
MOVEit Transfer Attack Campaign: Analysis

Background

Progress Software’s managed file transfer (MFT) solution MOVEit Transfer has been under ongoing attacks since late May 2023 by the notorious Cl0p threat group, who has been observed exploiting multiple critical zero-day vulnerabilities. MOVEit Transfer is an on-premises or cloud file transfer server that provides organizations with solutions for collecting, storing, managing, and distributing information between their partners and clients. Following successful exploitation, the threat actors were able to exfiltrate large datasets of sensitive information from a wide array of industries, which were later used to extort ransom payments from the victims. Research firm Emsisoft has been tracking the number of compromised organizations throughout the campaign. To date, Emsisoft has found that at least 383 organizations have been compromised in the MOVEit campaign across the world, negatively impacting more than 20 million people [1]. This has been a very challenging game of “whack-a-mole” for Progress Software to mitigate; as vulnerabilities were patched, threat actors would discover a new vulnerability to exploit for the same gain. To date, the known vulnerabilities have been patched, and Progress has offered manual mitigation techniques in case new vulnerabilities arise.

Vulnerabilities

There are three (3) main vulnerabilities that were exploited by Cl0p actors to compromise the victim organizations: CVE-2023-34362 [2], CVE-2023-35036 [3], and CVE-2023-35708 [4]. The flaws are SQL injection vulnerabilities that allow threat actors to escalate their privileges to conduct remote code execution (RCE) [5] attacks. An attacker could exploit these vulnerabilities by sending maliciously crafted payloads to vulnerable MOVEit Transfer endpoints, allowing for modifications to databases and exfiltration of the data within.

Cl0p Ransomware

Throughout the past few years, Cl0p Ransomware has been an active ransomware-as-a-service (RaaS) operation that practices double extortion: encrypting victim data and using that data to further extort ransom payments out of the victims in exchange for the decryption keys. Victims who do not cooperate often eventually find their data exposed on the adversary’s data leak site. Although their modus operandi has been ransomware campaigns, Cl0p has recently begun pivoting heavily to “smash-and-grab” strategies that only exfiltrate the data, as opposed to also encrypting the data on the victim servers. This was seen in the Fortra/Linoma GoAnywhere MFT server compromise by Cl0p in early 2023, the Accellion File Transfer Appliances (FTA) attack campaign in 2020-2021, and the SolarWinds Serv-U attack campaign in 2021. To make matters worse, Cl0p has taken a page out of the ALPHV ransomware gang’s playbook by posting their victim data on the clear web through individually registered websites. As opposed to only posting on their dark web leak site, which is harder for users to access and slower to download from, Cl0p has been registering websites for the companies they have compromised. The data normally posted on their leak site is now available for download from the open internet, meaning that an exponentially greater number of people could easily access the data. The U.S. State Department's Rewards for Justice program is offering up to $10 million for information tying the Cl0p ransomware gang to a foreign government [6], hoping to put an end to the group’s nefarious activities.


Figure 1: Cl0p ransom note [4]

How It Works

Researchers state that the main sign that a server has been compromised is the presence of a webshell named "human2.asp," located in the "c:\MOVEit Transfer\wwwroot\" public HTML folder [7], which, when accessed, will execute a script with various malicious commands. The execution of the script allows the threat actor to perform actions like downloading sensitive files and information, creating new privileged users, and conducting reconnaissance on the configured Azure Blob Storage account, allowing the threat actor to exfiltrate data directly from the victim's Azure Blob Storage containers. The Senior Manager of Rapid7's Vulnerability Research team stated that there is evidence that the threat actors have already automated the exploitation of these vulnerabilities and begun to mass-download data from affected companies [8].


Figure 2: MOVEit Transfer server exploited to install webshell [5]

Impact

Thousands of instances of MOVEit Transfer are exposed to the public internet, with the majority of them located in the United States, including U.S. government entities. The investigations of this attack campaign have shown that victims were compromised in many different ways: some organizations were compromised directly, some through a third party, and some through a contractor of a third party. As of July 18, 2023, there have been at least 383 victim organizations compromised by Cl0p, affecting almost twenty million individuals. The organizations are in an array of industries, including private entities, U.S. schools, the U.S. public sector, and the international public sector. Out of the 383 impacted organizations, many of them provide services to multiple other organizations, meaning that the victim metrics will continue to increase.

The impacted individuals are not only susceptible to fallout from the MOVEit attack campaign but also to future attacks made possible by leaked privileged information. Some examples of the exfiltrated data include names, phone numbers, Social Security numbers (SSN), addresses, financial information, and account credentials. The victims will be at high risk for phishing scams, bank fraud, and other social engineering attacks. The cost to the impacted organizations will be great, and victims will likely require security and credit monitoring in the near future. The exploitation of these vulnerabilities reaffirms the claims made by researchers that the design of file transfer platforms is fundamentally flawed and that patching single vulnerabilities will only defend organizations until threat actors are able to find another way to conduct the same type of exploitation.

Mitigation

Progress Software has released security patches for all affected software versions and restricted HTTPS traffic for MOVEit Cloud. In the event that another zero-day flaw is actively exploited, Progress has urged customers to restrict external HTTP and HTTPS access to their own MOVEit Transfer environments. Progress Software and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [9] have provided manual mitigation and security hardening techniques to help customers identify or thwart exploitation [1]. These include first shutting down any MOVEit Transfer servers to perform a thorough investigation for indicators of compromise or evidence of large file downloads. Administrators should also disable all HTTP and HTTPS traffic to their MOVEit Transfer environments, including backups.
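The indicators named in the "How It Works" section (a webshell file dropped into the wwwroot folder) and the investigation step recommended above (looking for evidence of large file downloads) can both be checked from the artifacts a MOVEit Transfer server already produces. The following is an added example written for this article, not code from Progress Software, CISA, or the article's authors. It parses IIS W3C extended log lines, flags requests whose file name stem is "human2" (the article names "human2.asp"; matching on the stem also catches an .aspx variant), flags successful responses above an assumed size threshold, and compares the script files under wwwroot against a baseline inventory. The log lines, the API download path, the 100 MiB threshold, and the baseline inventory are all constructed for the example and must be replaced with a site's real data.

```python
"""Hunt for MOVEit Transfer compromise indicators in IIS logs and wwwroot (added example)."""
import os
import tempfile
from pathlib import PurePosixPath

WEBSHELL_STEM = "human2"                  # article: webshell "human2.asp" in wwwroot
LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024  # assumed "large download" threshold; tune per site

# Constructed sample IIS log in W3C extended format. The parser reads the field
# order from the #Fields: directive, so it adapts to whatever IIS was configured to log.
# The /api/... path and IP addresses are made up for the example.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-05-28 03:12:51 203.0.113.7 GET /human2.asp 200 612
2023-05-28 03:13:01 203.0.113.7 GET /api/v1/folders/42/files/download 200 734003200
2023-05-28 08:02:10 198.51.100.4 GET /human.aspx 200 9120
2023-05-28 08:02:12 198.51.100.4 GET /human.aspx 302 -
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields: directive."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields: directive")
        values = line.split()  # IIS percent/plus-encodes spaces inside field values
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def webshell_requests(records):
    """Requests whose URI file name stem is the webshell name, any extension, any case."""
    return [r for r in records
            if PurePosixPath(r.get("cs-uri-stem", "")).stem.lower() == WEBSHELL_STEM]


def large_downloads(records, threshold=LARGE_DOWNLOAD_BYTES):
    """Successful responses whose sc-bytes is at or above the threshold (needs sc-bytes logged)."""
    out = []
    for r in records:
        try:
            sent = int(r.get("sc-bytes", "-"))
        except ValueError:
            continue  # "-" means IIS did not record the field for this request
        if r.get("sc-status") == "200" and sent >= threshold:
            out.append(r)
    return out


def unexpected_script_files(wwwroot, baseline):
    """Script files under wwwroot that are absent from the baseline inventory.

    baseline: set of lowercase, forward-slash relative paths known to belong to the install.
    """
    found = []
    for dirpath, _, filenames in os.walk(wwwroot):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in (".asp", ".aspx", ".ashx"):
                rel = os.path.relpath(os.path.join(dirpath, name), wwwroot)
                rel = rel.replace(os.sep, "/").lower()
                if rel not in baseline:
                    found.append(rel)
    return sorted(found)


def demo():
    """Run all three checks over the constructed sample data and return the findings."""
    records = parse_iis_log(SAMPLE_IIS_LOG)
    shell_ips = sorted({r["c-ip"] for r in webshell_requests(records)})
    big = [r["cs-uri-stem"] for r in large_downloads(records)]
    # Constructed wwwroot: one legitimate page plus a dropped webshell file.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("human.aspx", "human2.asp"):
            open(os.path.join(root, rel), "w").close()
        dropped = unexpected_script_files(root, baseline={"human.aspx"})
    return {"webshell_ips": shell_ips, "large_downloads": big, "dropped": dropped}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server, point `unexpected_script_files` at the wwwroot folder the article names and build the baseline from a known-good install of the same MOVEit Transfer version; an IP that both requested the webshell and pulled a large download is the first thing to pivot on in the investigation.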

New findings for this campaign are regularly being published, and the Ankura Cyber Threat Investigations & Expert Services (CTIX) team will continue to monitor the situation and inform our readers of new information through the FLASH newsletter.

[1] https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/

[2] https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

[3] https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023

[4] https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

[5] https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

[6] https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/

[7] https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/

[8] https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

[9] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
