CVSS v3.1 base score: 9.8 (High)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2 base score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS score: 0.941 (High), percentile 98.8%
The MOVEit Vulnerabilities and Latest Exploits. Impact On Governmental Agencies And Large Organizations
Governmental agencies and large organizations around the world are being hit by ransomware attacks exploiting several vulnerabilities in MOVEit, a widely used file transfer solution.
The situation is highly dynamic, with a third zero-day vulnerability disclosed as this is being written (06/15 PM). The purpose of this post is to provide you with the latest on the MOVEit situation.
If you use MOVEit, it is recommended that you pay close attention to the vendor’s Cloud Status page and their continuously updated MOVEit Transfer and MOVEit Cloud Vulnerability security page.
Several noteworthy updates to our original 06/15 post:
Again, as mentioned in our original post, this is a highly dynamic situation. In fact, as this update was being prepared, Progress Software issued an Emergency Maintenance Notification for MOVEit Cloud servers in order to apply a service pack to address these (and other) issues. Obviously, you will want to keep monitoring the situation to ensure you’ve safeguarded your systems.
Ransomware attacks exploiting three API vulnerabilities in MOVEit, a Managed File Transfer (MFT) offering from Progress Software, have been occurring for the past 19 days. The MOVEit exploitations were first reported on 05/27 [1] and have spiraled out of control since then, impacting potentially “hundreds” of organizations [2] worldwide.
As part of the attack, Clop has downloaded significant amounts of data from victim organizations and has threatened to publish this stolen information. However, the latest reports indicate that no data has been published yet. [3]
As of this writing, there are three (3) vulnerabilities listed on the official MOVEit Vulnerability security page as being exploited. These include:
The most recent known MOVEit vulnerability is another SQL Injection (SQLi) issue that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database, which could result in modification and disclosure of MOVEit database content. A patch is available.
Apparently, the researcher who found this vulnerability did not follow the normal "responsible disclosure" process (that is, they published it before notifying Progress Software), which is what led to the 06/15 recommendation that customers take down their HTTP and HTTPS traffic. This is no longer necessary once the patch is applied.
Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here).
Full analysis of this vulnerability is still in-work. What we know at this moment is that SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here) and all MOVEit Cloud customers (see KB article here).
This exploit abuses an SQL injection to obtain a sysadmin API access token. That access is then used to manipulate a deserialization call and obtain remote code execution. Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here) and all MOVEit Cloud customers (see KB article here).
A detailed Proof of Concept (POC) exploit can be found on GitHub. It's worth noting that for this POC exploit to work, it needs to reach out to an Identity Provider endpoint hosting the appropriate RS256 certificates used to forge arbitrary user tokens. By default, the POC will write a file to C:\Windows\Temp\message.txt. However, alternative payloads can be generated using the ysoserial.net project.
The list of known victims spans every sector from media and banks to petroleum and education, and includes several governmental agencies as well. The potential victim pool is vast, given that according to Progress Software, thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit. [4]
A partial list includes the Department of Energy (DOE); the Oak Ridge National Laboratory (ORNL); the BBC; British Airways; the oil giant Shell; state governments in Minnesota and Illinois; financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG). [5][6]
It’s worth noting that, even before this current spate of attacks had started, Censys found well over 3,500 publicly exposed MOVEit hosts. [7] A more recent Shodan scan suggests that this has dropped to about 2,500 servers publicly available on the open internet. [8]
Latest updates:
The CL0p (or CLOP) ransomware group is also known as FIN11 [9] or, in Microsoft’s latest naming convention, Lace Tempest [10]. According to reports, “Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site.” [11]
The Cl0p ransomware group seems to have learned of and started testing exploits against at least some of these MOVEit vulnerabilities a couple of years ago. [12] For instance, risk analysis firm Kroll found evidence that CVE-2023-34362 has been attacked since 2021. [13]
Some resources to help you understand your exposure and risk:
The post What You Need To Know About MOVEit appeared first on Wallarm.