Click Here Ep. 82: The Cl0p Gang's in Love With A Very Special Bug

The document discusses a Russian ransomware gang called Cl0p that was behind a major cyberattack on a file transfer service called MOVEit. Cl0p has been active since 2018 and is believed to have made over $500 million from ransomware attacks. Their attack on MOVEit used a zero-day vulnerability to encrypt files and demand ransom from over 1,000 victim organizations, potentially exposing personal data from 60 million people.

Episode 82: The Cl0p gang’s in love with a very special bug

DINA TEMPLE-RASTON: Dustin Childs is a bounty hunter…

[DOG THE BOUNTY HUNTER MUSIC]

TEMPLE-RASTON: Not quite like Dog the Bounty Hunter, that guy from that TV show who’d chase
down fugitives in Hawaii…

[MORE DOG THE BOUNTY HUNTER TAPE]

TEMPLE-RASTON: Dustin’s bounty hunting involves less running and more typing.

DUSTIN CHILDS: Welcome to my world, which is the bug bounty world.

TEMPLE-RASTON: Dustin goes after computer bugs and collects or pays bounties for them. He is the
head of threat awareness for Trend Micro’s Zero Day initiative. Trend Micro is an IT security
company, and the Zero Day Initiative is the world’s largest bug bounty program.

CHILDS: We buy all sorts of bugs, and we've been at this since 2005. We take the bugs, and we use
them to write filters for our products, so our customers get protected right away. And then we report
the bugs to the vendors so that they can patch it.

[MUSIC BUMP]

CHILDS: We buy Microsoft Bugs, Apple Bugs, Trend Micro, Google, Adobe, you name it.
We have a remote team all over the world, and they're looking, reporting their own bugs.

TEMPLE-RASTON: They find a bug, which is essentially a vulnerability in the code. They tell Dustin
about it, and then he pays them a bounty for their trouble.

CHILDS: Depending on the type of bug, it could be worth $150. And depending on where it's sold, it
could be worth up to 15 million.

TEMPLE-RASTON: And the monster whale, the big get when it comes to coding errors, is something
called a Zero Day. And there are different kinds of Zero Days, some more dangerous than others. But
the easiest way to think about them is to see them as an unpatched hole in widely used software or
technology that no one knows about yet. And because no one knows about it, and no one has
patched it, they can fetch very big bounties.

CHILDS: Right now, I think, two and a half million dollars for a zero day exploit in Android phones.

[MUSIC UP AND OUT]

TEMPLE-RASTON: The most rare and prized exploits are Zero Days that are loaded up with other
code to make them more pernicious and then they are part of epic hacks. Those kinds of exploits are
so hard to find that they’re very expensive to buy, so usually only nation-states can afford them.

The list of Zero Day hacks includes things like NotPetya, which was launched by hackers working
with Russian intelligence. In that case they used one zero day exploit.

CBS: It quickly spread, paralyzing major companies and causing more than $10 billion in damage.

TEMPLE-RASTON: Stuxnet, which is thought to be the work of Israel and the U.S., used four Zero Day
exploits.

NEWS: Someone sabotaged a top secret nuclear installation in Iran with nothing more than a long
string of computer code.

TEMPLE-RASTON: So to see an exploit out of that nation-state context, to see one used by an
unaffiliated ransomware group, that makes someone like Dustin really sit up and take notice.

Which is exactly what happened a few months ago, with a file transfer service called MOVEit. It
became the blockbuster hack of the summer.

CBS: We begin tonight with a significant cyber attack.

ABC17: The data breach of the MoveIt system was discovered this summer.

CBS: U.S. government officials say there has been an attack on federal agencies, hospitals and
schools.

[MUSIC BUMP]

TEMPLE-RASTON: So far, the MOVEit hack has affected some 1,000 organizations. It may have
exposed the personal information of some 60 million people. And some experts say that may be just
scratching the surface.

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston and this is Click Here, a podcast about all things cyber
and intelligence. We tell true stories about the people making and breaking our digital world.

