MOVEit Supply Chain Attack Campaign August Update
Updated August 15th
In the past few months, three new vulnerabilities in the MOVEit file transfer software have been discovered, including one over the weekend. MOVEit is used by around 1700 organizations worldwide. As is typical when a widely used supply chain component is compromised, the impact is severe: large organizations such as the BBC and Zellis have been hit.
Cl0p, one of the most experienced ransomware groups and one known for thriving on vulnerability exploitation, announced that it would release hundreds of new victims. Cl0p has reportedly been experimenting with ways to exploit this particular flaw since as far back as July 2021. In the first week Cl0p announced around 30 new victims, but that was only the start, and the vulnerability is still being exploited. The Cyberint Research Team is monitoring the group’s activity closely.
All three critical vulnerabilities have since been patched by Progress Software.
The Evolution of the MOVEit Vulnerabilities
MOVEit is a managed file transfer (MFT) product that encrypts files and uses secure file transfer protocols to move data between teams, departments and companies. By encrypting files and using secure transfer protocols, MOVEit is positioned as a reliable solution for transferring data. MOVEit is used in the healthcare, finance, technology, and government industries and is trusted by thousands of enterprises, including 1,700 software companies and 3.5 million developers.
On May 31, a critical zero-day vulnerability was discovered in the MOVEit Transfer web application. It is an SQL injection vulnerability that allows threat actors to extract data from the victim’s database, execute their own SQL queries, and manipulate or delete data. On June 2nd, it was officially assigned CVE-2023-34362, with a CVSS score of 9.8 (critical).
On June 9, a second SQL injection vulnerability in MOVEit Transfer was disclosed. Assigned CVE-2023-35036, it covers different attack vectors for SQL injection and likewise allows threat actors to leak data from the database. Exploiting it involves submitting a crafted payload to a MOVEit Transfer endpoint, which may result in modification and disclosure of the MOVEit database’s contents.
Then a third vulnerability, CVE-2023-35708, was discovered: another SQL injection that can lead to escalated privileges and potential unauthorized access. Together, these vulnerabilities allow threat actors to gain administrative privileges, exfiltrate files, and deploy payloads that can immediately launch ransomware or other malicious activity.
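The three MOVEit flaws above are all SQL injection, so it is worth seeing the generic shape of that defect class side by side with its fix. The following is an added illustration written for this page; it is not MOVEit Transfer code, not Cyberint's, and says nothing about the actual MOVEit endpoints or payloads. The in-memory table, its rows and the sample input are constructed here purely to show why concatenating untrusted input into a query lets a caller change the query's structure, and why a bound parameter does not.

```python
import sqlite3

# Constructed stand-in for an application's account table (not MOVEit's schema).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'user');
INSERT INTO users VALUES (2, 'bob', 'user');
INSERT INTO users VALUES (3, 'sysadmin', 'admin');
"""


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: untrusted input is spliced into the SQL text.

    A quote character in `username` ends the string literal early, so the
    rest of the input is parsed as SQL and can widen the WHERE clause.
    """
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the value is bound as a parameter.

    The driver ships the statement and the value separately, so whatever the
    input contains it is only ever compared as data against the column.
    """
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed sample input containing a quote and an always-true condition.
INJECTION = "x' OR '1'='1"


def compare(username: str) -> tuple:
    """Return (rows from the vulnerable query, rows from the fixed query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for candidate in ("alice", INJECTION):
        bad, good = compare(candidate)
        print(f"input={candidate!r}: vulnerable -> {len(bad)} row(s), parameterized -> {len(good)} row(s)")
```

Run it and the benign name returns one row from both functions, while the crafted input returns every row (including the admin account) from the string-concatenated query and nothing from the parameterized one. The same contrast holds for any SQL driver that supports bound parameters, which is the standard fix for this class of bug.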
Exploitation
The vulnerability was widely exploited in the wild prior to its official disclosure and the patch that was made available. While the vendor claims to have observed exploitation of the vulnerability only in late May 2023, numerous security vendors have detected indications of exploitation as early as March 2023.
Moreover, there are indications suggesting that the Cl0p ransomware group had already experimented with this vulnerability in 2021. Exploits and proofs-of-concept (POCs) for this vulnerability have already been published and can be found in various sources on the deep and dark web.
To this day, Cyberint has been able to find more than 2500 exposed MOVEit servers, with the majority of them located in the United States, followed by European countries and Canada.
Clop Ransomware’s MOVEit Campaign
The new information regarding the MOVEit vulnerability did not appear to be new to the Cl0p ransomware group, which had it in its sights long before it was made public. There are suggestions that Cl0p ransomware has been experimenting with this vulnerability since 2021. Indicators also showed that the group attempted to extract data from compromised MOVEit servers in April 2022.
Cl0p ransomware has demonstrated a pattern of conducting zero-day exploit campaigns against various targets, such as Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and GoAnywhere MFT servers in early 2023. This indicates that such campaigns may be an appealing modus operandi for Cl0p ransomware and provides insights into the technical profile of some of Cl0p’s gang members.
One of the notable victims of the MOVEit vulnerability is Zellis, a UK-based provider of payroll and HR solutions. Utilizing the vulnerability, the Cl0p ransomware group launched an attack on Zellis, and gained unauthorized access to sensitive information belonging to Zellis and its clients. The recent MOVEit supply chain attack has impacted well-known entities such as British Airways, the BBC, and the Minnesota Department of Education, potentially affecting millions of individuals worldwide.
Clop Ransomware’s Statement
In this case, and following many publications regarding Cl0p’s involvement in exploiting the MOVEit vulnerability, Cl0p decided to make a statement on its website regarding the attacks. In it, Cl0p claimed to have attacked hundreds of organizations and gave them a deadline of June 14 to make contact in order to prevent the data taken from their systems from being leaked.
At first, around 40 new victims were published, most of them by Cl0p. Cl0p also stated that it had deleted all the information it held on government entities, although there is still a chance that, before doing so, it had shared that data with other government entities that might find it useful, as most ransomware groups do.
Then NortonLifeLock joined the list of affected companies. NortonLifeLock confirmed the attack but, according to its official statement, only employee data was compromised.
This is the official statement to SecurityWeek:
“We use MOVEit for file transfers and have remediated all known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed. Unfortunately, some personal information of Gen employees and contingent workers was impacted, which included information like name, company email address, employee ID number, and in some limited cases, home address and date of birth. We immediately investigated the scope of the issue and have notified the relevant data protection regulators and our employees whose data may have been impacted.”
So far, close to 600 organizations have been impacted by the MOVEit supply chain attack, including Chuck E. Cheese, Deloitte and Johns Hopkins Health System. Most of these organizations have experienced data loss. Despite Cl0p’s reassurance, the organizations hit include multiple government entities, among them U.S. government contractor Maximus, a Medicaid enrollment broker.
Maximus released a statement saying that they “use MOVEit for internal and external file sharing purposes, including to share data with government customers pertaining to individuals who participate in various government programs”.
Up until August, MOVEit leak updates were shared on clear web sites that can easily be taken down. Now they are being shared via torrents (Figure 3). This method is decentralized and makes it harder for authorities to shut down the activity.
MOVEit Update August 15th
Cl0p announced that if it was not paid by August 15th it would release information on major companies it had breached. On August 15th it kept its word. Discord.io was added to the list, with data on 760K users stolen. Discord.io is not an official Discord site, but it is closely linked, being a third-party service that lets server owners create custom invites to their channels.
It’s reported that Cl0p will earn upwards of $75M from the MOVEit extortion attacks.
What’s Coming Next in the MOVEit Supply Chain Attack
As the official final number of victims in this campaign has yet to be determined, there is significant potential for a substantial increase in the number of affected companies, as is typical of a supply chain attack.
The MOVEit supply chain attack shows us once again how devastating a successful campaign can be. Although MOVEit’s customers number only around 2000 companies, it still plays a crucial part in the compromise of hundreds of victims worldwide.
As Cl0p ransomware’s most popular trait is to exploit zero-days and other high-impact vulnerabilities, we get a deadly combination of a skilled ransomware group and a critical vulnerability in a supply chain product.
Cyberint’s Supply Chain Intelligence Module
Cyberint’s Supply Chain Intelligence module continuously discovers your vendors and technologies, monitors and evaluates their exposures, and issues alerts on major risks and breaches. Learn more about our Supply Chain Intelligence module here or get a demo.