The MOVEit Vulnerabilities and Latest Exploits. Impact On Governmental Agencies And Large Organizations

Governmental agencies and large organizations around the world are being hit by ransomware attacks exploiting several vulnerabilities in MOVEit, a widely used file transfer solution. 

The situation is highly dynamic, with a 3rd zero-day vulnerability disclosed as this is being written (06/15 PM). The purpose of this post is to provide you with the latest on the MOVEit situation. 

If you use MOVEit, it is recommended that you pay close attention to the vendor’s Cloud Status page and their continuously updated MOVEit Transfer and MOVEit Cloud Vulnerability security page.

What’s Happening?

Ransomware attacks exploiting three API vulnerabilities in MOVEit, a Managed File Transfer (MFT) offering from Progress Software, have been occurring for the past 19 days. The MOVEit exploitations were first reported on 05/27¹ and have spiraled out of control since then, impacting potentially “hundreds” of organizations² worldwide.

As part of the attack, Clop has downloaded significant amounts of data from victim organizations and has threatened to publish this stolen information. However, the latest reports indicate that no data has been published yet.³

What’s Being Exploited?

As of this writing, there are three (3) vulnerabilities listed on the official MOVEit Vulnerability security page as being exploited. These include: 

The Latest Vulnerability: Awaiting CVE Number (June 15, 2023)

The most recent MOVEit vulnerability, yet to be assigned a CVE number, is the most concerning of all, mainly because Progress Software has not provided extensive details or offered a patch. In the wake of this discovery, they have simply recommended that users disable all HTTP and HTTPs traffic to their MOVEit Transfer environment.

CVE-2023-35036 (June 9, 2023)

Full analysis of this vulnerability is still in-work. What we know at this moment is that SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here) and all MOVEIt Cloud customers (see KB article here).

CVE-2023-34362 (May 31, 2023)

This exploit abuses an SQL injection to obtain a sysadmin API access token. This access is then utilized to manipulate a deserialization call to obtain remote code execution. Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here) and all MOVEIt Cloud customers (see KB article here).

A detailed Proof of Concept (POC) exploit can be found on GitHub. It’s worth noting that for this POC exploit to work, it needs to reach out to an Identity Provider endpoint, hosting the appropriate RS256 certificates used to forge arbitrary user tokens. By default, the POC will write a file to C:\Windows\Temp\message.txt. However, alternative payloads can be generated using the ysoserial.net project.

Who’s Impacted?

The list of known victims spans every sector from media and banks to petroleum and education, and includes several governmental agencies as well. The potential victim pool is vast, given that according to Progress Software, thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit.⁴

A partial list includes the Department of Energy (DOE); the Oak Ridge National Laboratory (ONRL); the BBC; British Airways; the oil giant Shell; state governments in Minnesota and Illinois; financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG).^{5, 6}

It’s worth noting that, even before this current spate of attacks had started, Censys found well over 3,500 publicly exposed MOVEit hosts.⁷ A more recent Shodan scan suggests that has dropped to about 2,500 servers are publicly available on the open internet.⁸

Latest updates:

• Massive data breach impacts 90% of Oregonians’ drivers licenses, state IDs.
• Louisiana’s Office of Motor Vehicles (OMV)

Who’s Behind These Attacks?

The CL0p (or CLOP) ransomware group, also known as FIN11⁹ or Lace Tempest¹⁰ in Microsoft’s latest naming convention. According to reports, “Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It’s also known to operate the Cl0p extortion site.”¹¹

The Cl0p ransomware group seems to have learned of and started testing exploits against at least some of these MOVEit vulnerabilities a couple of years ago.¹² For instance, risk analysis firm Kroll found evidence that CVE-2023-34362 has been attacked since 2021.¹³

More Resources

Some resources to help you understand your exposure and risk:

• MOVEit Transfer Hacking Campaign Tracking on GitHub from Curated Intel is a repository for tracking events related to the MOVEit Transfer Hacking Campaign, with events mapped to the Diamond Model, plus other resources and information.
• A Cybersecurity Advisory (CSA) entitled CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability was published by CISA and the FBI which includes detection methods (YARA rules and IOCs) along with recommended mitigation strategies; available in STIX format here.
• A couple of other YARA rulesets can be found on GitHub, including this one from Florian Roth (Neo23x0) and this one from Ahmet Payaslıoğlu.
• If you’re not boycotting Reddit, some useful posts include this one in r/sysadmin and this one in r/msp.
• And of course many commercial sources, such as this one from Mandiant (last updated 06/15), this one from Huntress (last updated 06/12), and this one from CrowdStrike (last updated 06/09).

1. [2023-Jun-08] Cl0p may have been too successful with its most recent caper (CyberWire)
2. [2023-Jun-07] Ransomware group Clop issues extortion notice to ‘hundreds’ of victims (The Record)
3. [2023-Jun-15] Clop names a dozen MOVEit victims, but holds back details (Cybersecurity Dive)
4. [2023-Jun-02] Millions of users vulnerable to zero-day in MOVEit file transfer app (SC Magazine)
5. [2023-Jun-15] Exclusive: US government agencies hit in global cyberattack (CNN)
6. [2023-Jun-15] Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities (TechCrunch)
7. [2023-Jun-07] MOVEit Transfer Vulnerability (Censys.io blog)
8. [2023-Jun-12] MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (Huntress blog)
9. [undated] CLOP Analyst Note (Cybersecurity and Infrastructure Security Agency)
10. [2023-Jun-05] Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App (The Hacker News)
11. [2023-Jun-05] Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App (The Hacker News)
12. [2023-Jun-09] Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021 (SecurityWeek)
13. [2023-Jun-08] Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 (Kroll blog)