And today, we look at Cl0p, spelled C-L-ZERO-P. They’re the Russian-speaking ransomware
group behind the MOVEit hack, and they’ve made targeting obscure but critical middleware
programs a speciality.

And with this latest attack they used a Zero-Day bug to do it.

CHILDS: They know what they’re doing. They’re not doing things on accident. But it definitely shows
they have a playbook and they’re sticking to it.

TEMPLE-RASTON: Stay with us.

[BREAK]

[STINGER]

TEMPLE-RASTON: Cl0p is a Russian-speaking ransomware gang that has been committing
cybercrimes since 2018. Their attacks tend to be the standard fare: Hack into some company’s
network, encrypt their files so they can’t use them, demand a ransom, and then if they get paid,
provide a key that unlocks the files.

In the past five years, Cl0p is believed to have raked in more than $500 million from its victims,
which is the kind of number that puts a hacker in the crosshairs of police.

[RAID VIDEO: COPS YELLING, KNOCKING ON DOOR]

TEMPLE-RASTON: This is a video from an international sting operation on Cl0p’s hideouts near Kyiv.
They called it Operation Cyclone.

[SAW SOUND]

TEMPLE-RASTON: That’s the sound of a buzzsaw. The video shows police actually sawing a hole in
the front door of one of the suspects. Then they cut to a shot of a young guy and a woman in their
pajamas sitting on a couch. Their faces are blurred, but you can hear the police reading the charges
against them.

[COP READING THE CHARGES]

TEMPLE-RASTON: They are money launderers for Cl0p. Then the video cuts to the police, in white
surgical gloves, counting stacks of rubles. The suspected money launderers? They take the
cryptocurrency payments Cl0p gets as ransom and turn it into cash. And there are so many stacks
laid out on the floor, it looks like a carpet.

[UKRAINIAN OFFICER SPEAKING]

TEMPLE-RASTON: A Ukrainian police officer offers a bit of a declaration at the end of the video:
“We’re ready to conduct more of these kinds of international operations in the future,” he says. “We
will resist hackers throughout Ukraine and the world is not alone. We will be your partner.”

[VIDEO FADES OUT]

Operation Cyclone didn’t seem to cramp Cl0p’s operations much though. They had already attacked
the file transfer service inside Accellion, a firewall vendor. And then, earlier this year, they set their
sights on GoAnywhere, another file transfer system.

So in some ways, we should have seen MOVEit coming, or at least it shouldn’t have come as a
surprise.

[MUSIC OUT]

TEMPLE-RASTON: Even so, it did catch Dustin Childs off guard.

[BEACH SOUNDSCAPE]

TEMPLE-RASTON: He remembers exactly where he was when the MOVEit hack went public. He was
on holiday.

CHILDS: So I was scrolling my phone, on a beach next to a pool. And like, yeah, great. Why does it
always happen on vacation?

TEMPLE-RASTON: All he knew initially was that there was a zero day used to attack a file transfer
program he’d never heard of.

CHILDS: The first thing that went through my mind is: What is MOVEit? Because it was not a
software that I was familiar with.

TEMPLE-RASTON: But, it turns out, MOVEit is a major player in the file-sharing world.

MOVEit VIDEO: Your business depends on transferring mission critical sensitive data securely and
reliably. MOVEit can help.

TEMPLE-RASTON: That’s from one of MOVEit’s promotional videos. Its transfer service is ubiquitous.
It has thousands of corporate clients: Chase Bank, Disney, and Johns Hopkins University. Also, lots of
government clients, like the Department of Energy.

You may have used it, too — maybe to upload your W2 to your tax preparer or to send your
mortgage papers to the bank. Even so, MOVEit is so behind the scenes that users might not even
realize they’re using it.

CHESTER WISNIEWSKI: I had never heard of it. [chuckles] I mean, I give my information to my
accountant for my taxes over one of these. In fact, it might be MOVEit. I have no idea what the thing
is. It’s a private branded web portal. I just go, Hey, they're giving me a secure way to send them files. And
like everybody else in the world, I click the upload button, right? And I put all my stuff in and I never
considered, like, “How secure is this thing?” Cause I just assume it's like a secure file transfer
service. This company must invest a lot of money in security if the thing they're selling is a security
thing, right? But I guess that's a bit too much to expect.

