a Tor site allows.

Vulnerability spotted in 2021

This devastating hack was carefully planned. According to the consulting company Kroll, the Cl0p cybercriminals “were probably experimenting with ways to exploit this vulnerability as early as 2021”. The firm also notes that the attack, an automated exploitation chain, was timed to coincide with a holiday weekend in the United States.

The Cl0p cybercriminal gang is identified by computer security researchers as TA505. This Russian-speaking group, tracked for almost ten years, is described as “mature and sophisticated” by Anssi. The attack on MOVEit, the result of a carefully thought-out strategy, is proof of that.

Cybercriminal expertise

As Anssi points out, “the exploitation of vulnerabilities in secure file transfer solutions does not seem random”. These applications, used by large organizations, allow “immediate access to numerous documents”. “It is likely that this group has developed expertise and is seeking to exploit other applications in this category of solutions as part of campaigns similar to supply chain attacks,” warns France’s cybersecurity agency.

The effort clearly pays off for cybercriminals. According to the investigation firm Chainalysis, cited by Le Monde, the hack may have brought in around one hundred million dollars in ransoms. In July, ransomware negotiation specialist Coveware estimated that the cybercriminals’ profits were likely in the range of $75 million to $100 million.

Those sums, it added, were extorted from a small number of victims ready to pay very high ransoms. That war chest is now likely to finance new criminal actions.
