Since Progress released an advisory addressing the MOVEit Transfer critical vulnerability, researchers have uncovered evidence that the bug is being exploited.
The previously unnamed MOVEit Transfer critical vulnerability was named CVE-2023-34362 on June 2. This discovery has raised concerns about the potential impact on organizations utilizing MOVEit Transfer for secure file transfer, highlighting the urgent need for prompt action to mitigate the risk.
In a clear case of burnt fingers, researchers are finding patterns similar to those seen after a vulnerability in the managed file transfer (MFT) software GoAnywhere opened the biggest stream of ransomware attacks in Q1 2023.
As security experts continue to analyze the intricacies of this vulnerability, organizations are urged to stay vigilant and take necessary measures to protect their sensitive information from potential exploitation. Here is what you need to know:
MOVEit Transfer critical vulnerability – Discovery to exploitation
CVE-2023-34362, which according to a NIST report is still awaiting a complete analysis, is an SQL injection vulnerability in the MOVEit Transfer web application.
Hackers may gain information about the structure and content of the database, and execute SQL statements to delete database elements on vulnerable systems.
“On May 31, threat actors were discovered targeting a critical zero-day in MOVEit Transfer software resulting in escalated privileges and unauthorized data access,” according to a Trustwave report. The MOVEit Transfer critical vulnerability affects all MOVEit Transfer versions.
On June 1, hackers dropped the file named human2.aspx on the targeted device. A backdoor with the same name was uploaded for exploitation and exchanging malicious commands, the Cyble Global Sensor Intelligence (CGSI) network observed.
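To check a server for requests to the file named above, the following added example (not code from Progress, Cyble, or the original article) scans web access logs for `human2.aspx` and groups the hits by client IP. It assumes the logs are in W3C extended format with `#Fields` directives, which the article does not state; the sample log lines and IP addresses are constructed.

```python
from collections import defaultdict

INDICATOR = "human2.aspx"  # file name reported in the article
# Constructed sample log; W3C extended format is an assumption, not from the article.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-06-01 10:02:11 192.0.2.10 GET /index.aspx - 200
2023-06-01 10:05:42 198.51.100.7 GET /human2.aspx - 404
2023-06-01 10:05:49 198.51.100.7 POST /Human2.ASPX - 200
2023-06-01 10:07:03 192.0.2.10 GET /human.aspx - 200
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2023-06-01 11:15:00 GET /sub/human2.aspx 200 203.0.113.5
2023-06-01 11:16:00 GET /nothuman2.aspx 404 203.0.113.5
"""

def find_indicator_hits(lines, indicator=INDICATOR):
    """Return {client_ip: [(timestamp, method, path, status), ...]}.
    Every #Fields directive is honored, since column order can change mid-file."""
    fields, hits = [], defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue  # blank line, other directive, or record before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        path = rec.get("cs-uri-stem", "")
        # Match the last path segment exactly, ignoring case (/nothuman2.aspx is no hit).
        if path.rsplit("/", 1)[-1].lower() != indicator.lower():
            continue
        stamp = f"{rec.get('date', '?')} {rec.get('time', '?')}"
        hits[rec.get("c-ip", "?")].append(
            (stamp, rec.get("cs-method", "?"), path, rec.get("sc-status", "?")))
    return dict(hits)

def summarize(hits):
    """One line per client IP; a 2xx status suggests the file was present."""
    out = []
    for ip, ev in sorted(hits.items()):
        served = sum(e[3].startswith("2") for e in ev)
        out.append(f"{ip}: {len(ev)} request(s), {served} served, first {ev[0][0]}, last {ev[-1][0]}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(find_indicator_hits(SAMPLE_LOG.splitlines()))))
```

A request answered with a 404 shows probing for the file, while a 2xx response is the case to escalate, since it suggests the file exists on the server.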
The MOVEit Transfer critical vulnerability allowed mass downloading of data from organizations using the service. More than 2,500 publicly accessible MOVEit Transfer instances were found to be vulnerable.
“Based on a Shodan query, there were 2,526 MOVEit Transfer potentially vulnerable instances publicly accessible as of June 2, 2023, with nearly three-quarters originating in the United States (73.4%) followed by the United Kingdom at 5% and Germany at 4.6%,” said a Tenable report.
Shodan results of the MOVEit Transfer critical vulnerability
The Shodan search for public-facing MOVEit instances produced the following findings:
- More than 500 systems have MOVEit in the service headers
- Over 2,500 systems were found using the MOVEit favicon
A cybercriminal group called Lace Tempest was already exploiting the MOVEit Transfer critical vulnerability, Microsoft tweeted on June 5.
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Cl0p extortion site,” said the tweet.
The tweet brought to light that the cybercriminal group responsible for the cyber attacks exploiting MOVEit Transfer was also handling the Cl0p ransomware group’s extortion website.
Interestingly, it was Cl0p ransomware that exploited the Fortra GoAnywhere MFT RCE vulnerability CVE-2023-0669, claiming victims across the world, from global corporations such as P&G and Hitachi to city administrations and regional governments.
The Lace Tempest group had exploited similar vulnerabilities in the past and stolen data to extort money from targets, the tweet further read.
MOVEit Transfer critical vulnerability: The Cl0p effect
The Cl0p ransomware group has been consciously targeting organizations that cater to or serve several clients with data transfer facilities.
“The Clop Ransomware group exploited the file transfer service GoAnywhere to extort data from multiple organizations, which indicates that Threat Actors(TAs) have a keen interest in the vulnerable internet-exposed assets that might be utilized for espionage, data theft, and ransomware purposes,” a Cyble blog post stated.
In 2020, the Cl0p ransomware group targeted Accellion’s legacy file transfer appliance to steal enormous amounts of data from over 100 companies associated with Accellion. They demanded a ransom of $10 million. The group gradually released data from all the hacks, leading to privacy breaches and data leaks.
Patch available for MOVEit Transfer critical vulnerability
It was found that nearly 300 customers were still using legacy versions of the software. Accellion added in its press release that file transfer appliances more than 20 years old were found to be in use by the company after the large-scale exploitation of its vulnerability.
Patches for the vulnerability in MOVEit Transfer have been published by Progress. Users are urged to install the updates immediately or apply remediation steps such as disabling all HTTP and HTTPS traffic, and reviewing and deleting user accounts that are not legitimate.