What we know about the MOVEit vulnerabilities and compromises – Cybersecurity Dive


Editor’s note: This article has been updated to detail threats from Clop, the ransomware group responsible for the attacks, and a newly discovered vulnerability. While this story details what was known early on about the MOVEit campaign, please refer to this timeline for a more comprehensive look at how these file transfer attacks have entangled hundreds of victims.

A spree is afoot: a financially motivated ransomware group has actively exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer service to steal customers’ data.

Exploits have been underway for at least four months, according to Trustwave, and the compromise of MOVEit databases has resulted in at least one follow-on attack that has ensnared multiple downstream victims.

Some large, well-known organizations came forward June 5 to disclose that the personally identifiable information of their employees had been compromised. This occurred after Zellis, a U.K.-based payroll provider that uses MOVEit, was attacked via the vulnerability.

The Clop ransomware group, also known as TA505, published a statement on its dark web site on June 6 claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.

With investigations underway, cyber authorities, threat hunters and security researchers from many firms are on guard and anticipate more victims.

“Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” the Cybersecurity and Infrastructure Security Agency and FBI said June 7 in a joint advisory.

High-profile victims come forward

The follow-on attack impacted eight Zellis customers thus far, including British Airways and the BBC.

“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them,” a Zellis spokesperson said via email.

A British Airways spokesperson said the airline is notifying employees whose PII was compromised and a spokesperson for the BBC said the media company is investigating the extent of the breach.

The government of Nova Scotia, which uses the MOVEit file transfer service, said it discovered the PII of residents was compromised after Progress informed the Canadian province of the vulnerability on June 1.

Progress declined to say how many companies currently use MOVEit or how many victims it’s aware of to date.

The company said it has hundreds of thousands of customers, including 1,700 software companies and 3.5 million developers, according to a filing with the Securities and Exchange Commission for the fiscal first quarter ending Feb. 28.

Progress estimates MOVEit Transfer and MOVEit Cloud accounted for less than 4% of its annual revenue, according to an 8-K filed with the SEC on May 30.

The file transfer service has customers across highly regulated industries, exemplifying the potential damage among government, finance and healthcare organizations.

How the zero-day unraveled

The vulnerability, which was first disclosed by Progress on May 31 and assigned CVE-2023-34362 on June 2, impacts on-premises and cloud-based versions of MOVEit.

The vendor issued a patch for on-premises versions of MOVEit and patched cloud test servers on June 1.

“We have also implemented a series of third-party validations to ensure the patch has corrected the exploit,” a Progress spokesperson said.

The company said it’s not aware of any active exploits of the vulnerability prior to last week.

“We have publicly disclosed our understanding of the timeline in our Form 8-K filing. This is an ongoing investigation and based on the intelligence sharing within the security community and what we currently know,” a Progress spokesperson said.

Progress continues to encourage on-premises customers of MOVEit to apply the patch as soon as possible.

As of June 7, researchers at Censys observed more than 2,600 hosts exposed to the internet currently running the service.

All hands on deck

CISA, CrowdStrike, Mandiant, Microsoft, Huntress and Rapid7 are all assisting Progress with incident response and ongoing investigations, the company said.

This is the third high-profile, actively exploited zero-day vulnerability currently linked to a file-transfer service this year. Clop is responsible for two of these supply-chain attacks, including a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service the group exploited in March.

Clop was also responsible for the zero-day-exploit-driven campaign against Accellion file transfer devices in 2020 and 2021. “In recent campaigns beginning 2021, Clop preferred to rely mostly on data exfiltration over encryption,” federal authorities said in the advisory.

Prior to Clop’s latest spree of attacks, CISA and the FBI estimated the threat actor group has compromised more than 3,000 U.S.-based organizations and 8,000 organizations based elsewhere.