**The MOVEit Vulnerabilities and Latest Exploits. Impact On Governmental Agencies And Large Organizations**
Governmental agencies and large organizations around the world are being hit by ransomware attacks exploiting several vulnerabilities in MOVEit, a widely used file transfer solution.
The situation is highly dynamic, with a third zero-day vulnerability disclosed as this is being written (06/15 PM). The purpose of this post is to provide you with the latest on the MOVEit situation.
If you use MOVEit, it is recommended that you pay close attention to the vendor's [**Cloud Status page**]() and their continuously updated [**MOVEit Transfer and MOVEit Cloud Vulnerability security page**]().
## **What's Happening?**
Ransomware attacks exploiting three API vulnerabilities in [MOVEit](), a Managed File Transfer (MFT) offering from Progress Software, have been occurring for the past 19 days. The MOVEit exploitations were first reported on 05/27 [1] and have spiraled out of control since then, impacting potentially "hundreds" of organizations [2] worldwide.
As part of the attack, Clop has downloaded significant amounts of data from victim organizations and has threatened to publish this stolen information. However, the latest reports indicate that no data has been published yet. [3]
## **What's Being Exploited?**
As of this writing, there are three (3) vulnerabilities listed on the official [**MOVEit Vulnerability security page**]() as being exploited. These include:
### **The Latest Vulnerability: Awaiting CVE Number** (June 15, 2023)
The most recent MOVEit vulnerability, yet to be assigned a CVE number, is the most concerning of all, mainly because Progress Software has not provided extensive details or offered a patch. In the wake of this discovery, they have simply recommended that users disable all HTTP and HTTPs traffic to their MOVEit Transfer environment.
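Since the only mitigation currently offered for this vulnerability is to cut HTTP and HTTPS traffic to the MOVEit Transfer environment, the following PowerShell shows one way to do that at the Windows host firewall, record the prior state, and verify the result. This is an added example, not guidance or code from Progress Software or the original post; it assumes MOVEit Transfer serves HTTP/HTTPS on the standard ports 80 and 443, that it runs elevated on the MOVEit Transfer host, and the rule name is chosen here rather than vendor-defined.

```powershell
# Added example (not from Progress Software or the original post).
# Assumptions: MOVEit Transfer listens for HTTP/HTTPS on TCP 80 and 443,
# this runs as an administrator on the MOVEit Transfer host, and the
# rule name below is our own, not a vendor-defined name.
$ports    = @('80', '443')
$ruleName = 'MOVEit-Mitigation-Block-Web'

# Record the inbound rules that currently allow these ports, so the change
# can be reviewed and reverted once the vendor patch has been applied.
Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        (@($_.LocalPort) | Where-Object { $ports -contains $_ }).Count -gt 0
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile |
    Export-Csv -Path "$env:TEMP\moveit-web-rules-before.csv" -NoTypeInformation

# An explicit Block rule takes precedence over Allow rules in Windows Firewall,
# so this stops HTTP/HTTPS without deleting the application's own rules.
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $ports -Action Block -Profile Any -Enabled True | Out-Null

# Verify that the block rule exists and covers both ports.
$applied = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
$covered = (@($applied.LocalPort) | Sort-Object) -join ','
if ($covered -ne '443,80') {
    throw "Block rule '$ruleName' does not cover ports 80 and 443 (got: $covered)"
}

# After patching and validating the service, revert with:
# Remove-NetFirewallRule -DisplayName $ruleName
```

Note that blocking at the host firewall does not stop traffic that reaches the host through a load balancer or reverse proxy; the same block needs to be applied at whichever layer terminates inbound web traffic.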
### [**CVE-2023-35036**]() (June 9, 2023)
Full analysis of this vulnerability is still in progress. What we know at this moment is that SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article [here]()) and all MOVEit Cloud customers (see KB article [here]()).
### [**CVE-2023-34362**]() (May 31, 2023)
This exploit abuses an SQL injection to obtain a sysadmin API access token. This access is then used to manipulate a deserialization call to obtain remote code execution. Progress Software has released mitigation guidance for all MOVEit Transfer customers (see KB article [here]()) and all MOVEit Cloud customers (see KB article [here]()).
A detailed Proof of Concept (POC) exploit can be found on [GitHub](). It's worth noting that for this POC exploit to work, it needs to reach out to an Identity Provider endpoint hosting the appropriate RS256 certificates used to forge arbitrary user tokens. By default, the POC will write a file to `C:\Windows\Temp\message.txt`. However, alternative payloads can be generated using the `ysoserial.net` project.
## **Who's Impacted?**
The list of known victims spans every sector from media and banks to petroleum and education, and includes several governmental agencies as well. The potential victim pool is vast, given that according to Progress Software, thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit. [4]
A partial list includes the Department of Energy (DOE); the Oak Ridge National Laboratory (ONRL); the BBC; British Airways; the oil giant Shell; state governments in Minnesota and Illinois; financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG). [5] [6]
It's worth noting that, even before this current spate of attacks had started, Censys found well over 3,500 publicly exposed MOVEit hosts. [7] A more recent Shodan scan suggests that number has dropped to about 2,500 servers publicly reachable on the open internet. [8]
Latest updates:
* [Massive data breach impacts 90% of Oregonians' driver's licenses, state IDs.]()
* [Louisiana's Office of Motor Vehicles (OMV)]()
## **Who's Behind These Attacks?**
The CL0p (or CLOP) ransomware group, also known as FIN11 [9] or Lace Tempest [10] in Microsoft's latest [naming convention](). According to reports, "Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site." [11]
The Cl0p ransomware group seems to have learned of and started testing exploits against at least some of these MOVEit vulnerabilities a couple of years ago. [12] For instance, risk analysis firm Kroll found evidence that CVE-2023-34362 has been attacked since 2021. [13]
## **More Resources**
Some resources to help you understand your exposure and risk:
* [**MOVEit Transfer Hacking Campaign Tracking**]() on GitHub from [Curated Intel]() is a repository for tracking events related to the MOVEit Transfer Hacking Campaign, with events mapped to the Diamond Model, plus other resources and information.
* A Cybersecurity Advisory (CSA) entitled [**CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability**]() was published by CISA and the FBI which includes detection methods (YARA rules and IOCs) along with recommended mitigation strategies; available in STIX format [here]().
* A couple of other YARA rulesets can be found on GitHub, including [this one]() from Florian Roth (Neo23x0) and [this one]() from Ahmet Payaslıoğlu.
* If you're not boycotting Reddit, some useful posts include [this one]() in r/sysadmin and [this one]() in r/msp.
* And of course many commercial sources, such as [this one]() from Mandiant (last updated 06/15), [this one]() from Huntress (last updated 06/12), and [this one]() from CrowdStrike (last updated 06/09).
## Footnotes
1. [2023-Jun-08] [**Cl0p may have been too successful with its most recent caper**]() (CyberWire)
2. [2023-Jun-07] [**Ransomware group Clop issues extortion notice to "hundreds" of victims**]() (The Record)
3. [2023-Jun-15] [**Clop names a dozen MOVEit victims, but holds back details**]() (Cybersecurity Dive)
4. [2023-Jun-02] [**Millions of users vulnerable to zero-day in MOVEit file transfer app**]() (SC Magazine)
5. [2023-Jun-15] [**Exclusive: US government agencies hit in global cyberattack**]() (CNN)
6. [2023-Jun-15] [**Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities**]() (TechCrunch)
7. [2023-Jun-07] [**MOVEit Transfer Vulnerability**]() (Censys.io blog)
8. [2023-Jun-12] [**MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response**]() (Huntress blog)
9. [undated] [**CLOP Analyst Note**]() (Cybersecurity and Infrastructure Security Agency)
10. [2023-Jun-05] [**Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App**]() (The Hacker News)
11. [2023-Jun-05] [**Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App**]() (The Hacker News)
12. [2023-Jun-09] [**Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021**]() (SecurityWeek)
13. [2023-Jun-08] [**Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021**]() (Kroll blog)
The post [What You Need To Know About The MOVEit]() appeared first on [Wallarm]().