MOVEit Transfer zero-day vulnerability exploited by threat actors
Target Industry
Indiscriminate, opportunistic targeting.
Overview
It has been reported that threat actors are actively exploiting a zero-day vulnerability within the MOVEit file transfer software. MOVEit Transfer is a file transfer platform that allows organisations to transfer files between individuals using the SFTP, HTTP and SCP protocols.
At the time of writing, the vulnerability has yet to receive an official CVE classification. However, Rapid7 researchers have determined that the security flaw is an SQL injection vulnerability that allows remote code execution.
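To make the vulnerability class concrete, the following added example (not MOVEit code and not the actual flaw, which the advisory does not detail) shows the general shape of an SQL injection: a query built by string concatenation beside the same lookup written with a bound parameter, run against a constructed in-memory SQLite table. The table, the `lookup_role_*` function names and the crafted input are assumptions made for the illustration.

```python
import sqlite3

# Constructed in-memory user store standing in for an application's database.
# Generic illustration of the SQL injection class; not MOVEit's schema or code.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'user'), ('sysadmin', 'sysadmin')"
    )
    conn.commit()
    return conn


def render_vulnerable_sql(name: str) -> str:
    """Statement as the vulnerable variant builds it: input spliced into the text."""
    return "SELECT role FROM users WHERE name = '" + name + "'"


def lookup_role_vulnerable(conn: sqlite3.Connection, name: str):
    # Attacker-controlled input becomes part of the query text, so quotes and
    # comment markers in it change the statement's structure.
    row = conn.execute(render_vulnerable_sql(name)).fetchone()
    return row[0] if row else None


def lookup_role_safe(conn: sqlite3.Connection, name: str):
    # Parameterised: the value travels separately from the statement, so it is
    # only ever compared as data and cannot alter the WHERE clause.
    row = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


# Constructed input that closes the string literal and appends its own condition.
CRAFTED_NAME = "x' OR role = 'sysadmin' --"


def demo():
    """Return (vulnerable result, safe result) for the crafted input."""
    conn = make_db()
    return (
        lookup_role_vulnerable(conn, CRAFTED_NAME),
        lookup_role_safe(conn, CRAFTED_NAME),
    )


if __name__ == "__main__":
    print("query sent by vulnerable variant:", render_vulnerable_sql(CRAFTED_NAME))
    print("vulnerable -> %r, parameterised -> %r" % demo())
```

The vulnerable variant returns the privileged role for a name that does not exist, while the parameterised variant returns nothing; the same distinction is the remediation for the class, whatever the specific endpoint.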
Update: 7th July 2023
A new security patch has been released to fix three vulnerabilities, including a critical-severity SQL injection bug. The critical SQL injection vulnerability is tracked as CVE-2023-36934; the two less severe issues are tracked as CVE-2023-36932, another SQL injection issue, and CVE-2023-36933, which allows the attacker to terminate the programme.
Update: 5th June 2023
Microsoft has attributed the active exploitation of the recently disclosed MOVEit file transfer vulnerability, tracked as CVE-2023-34362, to Clop ransomware operators.
Update: 7th June 2023
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory regarding the recently disclosed MOVEit vulnerability, tracked as CVE-2023-34362, which contains details pertaining to the Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) of the associated Clop ransomware operators.
Update: 12th June 2023
Security researchers have released Proof of Concept (PoC) code for the recently discovered MOVEit zero-day vulnerability, tracked as CVE-2023-34362. The PoC exploits the SQL injection flaw to obtain a sysadmin API access token, which would allow threat actors to gain remote code execution capabilities.
Impact
By exploiting the zero-day within the MOVEit platform, threat actors are able to exfiltrate significant quantities of data from target organisations, thus compromising the integrity of data pertaining to employees and business affiliates. Furthermore, this could lead to threat actors attaining elevated privileges and unauthorised access to target environments.
Update: 5th June 2023
Successful exploitation of CVE-2023-34362 could allow a threat actor to gather details regarding the structure and contents of vulnerable databases and execute SQL statements that alter or delete database elements.
Affected Products
- MOVEit Transfer 2023.0.0
- MOVEit Transfer 2022.1.x
- MOVEit Transfer 2022.0.x
- MOVEit Transfer 2021.1.x
- MOVEit Transfer 2021.0.x
Update: 7th July 2023
The affected MOVEit Transfer versions and their remediated versions are:
- MOVEit Transfer 2023.0.x (15.0.x) fixed by MOVEit Transfer 2023.0.4 (15.0.4)
- MOVEit Transfer 2022.1.x (14.1.x) fixed by MOVEit Transfer 2022.1.8 (14.1.8)
- MOVEit Transfer 2022.0.x (14.0.x) fixed by MOVEit Transfer 2022.0.7 (14.0.7)
- MOVEit Transfer 2021.1.x (13.1.x) fixed by MOVEit Transfer 2021.1.7 (13.1.7)
- MOVEit Transfer 2021.0.x (13.0.x) fixed by MOVEit Transfer 2021.0.9 (13.0.9)
- MOVEit Transfer 2020.1.6 (12.1.6) or later fixed by special service pack
- MOVEit Transfer 2020.0.x (12.0.x) or older must upgrade to a supported version.
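The version table above is easy to misread during an incident, so here is an added example (not vendor code) that encodes it as a check: given an installed version string in either the year-based form (2023.0.3) or the internal form shown in parentheses (15.0.3), it reports whether the branch is patched, which fixed build to move to, or that the branch is out of support. The mapping from year-based names to internal numbers (year minus 2008) is an assumption derived from the pairs listed above, and the function names are mine.

```python
import re

# Remediated build per branch, exactly as listed above, keyed by the internal
# (major, minor) number shown in parentheses. Added example, not vendor code.
FIXED_BY_BRANCH = {
    (15, 0): (15, 0, 4),  # 2023.0.x -> 2023.0.4
    (14, 1): (14, 1, 8),  # 2022.1.x -> 2022.1.8
    (14, 0): (14, 0, 7),  # 2022.0.x -> 2022.0.7
    (13, 1): (13, 1, 7),  # 2021.1.x -> 2021.1.7
    (13, 0): (13, 0, 9),  # 2021.0.x -> 2021.0.9
}
SERVICE_PACK_FLOOR = (12, 1, 6)  # 2020.1.6 (12.1.6) or later: special service pack

# Assumption derived from the pairs above: year-based names map to internal
# numbers as year - 2008 (2023 -> 15, 2022 -> 14, 2021 -> 13, 2020 -> 12).
YEAR_OFFSET = 2008


def parse_version(text: str):
    """Parse '2023.0.3' or '15.0.3' into an internal (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major >= 2000:  # year-based form
        major -= YEAR_OFFSET
    return (major, minor, patch)


def fmt(version) -> str:
    return ".".join(str(part) for part in version)


def assess(text: str) -> str:
    """Classify an installed version against the advisory's remediation table."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if v >= fixed:
            return "patched"
        return f"vulnerable: upgrade to {fmt(fixed)}"
    if branch == (12, 1):
        if v >= SERVICE_PACK_FLOOR:
            return "apply the special service pack"
        # 2020.1.0 to 2020.1.5 are not addressed by the table above.
        return "not covered by the advisory table: consult the vendor"
    if v < (12, 1, 0):
        return "unsupported: upgrade to a supported version"
    return "unknown branch: consult the vendor advisory"


if __name__ == "__main__":
    for sample in ["2023.0.3", "15.0.4", "2022.1.8", "13.0.2", "2020.1.6", "2020.0.5"]:
        print(f"{sample:>10} -> {assess(sample)}")
```

Tuple comparison does the ordering, so the check stays correct for patch numbers above 9 without any string tricks; the installed version can be read from the server's add/remove programs entry or the product's about dialog and pasted straight in.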
Containment, Mitigations & Remediations
It is strongly advised that organisations shut down any instances of MOVEit Transfer if a security update has yet to be released for a specific version.
Further details regarding mitigation steps as well as links to the updated versions can be found within the Progress Security Advisory.
Update: 7th June 2023
It is strongly recommended that the following CISA security best practices standards are followed to prevent exploitation by Clop ransomware operators:
- Implement application controls to manage and control execution of software
- Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services
- Disable command-line and scripting activities and permissions
- Restrict the use of PowerShell, using Group Policy, and only grant to specific users on a case-by-case basis
- Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognised accounts
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
- Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum)
- Require all accounts with password logins to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies
- Require multifactor authentication for all services to the extent possible
- Ensure that all operating systems, software, and firmware are up to date
- Segment networks to prevent the spread of ransomware
- Install, regularly update, and enable real-time detection for antivirus software on all hosts
- Disable unused ports
- Consider adding an email banner to emails received from outside your organisation
- Disable hyperlinks in received emails
- Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organisation’s data infrastructure.
Indicators of Compromise
Network Indicators:
- 138.197.152[.]201
- 209.97.137[.]33
- 5.252.191[.]0/24
- 148.113.152[.]144
- 89.39.105[.]108
Administrators should also investigate the ‘c:\MOVEit Transfer\wwwroot\’ folder for unexpected files.
Update: 5th June 2023
File hashes (SHA256):
- 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9
- 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286
- 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2
- 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59
- 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166
- 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8
- a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986
- b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03
- cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621
- ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c
IP addresses:
- 138.197.152[.]201
- 209.97.137[.]33
- 5.252.191[.]0/24
- 148.113.152[.]144
- 89.39.105[.]108
- 5.252.189[.]0/24
- 5.252.190[.]0/24
- 5.252.191[.]0/24
- 198.27.75[.]110
- 209.222.103[.]170
- 84.234.96[.]104
Update: 7 June 2023
MOVEit campaign file hashes (SHA256):
- 0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495
- 2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
- 348e435196dd795e1ec31169bd111c7ec964e5a6ab525a562b17f10de0ab031d
- 387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a
- 38e69f4a6d2e81f28ed2dc6df0daf31e73ea365bd2cfc90ebc31441404cca264
- 3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b
- 3ab73ea9aebf271e5f3ed701286701d0be688bf7ad4fb276cb4fbe35c8af8409
- 3c0dbda8a5500367c22ca224919bfc87d725d890756222c8066933286f26494c
- 4359aead416b1b2df8ad9e53c497806403a2253b7e13c03317fc08ad3b0b95bf
- 48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
- 5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff
- 6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
- 702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
- 769f77aace5eed4717c7d3142989b53bd5bac9297a6e11b2c588c3989b397e6b
- 7c39499dd3b0b283b242f7b7996205a9b3cf8bd5c943ef6766992204d46ec5f1
- 93137272f3654d56b9ce63bec2e40dd816c82fb6bad9985bed477f17999a47db
- 9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
- 9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
- a1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7
- b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
- b9a0baf82feb08e42fa6ca53e9ec379e79fbe8362a7dac6150eb39c2d33d94ad
- bdd4fa8e97e5e6eaaac8d6178f1cf4c324b9c59fc276fd6b368e811b327ccf8b
- c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4
- c77438e8657518221613fbce451c664a75f05beea2184a3ae67f30ea71d34f37
- cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45
- d477ec94e522b8d741f46b2c00291da05c72d21c359244ccb1c211c12b635899
- d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
- daaa102d82550f97642887514093c98ccd51735e025995c2cc14718330a856f4
- e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e
- ea433739fb708f5d25c937925e499c8d2228bf245653ee89a6f3d26a5fd00b7a
- f0d85b65b9f6942c75271209138ab24a73da29a06bc6cc4faeddcb825058c09d
- fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2
MOVEit campaign IP addresses:
- 04.194.222[.]107
- 146.0.77[.]141
- 146.0.77[.]155
- 146.0.77[.]183
- 162.244.34[.]26
- 162.244.35[.]6
- 179.60.150[.]143
- 185.104.194[.]156
- 185.104.194[.]24
- 185.104.194[.]40
- 185.117.88[.]17
- 185.162.128[.]75
- 185.174.100[.]215
- 185.174.100[.]250
- 185.181.229[.]240
- 185.181.229[.]73
- 185.183.32[.]122
- 185.185.50[.]172
- 188.241.58[.]244
- 193.169.245[.]79
- 194.33.40[.]103
- 194.33.40[.]104
- 194.33.40[.]164
- 198.12.76[.]214
- 206.221.182[.]106
- 209.127.116[.]122
- 209.127.4[.]22
- 45.227.253[.]133
- 45.227.253[.]147
- 45.227.253[.]50
- 45.227.253[.]6
- 45.227.253[.]82
- 45.56.165[.]248
- 5.149.248[.]68
- 5.149.250[.]74
- 5.149.250[.]92
- 5.188.86[.]114
- 5.188.86[.]250
- 5.188.87[.]194
- 5.188.87[.]226
- 5.188.87[.]27
- 5.252.23[.]116
- 5.252.25[.]88
- 5.34.180[.]205
- 62.112.11[.]57
- 62.182.82[.]19
- 62.182.85[.]234
- 66.85.26[.]215
- 66.85.26[.]234
- 66.85.26[.]248
- 79.141.160[.]78
- 79.141.160[.]83
- 84.234.96[.]31
- 89.39.104[.]118
- 91.202.4[.]76
- 91.222.174[.]95
- 91.229.76[.]187
- 93.190.142[.]131
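The indicator lists above are only useful once they are matched against your own telemetry, so the following added example (my code, not from the advisory or the vendor) does the two checks the section calls for: it refangs the published addresses (single IPs and the /24 ranges alike), matches them against the client address column of IIS W3C log lines, and hashes every file under a directory such as the wwwroot folder named above against the published SHA256 list, returning all files so that unexpected additions can be reviewed even when their hash is not yet known. Only a subset of the published IPs and one hash are embedded to keep the block short; the log lines and the file written to a temporary directory are constructed, not real traffic or real artefacts.

```python
import hashlib
import ipaddress
import os
import tempfile

# Indicators copied from the lists above, still defanged with "[.]"; a subset only.
RAW_IPS = [
    "138.197.152[.]201",
    "209.97.137[.]33",
    "5.252.191[.]0/24",
    "84.234.96[.]104",
]
RAW_HASHES = {
    "0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 5.252.191[.]0/24 back into a usable form."""
    return indicator.replace("[.]", ".")


def build_networks(raw_ips):
    """Single addresses become /32 networks, so one membership test covers both."""
    return [ipaddress.ip_network(refang(r), strict=False) for r in raw_ips]


def ip_matches(ip_text: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # malformed field, e.g. a '-' placeholder
        return False
    return any(addr in net for net in networks)


# Constructed IIS W3C log lines (not real traffic). The #Fields header is used to
# locate the client address column instead of assuming a fixed position.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2023-06-01 03:14:07 10.0.0.5 POST /login - 443 - 138.197.152.201 200
2023-06-01 03:14:09 10.0.0.5 GET /upload - 443 - 5.252.191.77 200
2023-06-01 03:15:00 10.0.0.5 GET /upload - 443 jsmith 203.0.113.9 200
"""


def scan_iis_log(text: str, networks):
    """Return (line number, client IP, method and path) for lines from IoC addresses."""
    hits = []
    c_ip_index = None
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            c_ip_index = line.split()[1:].index("c-ip")
            continue
        if line.startswith("#") or not line.strip() or c_ip_index is None:
            continue
        fields = line.split()
        if len(fields) <= c_ip_index:
            continue
        if ip_matches(fields[c_ip_index], networks):
            hits.append((number, fields[c_ip_index], " ".join(fields[3:5])))
    return hits


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root: str, bad_hashes):
    """Hash every file under root and flag those on the published list."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            findings.append({"path": path, "sha256": digest, "known_bad": digest in bad_hashes})
    return findings


def demo():
    """Run both checks on constructed input; returns (log hits, directory findings)."""
    networks = build_networks(RAW_IPS)
    hits = scan_iis_log(SAMPLE_LOG, networks)
    with tempfile.TemporaryDirectory() as root:
        # Constructed file standing in for wwwroot contents; its hash is not listed.
        with open(os.path.join(root, "unexpected.aspx"), "w") as fh:
            fh.write('<%@ Page Language="C#" %>\n')
        findings = sweep_directory(root, RAW_HASHES)
    return hits, findings


if __name__ == "__main__":
    hits, findings = demo()
    for hit in hits:
        print("IoC address hit:", hit)
    for f in findings:
        print("file:", f["path"], "KNOWN BAD" if f["known_bad"] else "review manually")
```

In production, point `sweep_directory` at the real wwwroot path and feed `scan_iis_log` the server's log files; an address hit against a /24 range is a weaker signal than a hit on a single published IP or a hash match, so triage them in that order.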
Threat Landscape
MOVEit is ranked within the top tier of file transfer solutions by market share. Threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, so file transfer solutions such as MOVEit have become a prime target. Because file transfer platforms are now an integral part of both personal and business operations, threat actors will continue to exploit vulnerabilities in these platforms in an attempt to extract the sensitive data they hold.
Update: 5th June 2023
Lace Tempest has leveraged similar vulnerabilities in the past to achieve the objectives of data exfiltration and victim extortion. Clop ransomware operations have also been attributed to previous file transfer platform vulnerabilities such as the GoAnywhere MFT zero-day (CVE-2023-0669) in January 2023.
Reports have indicated that the attack campaign was initiated on 27th May 2023 with several organisations becoming victims in the process. Clop ransomware operators typically add a list of new victims to their data leak site following their initial extortion attempts. It should be noted that at the time of writing, although victims have yet to be actively extorted, it is almost certain that this will occur in the near future.
Update: 12th June 2023
The release of the PoC means that threat actors will step up their efforts to exploit the vulnerability on any remaining unpatched systems.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Update: 5th June 2023
Microsoft has attributed the Clop ransomware operations regarding CVE-2023-34362 to the financially motivated threat actor group tracked as ‘Lace Tempest’ (also known as FIN11, TA505).
Mitre Methodologies
Tactics:
- TA0004 – Privilege Escalation
- TA0010 – Exfiltration
Further Information
Quorum Cyber Clop Ransomware Report
Horizon3 MOVEit Vulnerability PoC Report
Update: 7th July 2023