Kroll’s forensic investigators identified the pattern used in the current attacks, which deployed the LEMURLOOT web shell (human2.aspx) via interaction with internal components in MOVEit’s application. Using this pattern and reviewing web server logs, they identified some of the same type of actions going as far back as June 2021. In April of 2022 the Kroll team identified automated efforts to collect and extract data from impacted servers. The stealthy and careful approach seems to have changed just before the disclosure of the zero-day by MOVEit. This likely means that the Cl0p group knew they had been caught and wanted to get as much as they could on their way out the door.
Since the disclosure of the zero-day, Cl0p has become more talkative about the incident, including telling security site BleepingComputer that it was indeed them (Cl0p) behind the attacks. This matches Microsoft’s attribution for the exploitation of the vulnerability. Cl0p has also posted on their site that they will start releasing the names of companies they have stolen data from if they do not hear from them and agree to their terms for not disclosing or selling the information.
Organizations that have been impacted by the data theft are in a bit of a bind: they will need to disclose to their clients and regulators that they were breached and that data was stolen. They also still have to deal with the possible disclosure of that data by Cl0p, which will lead to more penalties in one way or another. It is an ugly mess for them, and one that the actual developers probably should have identified in the two years since Cl0p found it. Issues like this one are why there is a need for more comprehensive processes around testing and securing software products. Starting with a software and application bill of materials and a baseline for operation, we can build a better foundation for products. This should be combined with a requirement for application penetration testing that does not just look for the known vulnerabilities but allows the attackers to get creative in finding ways to own the software. Anything less than this is simply fighting the last war, and that is a way to lose the battle.