TEMPLE-RASTON: That’s Chester Wisniewski.

WISNIEWSKI: I’m field chief technology officer for applied research at Sophos.

TEMPLE-RASTON: Sophos is a global enterprise security company, which basically means they
secure company networks. And security is a big part of MOVEit’s sales pitch.

MOVEit VIDEO: MOVEit keeps your files secure, both in transit and at rest, with a tamper-evident
audit log…

TEMPLE-RASTON: The MOVEit service is pretty simple: You put in an email address for where it is
going, type your email in for where it is from and then drag the file over to a box and hit send. But
MOVEit also allows you to search the files you’ve uploaded to their system.

WISNIEWSKI: When you wanna look something up, you type something in. It has to turn that into a
query to the database to go retrieve the results for you. And there was a bug in the MOVEit product.

TEMPLE-RASTON: And Chester says that the flaw the Cl0p hackers found allowed them to arbitrarily
retrieve any file uploaded to MOVEit by anyone. It gave them a kind of super administrator’s access
that allowed them to put malicious computer code inside the victim’s system.

WISNIEWSKI: In this case, the criminals used these bugs to plant a backdoor.

[MUSIC]

TEMPLE-RASTON: A backdoor that allowed them access to the system even after the bug was fixed.

WISNIEWSKI: If the criminals had managed to access your system before, even if you then went and
applied the update, they could still get back in. So that if you close the original hole, they had a new
hole to come in.

TEMPLE-RASTON: Which is exactly what happened.

[MUSIC BUMP]

TEMPLE-RASTON: MOVEit discovered Cl0p’s initial breach and patched that original hole, instructing
customers to ensure their own systems hadn’t been compromised in the meantime. The concern:
that Clop had managed to plant a backdoor they might not have known about.

[NB: A spokesperson from Progress Software said the company has not found any evidence that that
had actually happened.]

WISNIEWSKI: [Cl0p WAS] able to sort of write a bot basically that would automatically find every
MOVEit server in the world. Steal the data from it in an automated fashion and place a backdoor on
them.

TEMPLE-RASTON: And because they had programmed a computer to do it all for them…

WISNIEWSKI: There was very little labor or personal human effort going into targeting.

TEMPLE-RASTON: So, by breaking into just one entity in this automated way, Cl0p had gained access
to private data held by thousands of organizations. From a hacker’s perspective, all this was
brilliantly efficient. Why go through the effort of hacking thousands of companies, one-by-one, when
you can get the same results faster by hacking a middle-man like MOVEit?

It turns out that wasn’t Cl0p’s only bright idea.

[MUSIC]

TEMPLE-RASTON: When we come back, an evolution of the ransomware business model.

Stay with us.

[BREAK]

[STINGER]

TEMPLE-RASTON: The attack on MOVEit appears to be an evolution of something that’s been
building over the past few years. Back in 2019, Russian state-sponsored hackers took aim at the
SolarWinds management software. It was seen as a supply chain attack: you get into lots of
networks with a kind of bank shot, attacking software your target uses instead of the target itself.

And Dustin Childs, the bug bounty guy we talked to at the beginning of the episode, said the MOVEit
hack is a kind of updated version of that. MOVEit is something called middleware. Attack that, and it
turns out you can monkey-bar into the networks of thousands of other companies.

CHILDS: These middleware programs are a problem. They are very susceptible because there hasn't
been a lot of scrutiny.

TEMPLE-RASTON: Big name programs like Microsoft Windows or Mac OS or Google Chrome —
they’ve got lots of people looking at their code. And, as a result, they’re pretty secure. But more
obscure software, say code that allows applications to talk to each other or file transfer systems like
MOVEit, not so much.

CHILDS: The perimeter is very secure. The desktop is very secure. The stuff in the middle, it's kind of
like the chocolatey nougat that you can get in there and really take advantage of.

[MUSIC BUMP]

TEMPLE-RASTON: The vulnerability of that gooey center seems to be something Cl0p understood.

