The MOVEit Breaches

Summary 

CISA, jointly with the FBI, released an advisory stating that MOVEit Transfer, Progress Software's managed file transfer (MFT) product used by corporations and enterprises to exchange large files over the internet, was compromised by Cl0p in May 2023 through a vulnerability tracked as CVE-2023-34362, affecting more than 200 organizations worldwide. The exploit was used to exfiltrate data; no ransomware was deployed on affected systems. Progress Software's press release of June 5, 2023 stated that a patch had been released within 48 hours of the company learning of the vulnerability.


Technical Explanation of the Breaches

The Cl0p ransomware group exploited a previously unknown (zero-day) SQL injection vulnerability, CVE-2023-34362, in the MOVEit Transfer web application. SQL injection as a bug class is common, well understood and easily prevented with parameterized queries, but this particular instance had not been discovered or patched, which is what made it a zero-day. The initial breach was conducted at the web-portal level: by sending crafted input to the unauthenticated portal, the attackers caused the application to execute attacker-controlled SQL against its backend database instead of treating the input (where a username or password would normally go) as plain data. That bypassed the portal's authentication and gave the threat actor unauthorized access to the system.
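As an added example that is not code from this page, from Progress Software or from any published MOVEit analysis, the generic pattern behind a SQL injection authentication bypass, written against a constructed in-memory SQLite user table. The table layout, usernames and passwords are assumptions made for the demo. The vulnerable login builds its query by string interpolation, so a username of `alice'--` closes the string literal and comments out the password check and any password logs the attacker in as the admin; hashing the password does not help because the username field is still interpolated. The parameterized version binds the same input as data and rejects it.

```python
import hashlib
import sqlite3

# Constructed demo: an in-memory SQLite table standing in for a web portal's
# user store. Nothing here is MOVEit code; the schema and accounts are assumptions.


def build_db() -> sqlite3.Connection:
    """Create a throwaway user table holding two accounts with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_sha256 TEXT, role TEXT)"
    )
    rows = [
        ("alice", hashlib.sha256(b"correct horse").hexdigest(), "admin"),
        ("bob", hashlib.sha256(b"hunter2").hexdigest(), "user"),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Authenticate by gluing user input into the SQL text (the bug).

    Returns (username, role) on success, None on failure. Because the
    username is interpolated, an attacker can close the quote and comment
    out the rest of the WHERE clause, so the password hash is never compared.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND pw_sha256 = '{pw_hash}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: input is always data, never SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND pw_sha256 = ?",
        (username, pw_hash),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Legitimate credentials succeed in both versions.
    print(login_vulnerable(db, "alice", "correct horse"))   # ('alice', 'admin')
    # Injected username: the quote closes the literal and '--' comments out
    # the password comparison, so a wrong password still logs in as admin.
    print(login_vulnerable(db, "alice'--", "wrong"))        # ('alice', 'admin')
    # A tautology matches every row; fetchone() hands back the first one.
    print(login_vulnerable(db, "' OR 1=1--", "wrong"))      # a row, not None
    # The parameterized query treats the payload as a literal username.
    print(login_parameterized(db, "alice'--", "wrong"))     # None
```

The fix is not input filtering but keeping SQL text and data separate: with `?` placeholders the database driver never parses the attacker's string as part of the statement, so the same payloads simply fail to match any account.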

A zero-day is a flaw unknown to those who would want to mitigate it, above all the software vendor and its users, so no patch or workaround exists at the time it is exploited. Once inside, the attackers used their database access to establish a fraudulent active session and then obtained API tokens from that session, without ever presenting a password. API tokens are bearer credentials that grant access to system functionality and data; holding one let the attackers act exactly as an authenticated user would and thereby maintain their unauthorized access.

The chain ended with the attackers deploying a web shell on the MOVEit Transfer server (the CISA and FBI advisory tracks it as LEMURLOOT), giving them command execution on the host. A web shell is a script placed in the web root that accepts commands over ordinary HTTP requests; threat actors use it to maintain persistent access, stage further actions and escalate privileges. Cl0p used this access to enumerate and exfiltrate the files stored in MOVEit. To date the campaign has involved only data theft and extortion; no ransomware has been deployed.
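As an added example, not drawn from CISA, Progress Software or Cl0p's tooling, of a check a defender would run after this kind of intrusion: a file-integrity diff of the web root against a known-good manifest that flags new or modified server-executable files, which is how a dropped web shell or a tampered page shows up. The web root, file names and contents are constructed in a temporary directory for the demo, and the suffix list of "executable web content" is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Added detection example. The directory tree and file names are constructed
# for the demo and do not correspond to any real MOVEit installation.

WATCH_SUFFIXES = (".aspx", ".ashx", ".asmx", ".dll")  # assumption: what counts as code


def hash_tree(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict, watch_suffixes=WATCH_SUFFIXES) -> dict:
    """Compare two manifests and flag added or changed files with code suffixes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    suspicious = sorted(
        p for p in added + modified if p.lower().endswith(watch_suffixes)
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "suspicious": suspicious,
    }


def demo() -> dict:
    """Build a fake web root, snapshot it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.aspx").write_text("<%-- constructed legitimate page --%>")
        (root / "static").mkdir()
        (root / "static" / "site.css").write_text("body{}")
        # In practice the baseline is taken at install/patch time and kept off-host.
        baseline = hash_tree(root)

        # Simulated post-compromise state: a new .aspx appears, an existing page
        # is altered, and a stylesheet changes too (noise that must not alert).
        (root / "shell.aspx").write_text("<% /* constructed web shell stand-in */ %>")
        (root / "login.aspx").write_text("<%-- tampered --%>")
        (root / "static" / "site.css").write_text("body{margin:0}")
        return diff_manifest(baseline, hash_tree(root))


if __name__ == "__main__":
    report = demo()
    for key in ("added", "modified", "removed", "suspicious"):
        print(f"{key:10s} {report[key]}")
    # suspicious -> ['login.aspx', 'shell.aspx']
```

The baseline must be captured from a known-good state and stored where the web server cannot rewrite it; a web shell that runs as the application identity can otherwise update the manifest along with the file it dropped. Pairing the flagged path with web-server access logs then shows who first requested it and when.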

Screenshot from Cl0p’s onion site.

Interestingly, Cl0p appears to be keeping its stated promise not to publish data belonging to government agencies (though CNN has reported otherwise). Several factors could explain the group's decision not to target governments or government agencies.

1. Risk Mitigation: Engaging in cyber activities against government entities often involves a significantly higher risk compared to other targets. Governments tend to have more resources to respond to such attacks, including the ability to leverage law enforcement and intelligence agencies for investigative purposes. As a result, threat actors might choose to avoid drawing attention from these powerful entities to stay operational for longer.

2. Legal Consequences: The legal repercussions associated with attacking a government entity can be substantial. Given the severity of these crimes, the penalties can include long prison sentences if the perpetrators are caught. This might act as a deterrent for some cybercriminal groups, particularly if they operate from or have connections to countries with strong cybersecurity laws and enforcement.

3. Profit Motive: If Cl0p's primary motivation is financial gain, they might find commercial entities to be more lucrative targets. These businesses often have valuable data they can't afford to lose, making them more likely to pay a ransom. Additionally, commercial entities might be less secure compared to government organizations, making them easier targets.

4. Political Implications: If a ransomware group is affiliated with or backed by a nation-state, it might avoid targeting government entities to prevent geopolitical complications or conflicts. This, of course, depends on the specific relations between the country the group operates from and the countries they target.

In sum, the decision to avoid government targets likely arises from a combination of these factors, all aimed at minimizing risks while maximizing rewards.

Parting Thoughts

Two very large law firms, Kirkland & Ellis and K&L Gates, have been breached, and both have chosen not to pay Cl0p's ransom to prevent the release of their files.

Screenshots of Kirkland & Ellis and K&L Gates files available for download from Cl0p's onion site.

Given that Cl0p has a reputation for not releasing files once a victim pays, could the firms have had a legal duty to pay the ransom in order to protect their clients' PII? What about an ethical duty to preserve confidentiality?

Legally

Legally, there is currently no definitive duty for a firm to pay a ransom under U.S. law. This area is largely unregulated, and many law enforcement agencies, including the FBI, advise against paying ransoms, as it may encourage further criminal activity. However, from a torts perspective, if the firm failed to take reasonable precautions to secure client data and that failure led to the breach, the firm could potentially be held liable for negligence. But is there a contracts argument?

It's possible to argue that this situation could represent a breach of contract, and that the breached company (in this case, the law firm) has a duty to mitigate damages.

A law firm typically has contractual agreements with its clients that implicitly or explicitly stipulate the protection of the client's confidential data. If the firm fails to adequately protect that information due to a ransomware attack, it could be seen as a breach of this contractual obligation.

The concept of "duty to mitigate" comes from contract law and refers to the responsibility of a party to take reasonable steps to minimize the damages, or potential damages, resulting from another party's breach of contract. If a law firm has suffered a data breach, it may have a duty to mitigate the damage to its clients, which could theoretically include paying a ransom to prevent the release of client data.

Ethically

Ethically, the American Bar Association's (ABA) Model Rules of Professional Conduct do not directly address the issue of ransom payments. However, several rules may be relevant. Rule 1.6 requires lawyers to maintain confidentiality of client information, while Rule 1.9 requires lawyers to protect the information of former clients. Rule 1.4 requires lawyers to communicate with their clients about issues that allow the clients to make informed decisions about the representation. If a breach occurred, these rules could arguably impose a duty on the firm to do what it can to protect client data, which might include paying a ransom.

However, there's another important consideration: the ABA's Formal Opinion 483, which discusses lawyers' obligations after an electronic data breach. It clarifies that lawyers must take reasonable steps to prevent data breaches and to monitor for them, and that if a breach occurs, lawyers have a duty to notify clients of the breach.

Still, both firms had the option to pay the ransom in an attempt to maintain confidentiality under Rule 1.6. At the very least, that option should be part of the conversation.
