What You Need To Know About MOVEit

2023-06-16 06:05:40
wlrmblog
lab.wallarm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.941 High
Percentile: 98.8%

The MOVEit Vulnerabilities and Latest Exploits. Impact On Governmental Agencies And Large Organizations

Governmental agencies and large organizations around the world are being hit by ransomware attacks exploiting several vulnerabilities in MOVEit, a widely used file transfer solution.

The situation is highly dynamic, with a third zero-day vulnerability disclosed as this is being written (06/15 PM). The purpose of this post is to give you the latest on the MOVEit situation.

If you use MOVEit, it is recommended that you pay close attention to the vendor’s Cloud Status page and their continuously updated MOVEit Transfer and MOVEit Cloud Vulnerability security page.

2023-Jun-26 Update

Several noteworthy updates to our original 06/15 post:

  • The previously mentioned unnamed, late-breaking vulnerability has been assigned CVE-2023-35708 and given a severity rating of 9.8 (Critical); we have updated the description below. Progress Software released a patch for this SQL injection (SQLi) issue later that evening and reports no evidence that it has been exploited. Consult the official MOVEit Vulnerability security page for more information.
  • The security researcher who discovered this third vulnerability thought they had found a fourth one, but this turned out not to be the case.
  • CISA and the FBI are offering a reward of up to $10M for information on the CL0p Ransomware gang; the details are of course a bit more complicated, but it shows how seriously the US Government is taking this attack.
  • We're learning that many more organizations have been impacted by these exploits against these MOVEit vulnerabilities, impacting millions of customers, employees, and citizens. This list of impacted organizations – which includes government agencies, healthcare and financial organizations, utility companies, universities, and more, around the world – seems to be growing even today, almost a month after it was first reported.
  • Bert Kondruss, founder and managing director of KonBriefing Research, has compiled a list of known victims of the CL0p ransomware campaign targeting these MOVEit vulnerabilities. The breakdown by country, as of this writing (06/26), is as follows:

source: KonBriefing Research

  • Also, we're not surprised to learn that several class-action lawsuits have been filed, including (as of this writing) one in Massachusetts and another in Louisiana, representing individuals impacted by the resulting data breach. We will undoubtedly see more.
  • And lastly, we neglected to mention in our original post that CISA added CVE-2023-34362 to its Known Exploited Vulnerabilities (KEV) catalog on 06/04, with a due date of 06/23 (last Friday). While this mandate only applies to US Federal agencies, private companies are certainly also urged to prioritize patching their systems against this actively exploited flaw.
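One way to act on the KEV due date mentioned above, written for this post (not Wallarm's or CISA's own code): it parses a constructed extract in the KEV feed's JSON schema, matches it against a constructed host inventory, and reports how many days remain before (or since) the CISA remediation deadline.

```python
"""Triage a CISA KEV feed extract against a host inventory (added example).

Field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction)
are those of the real KEV JSON feed; the record and inventory below are
constructed, using the CVE and dates cited in the post (added 06/04, due 06/23).
"""
import json
from datetime import date

# Constructed KEV extract in the feed's schema, one record only.
KEV_JSON = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2023-34362", "vendorProject": "Progress",
    "product": "MOVEit Transfer", "dateAdded": "2023-06-04",
    "requiredAction": "Apply updates per vendor instructions.",
    "dueDate": "2023-06-23"}]})

# Constructed inventory: hostname -> (vendor, product) as a CMDB might record it.
INVENTORY = {
    "mft-01.example.internal": ("progress", "MOVEit  Transfer"),
    "web-07.example.internal": ("Apache", "HTTP Server"),
}

def normalize(text):
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(text.lower().split())

def load_kev(raw_json):
    return json.loads(raw_json)["vulnerabilities"]

def triage(kev_entries, inventory, today_iso):
    """Match each host's product against KEV entries and report, per hit, the
    days remaining before the CISA due date (negative means overdue).
    Most-overdue hosts sort first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, (vendor, product) in inventory.items():
        for entry in kev_entries:
            if (normalize(entry["vendorProject"]) != normalize(vendor)
                    or normalize(entry["product"]) != normalize(product)):
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": host, "cve": entry["cveID"],
                             "days_to_due": days_left, "overdue": days_left < 0,
                             "action": entry["requiredAction"]})
    return sorted(findings, key=lambda f: f["days_to_due"])

if __name__ == "__main__":
    for finding in triage(load_kev(KEV_JSON), INVENTORY, "2023-06-26"):
        print(finding)
```

Point it at the full feed and your real inventory and the same function gives a deadline-ordered patch list; the matching is deliberately loose on case and whitespace because CMDB product names rarely match the feed exactly.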

Again, as mentioned in our original post, this is a highly dynamic situation. In fact, as this update was being prepared, Progress Software issued an Emergency Maintenance Notification for MOVEit Cloud servers in order to apply a service pack to address these (and other) issues. Obviously, you will want to keep monitoring the situation to ensure you’ve safeguarded your systems.

What’s Happening?

Ransomware attacks exploiting three API vulnerabilities in MOVEit, a Managed File Transfer (MFT) offering from Progress Software, have been occurring for the past 19 days. The MOVEit exploitations were first reported on 05/27[1] and have spiraled out of control since then, impacting potentially “hundreds” of organizations[2] worldwide.

As part of the attack, Clop has downloaded significant amounts of data from victim organizations and has threatened to publish this stolen information. However, the latest reports indicate that no data has been published yet.[3]

What’s Being Exploited?

As of this writing, there are three (3) vulnerabilities listed on the official MOVEit Vulnerability security page as being exploited. These include:

CVE-2023-35708 (June 15, 2023)

The most recent known MOVEit vulnerability is another SQL injection (SQLi) issue that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database, resulting in modification and disclosure of MOVEit database content. A patch is available.

Apparently, the researcher who found this vulnerability did not follow normal "responsible disclosure" processes (that is, they published it before notifying Progress Software), which is what led to the 06/15 recommendation that customers disable HTTP and HTTPS traffic to MOVEit Transfer. This is no longer necessary once the patch is applied.

Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here).

CVE-2023-35036 (June 9, 2023)

Full analysis of this vulnerability is still in-work. What we know at this moment is that SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.

Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here) and all MOVEit Cloud customers (see KB article here).

CVE-2023-34362 (May 31, 2023)

This exploit abuses an SQL injection to obtain a sysadmin API access token. This access is then used to manipulate a deserialization call to obtain remote code execution. Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article here) and all MOVEit Cloud customers (see KB article here).

A detailed Proof of Concept (POC) exploit can be found on GitHub. It's worth noting that for this POC exploit to work, it needs to reach out to an Identity Provider endpoint, hosting the appropriate RS256 certificates used to forge arbitrary user tokens. By default, the POC will write a file to C:\Windows\Temp\message.txt. However, alternative payloads can be generated using the ysoserial.net project.

Who’s Impacted?

The list of known victims spans every sector from media and banks to petroleum and education, and includes several governmental agencies as well. The potential victim pool is vast, given that, according to Progress Software, thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit.[4]

A partial list includes the Department of Energy (DOE); the Oak Ridge National Laboratory (ORNL); the BBC; British Airways; the oil giant Shell; state governments in Minnesota and Illinois; financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG).[5][6]

It’s worth noting that, even before this current spate of attacks started, Censys found well over 3,500 publicly exposed MOVEit hosts.[7] A more recent Shodan scan suggests that this has dropped to about 2,500 servers publicly reachable on the open internet.[8]

Latest updates:

Who’s Behind These Attacks?

These attacks are attributed to the CL0p (or CLOP) ransomware group, also known as FIN11[9] or Lace Tempest[10] in Microsoft’s latest naming convention. According to reports, “Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site.”[11]

The Cl0p ransomware group seems to have learned of, and started testing exploits against, at least some of these MOVEit vulnerabilities a couple of years ago.[12] For instance, risk analysis firm Kroll found evidence that CVE-2023-34362 has been attacked since 2021.[13]

More Resources

Some resources to help you understand your exposure and risk:

  • MOVEit Transfer Hacking Campaign Tracking on GitHub from Curated Intel is a repository for tracking events related to the MOVEit Transfer Hacking Campaign, with events mapped to the Diamond Model, plus other resources and information.
  • A Cybersecurity Advisory (CSA) entitled CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability was published by CISA and the FBI which includes detection methods (YARA rules and IOCs) along with recommended mitigation strategies; available in STIX format here.
  • A couple of other YARA rulesets can be found on GitHub, including this one from Florian Roth (Neo23x0) and this one from Ahmet Payaslıoğlu.
  • If you’re not boycotting Reddit, some useful posts include this one in r/sysadmin and this one in r/msp.
  • And of course many commercial sources, such as this one from Mandiant (last updated 06/15), this one from Huntress (last updated 06/12), and this one from CrowdStrike (last updated 06/09).

Footnotes

  1. [2023-Jun-08] Cl0p may have been too successful with its most recent caper (CyberWire)
  2. [2023-Jun-07] Ransomware group Clop issues extortion notice to ‘hundreds’ of victims (The Record)
  3. [2023-Jun-15] Clop names a dozen MOVEit victims, but holds back details (Cybersecurity Dive)
  4. [2023-Jun-02] Millions of users vulnerable to zero-day in MOVEit file transfer app (SC Magazine)
  5. [2023-Jun-15] Exclusive: US government agencies hit in global cyberattack (CNN)
  6. [2023-Jun-15] Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities (TechCrunch)
  7. [2023-Jun-07] MOVEit Transfer Vulnerability (Censys.io blog)
  8. [2023-Jun-12] MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (Huntress blog)
  9. [undated] CLOP Analyst Note (Cybersecurity and Infrastructure Security Agency)
  10. [2023-Jun-05] Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App (The Hacker News)
  11. [2023-Jun-05] Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App (The Hacker News)
  12. [2023-Jun-09] Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021 (SecurityWeek)
  13. [2023-Jun-08] Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 (Kroll blog)

