MOVEit Vulnerabilities: Clop Ransomware Gang Victims Keep Increasing

essidsolutions
  • MOVEit Transfer is a managed file transfer application developed by Progress Software-owned Ipswitch.
  • Three vulnerabilities in the file transfer tool were disclosed on May 31, June 9, and June 15, 2023.
  • Russia-based Clop ransomware gang possibly knew about the flaw since July 2021. The group claims it compromised hundreds of organizations. Several European and American companies have confirmed they are impacted.

The number of victims of three actively exploited vulnerabilities in the MOVEit Transfer managed file transfer (MFT) application continues to grow. They include multiple private and government organizations in Europe and the U.S.

“Federal agencies have also been impacted. This is a systemic attack, and CISA has mobilized resources. I feel that this is a harbinger of cyberwar with Russia,” Tom Kellermann, SVP of Cyber Strategy at Contrast Security, told Spiceworks.

While Progress Software, the parent company of MOVEit Transfer’s developer, Ipswitch, has released patches for the security bugs, significant damage has already been done, according to the leak site of the Cl0p ransomware gang and officials at the Cybersecurity and Infrastructure Security Agency (CISA).

Colin Little, security engineer at Centripetal, echoed a similar sentiment. “Given the scope of this campaign, along with the current view of the geopolitical landscape and the alleged nationality of the major affiliation behind the campaign, my opinion is that this campaign signals a major escalation in the hostilities of ongoing cyber warfare,” Little told Spiceworks.

“What’s worse, I believe this campaign has the strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare but the geopolitical landscape as well. Unlike other industry verticals, the U.S. federal government and other governments worldwide that have been breached may be permitted to deploy more offensive cyber resources than, say, a university or a hospital.”

Among those affected by the attacks exploiting the MOVEit vulnerabilities are:

| Organization | Confirmed by |
| --- | --- |
| Oak Ridge Associated Universities | Federal News Network |
| U.S. Department of Energy’s Waste Isolation Pilot Plant near Carlsbad, NM | Federal News Network |
| University of Georgia | Self |
| University of Rochester | Self |
| Government of Illinois | Self |
| American Board of Internal Medicine | Self |
| Better Outcomes Registry Network, Ontario | Self |
| Extreme Networks | Self |
| Government of Missouri | Self |
| Health Service Executive, Ireland | Self |
| BBC | Self |
| British Airways | Self |
| Aer Lingus | Self |
| Zellis | Self |
| Government of Nova Scotia | Self |
| Johns Hopkins University | Self |
| Ofcom | Self |
| Transport for London | Self |
| Shell | Self |
| Boots | Self |

Additionally, CISA director Jen Easterly told the press that a small number of U.S. federal agencies were victimized in the campaign, but distinguished it from the systemic and national security impact of the SolarWinds campaign.


However, it is reminiscent of the exploitation of vulnerabilities in GoAnywhere MFT (discovered in March 2022) by the Clop ransomware syndicate and in Accellion’s File Transfer Appliance (discovered in February 2021) by FIN11, which has links to the Clop ransomware gang. Avishai Avivi, CISO at SafeBreach, added that the MOVEit MFT bug differs from the GoAnywhere MFT one.

“The SQL Injection vulnerability in MOVEIt is different than the one Clop found in GoAnywhere (unsecured administrative interface), but both involve an unauthenticated user being able to leverage the vulnerability and gain privileged access to data stored on the servers,” Avivi explained to Spiceworks.

“This is a playbook that works well for Clop – once they verified the vulnerability, they immediately started looking for additional systems to attack. It’s important to note that Clop doesn’t seem to care about the type of victim as long as they can successfully breach them. They’ve attacked health organizations, financial organizations, utility companies, universities, and government agencies.”

Erich Kron, security awareness advocate at KnowBe4, added that Clop’s indifference to its victims could spell trouble for the group, since the U.S. government’s renewed resolve to tackle cyber threats has not boded well for threat actors that end up at loggerheads with it.

“If this was one of the Clop affiliates, it is a very brazen move as it is likely to draw some serious attention from the federal government. Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the U.S. government and its allies,” Kron told Spiceworks.

“Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams.”

MOVEit Transfer enables corporations, enterprises, and SMBs to transfer large files and data over the internet. Microsoft assessed that of the three vulnerabilities, the first, an SQL injection issue tracked as CVE-2023-34362 and discovered on May 31, 2023, could have been under exploitation as early as July 2021.

Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. pic.twitter.com/q73WtGru7j

— Microsoft Threat Intelligence (@MsftSecIntel) June 5, 2023

Successful exploitation can give threat actors escalated privileges and unauthorized access. The Clop ransomware gang claims to have infiltrated hundreds of organizations and set a June 14 deadline for them to get in touch, possibly to negotiate a price for the stolen data.

“Clop has really made a name for itself in 2023 through their approach of simple extortion, rather than going through the trouble of encrypting the files on the victims’ network. Clop has proven that there is a great deal of value in simply stealing data and threatening to release it. It has also made it clear that demanding ransoms for information as a facet of cybercrime is not going anywhere soon,” Kron added.


The second vulnerability, CVE-2023-35036, was discovered on June 9, while the third, yet to be assigned a CVE, was found yesterday, June 15.

Avivi criticized MOVEit MFT developer Ipswitch and found it “alarming” that the company missed an SQL injection flaw, a class of weakness listed as the third top security risk by the Open Worldwide Application Security Project (OWASP).
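For readers unfamiliar with why SQL injection sits near the top of the OWASP list, the following added example (not MOVEit Transfer’s code, schema, or the actual flaw) shows the general pattern in Python against an in-memory SQLite table: a lookup that splices untrusted input into the query text beside the parameterized form that closes the hole. The user table and the hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample user store standing in for a file-transfer app's database.
# Illustrative only; not MOVEit Transfer's schema or data.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "user"),
    ("bob", "bob@example.test", "user"),
    ("carol", "carol@example.test", "admin"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    caller of this function controls the query's structure, not just a value."""
    query = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a parameterized query. The driver sends the value
    separately from the SQL text, so it can only ever be compared as a string."""
    query = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a constructed hostile input and a legitimate one,
    returning row counts so the difference in behaviour is measurable."""
    conn = build_db()
    # Constructed input: in the vulnerable query it turns the WHERE clause into
    # "username = '' OR 1=1" and comments out the trailing quote, matching every row.
    hostile = "' OR 1=1 --"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),  # every user leaks
        "safe_rows": len(lookup_safe(conn, hostile)),              # no such username
        "legit_rows": len(lookup_safe(conn, "alice")),             # normal lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The point a reviewer or code scanner looks for is the first pattern: any place where request-controlled strings are concatenated or formatted into SQL. The fix is mechanical (bind parameters), which is what makes the flaw's persistence in mature products the kind of thing Avivi calls alarming.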

Moreover, Avivi also pointed out the mistake of MOVEit MFT users. “While these customers are certainly the victims of a cyberattack, they do bear some responsibility. It’s wrong to assume that just because a piece of software claims to be ‘secure,’ it is, in fact, secure.”

“Customers must always validate that the software they use is secure and is configured in a way that can protect against cyberattacks. For example, it’s important to note that the MFT servers should only hang on to files for the minimum duration needed to transfer them from one location to another. From the little information currently available, it appears that Clop exfiltrated large amounts of data available on the servers themselves.”

Avivi opined that a Web Application Firewall would have potentially stopped Clop from exfiltrating data.

“The real victims in this latest set of breaches are the consumers whose information was included in the breach. If the Fortra GoAnywhere breach is any harbinger, we can expect that millions of individuals will be affected by this latest mass breach event,” Avivi concluded.