CHILDS: They may have some very glaring holes that people can exploit once they really shine a
spotlight on them. Because if there's one bug, usually that means there's a lot of bugs. So there's a
viable path to destruction essentially through this middleware.

TEMPLE-RASTON: To pave that path to destruction in MOVEit, Cl0p bought a zero day. There are
essentially two kinds of zero days: the cheaper version, just the bug itself, a flaw that gets you in…or
the premium version — an exploit, which is the bug fully loaded with all the bad things you can do
once you’re in.

You can think of the bug as a key to get into a room. And the exploit as the key plus tools and a map
of what to steal or destroy once you’re inside. Nation-states tend to buy those fully loaded exploits.
But Cl0p bought just the cheaper bug.

[MUSIC]

TEMPLE-RASTON [INTERVIEW]: How do you think they got their hands on a zero day?

CHILDS: There's multiple ways they could have acquired it. There are underground forums where
there are auctions. They could have someone in their group who actually found the zero day or they
could have purchased it from an initial access broker.

TEMPLE-RASTON: Think of initial access brokers as a kind of specialist. They are hackers that are
really good at breaking into systems, and they essentially sell access to something they’ve already
broken into. So, if one were to guess, Dustin says, Cl0p may have bought its bargain-basement
MOVEit zero day for, like, $20,000.

And Dustin is so good at pricing this because, this is exactly the kind of thing he pays people to find
in his bug bounty business, which can be incredibly profitable.

CHILDS: There’s people around the world where finding a zero day is life-changing for them. We
have one researcher in Ethiopia, and he was punching the air because we essentially made him the
richest man in his village.

TEMPLE-RASTON: And Cl0p members have become some of the richest guys on the darkweb
because they are finding or buying these zero-day bugs and actually deploying them in a very
methodical way.

CHILDS: They seem to be a little bit more on the professional side. I don't like to use the word
professional when it comes to ransomware because it is a criminal activity, but they color with a
different crayon.

TEMPLE-RASTON: And now, increasingly, they are coloring outside the lines. We said earlier the
traditional ransomware attack is: break in, encrypt the data, send a ransom note, get paid,
unscramble the data.

But now, it appears they’ve evolved their business model. They’ve started skipping a couple of those
steps. They are breaking into networks, stealing data and not even bothering to lock MOVEit’s
clients out by encrypting it. Cl0p figures, why bother with all that? We have your data and you know
it. They put out an alert that they will either make your data public or sell it on the Darkweb if you
don’t pay us, and that’s enough of a threat.

CHILDS: They don't seem to be in a rush. It's like, you know, we'll just take our time. We'll sit here on
your data. You know, we already have it, so there's nothing you could do about it and we'll just get to
you when we get to you.

TEMPLE-RASTON: Which may be a sign that they are testing a new more efficient way to do
ransomware. Chester Wisniewski again.

WISNIEWSKI: This one feels like dipping the toe in the water to see if they can get away with just
having extortion as opposed to encryption.

TEMPLE-RASTON: Focusing on just extortion saves time, and it may be more effective. Ransomware
isn’t the big unexpected thing it used to be. These days, most companies have back-up systems
ready in the event of a ransomware attack. So payouts are becoming more rare. According to an
analysis by Coveware, a ransomware recovery firm, only 34 percent of companies targeted by
ransomware decided to pay the ransom for their data last quarter. It’s a record low.

But if you buy a zero-day vulnerability, for say 20 grand, and you are able to compromise tens of
millions of people…do the math. It’s quantity over quality, an approach that, Coveware estimates,
could land $75 million into Cl0p’s pockets. And Chester says he can see the argument.

WISNIEWSKI: When you do a traditional ransomware attack, you're generally only able to target a
few victims per week. Extortion is far simpler, faster, and cheaper for the criminals.

TEMPLE-RASTON: It’s not that they extort people one by one. That would take forever. They go after
the companies.

WISNIEWSKI: It would take a long time to commit identity theft against the 25 million Americans
who had their records stolen, right? I mean, that's a monumental effort to exploit that many people.
But the companies who lost that data, of course, may be subject to class action lawsuits, regulation,
fines. There was literally nothing they could have done to protect themselves, right? Simply having
bought the MOVEit software was all they did wrong.

