Headline
Cl0p ransomware gang claims first victims of the MOVEit vulnerability
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Progress
Tags: MOVEit
Tags: Transfer
Tags: CVE-2023-34362
Tags: BBC
Tags: Zellis
Tags: BA
The first victims of the ongoing attacks on vulnerable MOVEit Transfer instances are coming forward. The Cl0p ransomware gang claims it is behind the attacks.
(Read more…)
The post Cl0p ransomware gang claims first victims of the MOVEit vulnerability appeared first on Malwarebytes Labs.
On Friday June 2, 2023 we reported about a MOVEit Transfer vulnerability that was actively being exploited. If your organization uses MOVEit Transfer and you haven’t patched yet, it really is time to move it.
Excuse the bad pun, but yesterday we saw the first victims of this vulnerability come forward. MOVEit Transfer is a widely used file transfer software which encrypts files and uses secure File Transfer Protocols to transfer data. As such, it has a large userbase in healthcare, education, US federal and state government, and financial institutions.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. On Friday the CVE had not been assigned yet, but now this vulnerability has now been listed as:
CVE-2023-34362: In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Microsoft says that the group behind the attacks on MOVEit instances is the Lace Tempest group, which is a known ransomware operator and runs the extortion website Cl0p. This was confirmed by a Cl0p representative to Bleeping Computer, who also said that the criminals started exploiting the vulnerability on May 27th, during the US Memorial Day holiday.
We saw a similar scenario unfold in March which caused Cl0p to occupy the first place as most used ransomware in our Ransomware Review for that month. Contributing to Cl0p’s rise to the number one spot was its extensive GoAnywhere campaign. The group successfully breached over 104 organizations by taking advantage of a zero-day vulnerability in the widely-used managed file transfer software, GoAnywhere MFT.
As we have pointed out before, ransomware gangs can afford to play the long game now. And some of them do. When you have hundreds or maybe even thousands of victims to choose from, you start with the juiciest ones that are most likely to pay.
Payroll provider Zellis who serves British Airways and the BBC would be a good example of that. Pharmacy chain Boots, which employs more than 57,000 people in the UK and Ireland, has also announced that it has been impacted.
A Reuters reporter that has an inside contact in the Cl0p ransomware gang tweeted a screenshot of his contact saying that the military, gov(ernment), children’s hospitals, and police would not be attacked.
The same was repeated by BleepingComputer’s contact. But this is no guarantee, and in the end they may not be able to resist the urge to steal data from those networks anyway.
All this means that if your organization uses MOVEit Transfer and it is internet facing, you should assume that your network has been breached. The fact that you haven’t noticed anything yet probably means you are low on the list of desirable targets. It does NOT mean you got away lucky and simply patching the vulnerability is enough.
What needs to be done
First of all, MOVEit Transfer users should visit the Progress security bulletin about this vulnerability and bookmark it. You can find the latest advice, Indicators of Compromise (IOCs), affected versions, and available patches there.
Basically the advice, and you can find detailed instructions on the page, is to:
- Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
- Delete unauthorized files and user accounts.
- Reset service account credentials for affected systems and the MOVEit Service Account.
- Apply the patch or upgrade.
- Verify to confirm the files have been successfully deleted and no unauthorized accounts remain.
- Re-enable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
- Continue to monitor your network, endpoints, and logs for IoCs.
Additionally, users of MOVEit Transfer with Microsoft Azure integration should take immediate action to rotate their Azure storage keys.
In our previous post about this vulnerability I mentioned a few tools to help you find the malicious artifacts:
- MoveIT-WebShellCheck a Python script by ZephrFish
- Sigma rule by Florian Roth
- Yara rule by Florian Roth
- Sigma rule by tsale
Malwarebytes detects the malicious webshell C:\MOVEitTransfer\wwwroot\human2.aspx as Exploit.Silock.MOVEit and blocks five malicious IP addresses—138.197.152.201, 209.97.137.33, 5.252.191.0/24, 148.113.152.144, 89.39.105.108—that were found to be looking for vulnerable systems.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
TRY NOW
Related news
While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.
Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a Path traversal issue allowing an unauthenticated user to read arbitrary files on the file system.
In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.
The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint
A security defect was discovered in Foundry Issues that enabled users to create convincing phishing links by editing the request sent when creating an Issue. This defect was resolved in Frontend release 6.228.0 .
A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks.
A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.
A security defect was identified that enabled a user of Foundry Issues to perform a Denial of Service attack by submitting malformed data in an Issue that caused loss of frontend functionality to all issue participants. This defect was resolved with the release of Foundry Issues 2.510.0 and Foundry Frontend 6.228.0.
Users need to patch the latest SQL injection vulnerability as soon as possible. Meanwhile, Cl0p's data extortion rampage gallops on.
A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.
This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.
These clinics offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.
The announcement was posted on Twitter via the Rewards for Justice Twitter account, alongside encrypted messaging system options for anyone to get into contact should they have viable information.
Gen Digital, the parent company of the security companies, is the latest victim in a rash of Cl0p attacks on the bug in the MOVEit transfer software, leading to employee data being revealed.
The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Progress Tags: Moveit Tags: CVE-2023-34362 Tags: CVE-2023-35036 Tags: Cl0p Progress has released an advisory about yet another MOVEit Transfer vulnerability while new victims of the first one keep emerging. (Read more...) The post MOVEit discloses THIRD critical vulnerability appeared first on Malwarebytes Labs.
Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The
The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.
By Waqas Ofcom, the UK communications regulator, is the latest victim of the infamous Cl0p extortion gang, who have been exploiting MOVEit vulnerabilities to target high-profile firms. This is a post from HackRead.com Read the original post: UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: MOVEit Tags: Progress Tags: Cl0p Tags: ransomware Tags: CVE-2023-34362 A security audit of the MOVEit code has revealed more SQL injection vulnerabilities, while victims of the first vulnerability are coming to the surface. (Read more...) The post More MOVEit vulnerabilities found while the first one still resonates appeared first on Malwarebytes Labs.
Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain
YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection
Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.