TEMPLE-RASTON: As for the lawsuits, Chester is right. We tracked down Tyler Bean, an attorney with
Siri and Glimstad, a Manhattan-based law firm representing victims of the MOVEit breach.

TYLER BEAN: There have been roughly 50 cases that have been filed across the country, against
either Progress Software or against Progress Software clients.

TEMPLE-RASTON: Progress Software owns MOVEit. He says the company is negligent.

TEMPLE-RASTON [INTERVIEW]: So we heard from some security researchers who say that the risk to
any one individual is pretty low in this sort of breach. What do you make of that argument?

BEAN: I would like to discuss that with them. There are absolutely individuals who have already
experienced misuse of their information, who have received notifications from legitimate credit
monitoring and identity theft services, that their information has been found on the dark web.
Fraudulent charges to credit cards and debit cards.

TEMPLE-RASTON: A breach of this size, he added, isn’t just about dollars and cents. There’s the
anxiety of knowing that your private information could be out there on the darkweb, just waiting for
the highest bidder.

TYLER BEAN: How did Progress Software and the companies that were using the MOVEit transfer
application let this happen? It's happened many times before, even by the same Russian cyber gang.
When are companies going to finally invest in protecting these individuals and their private
information?

TEMPLE-RASTON: We reached out to Progress Software, and the company declined to comment on
ongoing litigation. In the meantime, Cl0p continues to sit on the data of millions of people,
including, we discovered, the data of a couple people here at the Click Here team.

It all begs the question as to whether Cl0p is onto something: Is an encryption-free holdup the next
big thing? Or an experiment that will fade in the fullness of time?

CHILDS: I think it will be a trend for a while, if nothing else, because Cl0p has been incredibly
successful. If one ransomware group is very successful, the other ransomware groups will see that
success and try to imitate it.

TEMPLE-RASTON: The U.S. State Department is offering a $10 million reward for information that can
lead to the arrest of members of Cl0p. For any of you bounty hunters out there….

DOG THE BOUNTY HUNTER: We’re gonna hunt this scum down!

TEMPLE-RASTON: This is Click Here.

[HEADLINES MUSIC]

TEMPLE-RASTON: Here are some of the top cyber and intelligence stories of the past week.

The Metropolitan Police Service in London is looking into what looks like a hack into one of its
suppliers. The breach may have exposed officers’ personal protected information. According to a
spokesperson for the force, a company responsible for printing the officers’ identity cards – those
badges they flash – was hacked. So 47,000 people who make up the force have been notified about
the possible exposure of their names, photographs and ranks. Their addresses and phone numbers
were not held in the supplier’s database, according to the Sun newspaper. The National Crime
Agency has been called in to investigate over fears that the data could be exploited by organized
crime or terrorists to fabricate warrant cards, or to target officers.

One of the oldest historical societies in the state of Ohio, the Ohio History Connection, was hit with a
ransomware attack. The Connection is a statewide history nonprofit and it said that in early July
cybercriminals attacked internal servers and encrypted them. They wanted millions in ransom to
release the files. The History Connection’s ransom counter offer was rejected so the hackers have
started to release names, addresses and Social Security numbers of people employed by the
organization from 2009-2023. The hackers appear to have stolen W-9 reports and other records. All
told, about 7,600 people were likely affected by the incident.


And finally, Lazarus, a notorious hacking group working on behalf of the North Korean government,
is targeting healthcare facilities in the US and Europe — and they’re using a new malware strain.
Security researchers from Cisco Talos say Lazarus hackers are exploiting a vulnerability in
ManageEngine Service Desk. ManageEngine helps companies manage their IT services and it is
particularly popular with Fortune 500 organizations. The company behind ManageEngine said back
in January that there was a vulnerability being exploited by hackers. The new malware strain Cisco
Talos found allows the hackers to gather data about the infected device, and it has a feature that
allows it to “sleep” for predetermined amounts of time which makes it much harder for cyber
security officials to find.
