The pain from the MOVEit file-transfer vulnerabilities keeps spreading for organizations that use the service and their customers.
More than 300 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.
MOVEit is an approved and accredited file-transfer service that meets regulatory compliance requirements for multiple government agencies and highly regulated industries. These auditor and government-backed certifications made it a widely used service for organizations with sensitive data.
Universities and education service providers — along with some of the world’s largest financial institutions, law firms, insurance providers, healthcare firms and government agencies — have been hit by this slow-moving disaster.
Many organizations have been impacted due to their direct use of MOVEit while others have been exposed as a result of third-party vendors’ use of the file-transfer service, including the National Student Clearinghouse, PBI Research Services, TIAA and Zellis.
The spree of attacks against MOVEit mark the third actively exploited zero-day vulnerability currently linked to a file-transfer service this year. The financially motivated Clop ransomware group is responsible for two of these supply-chain attacks, including a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service the group exploited in March.
The third file-transfer service attacked this year involves a vulnerability in IBM Aspera Faspex that threat actors were still exploiting in late March, almost four months after a patch was first made available.
Clop was also responsible for the zero-day exploit driven campaign against the Accellion file-transfer devices in 2020 and 2021.
Prior to Clop’s latest spree of attacks, the Cybersecurity and Infrastructure Security Agency and the FBI estimated the threat actor group has compromised more than 3,000 U.S.-based organizations and 8,000 organizations based elsewhere.
Cybersecurity experts expect further damage to come.
How the MOVEit mess unfolded
Progress received a call over Memorial Day weekend from a customer alerting the company to unusual activity in their MOVEit environment.
Progress disclosed a zero-day vulnerability in MOVEit, impacting all on-premises and cloud-based versions of the widely used file-transfer service.
The actively exploited SQL injection vulnerability allowed threat actors to escalate privileges and gain unauthorized access to customer environments.
The vendor said it issued a patch for on-premises versions of MOVEit and patched cloud test servers.
Multiple threat intelligence firms shared evidence of active exploits of the zero-day vulnerability and indicators of compromise.
“Mass exploitation and broad data theft has occurred over the past few days,” Mandiant Consulting CTO Charles Carmakal said in a statement.
Progress said it’s “extremely important” for all MOVEit customers to immediately apply mitigation measures, including disabling all HTTP and HTTPs traffic to MOVEit environments.
The actively exploited vulnerability was assigned CVE-2023-34362 with a severity rating of 9.8 out of 10.
Researchers at Censys said they observed more than 3,000 MOVEit hosts exposed to the internet before the first vulnerability was disclosed or patched.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an alert.
An initial wave of victims started coming forward, disclosing breaches linked to the exploited vulnerability, including British Airways, the BBC and the government of Nova Scotia.
Progress repeatedly declined to say how many companies were using MOVEit when the zero-day vulnerability was initially discovered. The company estimates MOVEit Transfer and MOVEit Cloud accounted for less than 4% of its annual revenue, according to an 8-K filed with the Securities and Exchange Commission.
Multiple customers of Zellis, a payroll provider compromised by the MOVEit zero-day vulnerability that services hundreds of companies in the U.K. were impacted. “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them,” a Zellis spokesperson said in a statement.
The period of active exploitation prior to discovery remained a moving target, as security researchers uncovered previously unknown attacks linked to the SQL injection vulnerability and subsequently discovered vulnerability.
“Trustwave has seen activity of source IPs recently exploiting the MOVEit application since at least February,” Spencer Ingram, Trustwave’s SVP of operations, said via email.
Huntress recreated the attack chain exploiting the vulnerability in MOVEit, asserting the webshell indicator of compromise previously shared by Progress and security researchers is not necessary to compromise the software. This would later be identified as a series of subsequently discovered vulnerabilities.
Clop, also known as TA505, published a statement on its dark web site claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.
Clop set a June 14 deadline for victims to contact the group and begin negotiations.
Mandiant also attributed the attacks to Clop, a group it identifies as FIN11, and published a 34-page containment and hardening guide for MOVEit customers.
Within a week of Progress’ initial disclosure, CISA, CrowdStrike, Mandiant, Microsoft, Huntress and Rapid7 were all assisting the company with incident response and ongoing investigations.
PBI Research Services, a third-party vendor that uses MOVEit and helps many large enterprises search databases, informed some of its customers about an extensive compromise linked to the MOVEit attacks. The breach of PBI’s systems exposed millions of customer files to theft.
“PBI Research Services uses Progress Software’s MOVEit file-transfer application with some of our clients. At the end of May, Progress Software identified a cyberattack in their MOVEit software that did impact a small percentage of our clients who use the MOVEit administrative portal software resulting in access to private records,” a PBI spokesperson said in a statement.
CISA and the FBI released a joint advisory to share recommendations for organizations at risk of compromise.
“Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” federal authorities said.
Risk analysis firm Kroll pushed the timeline for the now-exploited vulnerability dating back years, with its assertion Clop knew about and was experimenting with ways to exploit one of the vulnerabilities in MOVEit as early as July 2021.
Progress corroborated Huntress’ findings about a series of newly discovered SQL vulnerabilities in MOVEit. The company issued a patch for the new vulnerabilities and said there was no evidence the vulnerabilities had been exploited.
The new SQL injection vulnerabilities in MOVEit were assigned CVE-2023-35036 with a severity rating of 9.1.
"Cybersecurity experts and potential victims were on high alert as the initial deadline set by Clop expired.
Clop, which bills itself as one of the top organizations offering "after-the-fact penetration testing," made good on its threat and named a dozen victim organizations on its data-leak site.
Progress disclosed and released a patch for a new MOVEit vulnerability, the company said in an advisory, marking the third since Progress disclosed an actively exploited zero-day vulnerability two weeks prior.
The vendor encouraged all MOVEit customers to immediately address the new privilege escalation vulnerability, CVE-2023-35708, including measures to disable all HTTP and HTTPs traffic to MOVEit environments.
“At this time, we have not seen indications that this new vulnerability has been exploited,” a MOVEit spokesperson told Cybersecurity Dive in an emailed statement.
The advisory came just after officials from the CISA disclosed a “small number” of federal agencies were impacted by the campaign, which CISA attributes to the Clop ransomware gang.
“Although we are very concerned about this campaign and working on it urgently, this is not a campaign like SolarWinds that presents a systemic risk to our national security,” CISA Director Jen Easterly said on a press call.
“As far as we know, these actors are only stealing information that is specifically stored on the file-transfer application at the precise time that the intrusion occurred,” Easterly said.
At the time, Emsisoft Threat Analyst Brett Callow said there are 63 known and confirmed victims, plus an unspecified number of U.S. government agencies.
The U.S. State Department offered a $10 million bounty related to information on the Clop ransomware group, after records from at least two of the department’s entities were compromised.
Researchers at Reliaquest said they observed “the first possible instance of leaked data after one named organization apparently refused to engage in negotiations, according to the Clop site.”
Clop simultaneously leaked data and publicly named an organization, marking the second instance of a data leak related to the MOVEit exploits, according to Reliaquest.
The California Public Employees’ Retirement System, the largest pension system in the U.S., confirmed the personal data of about 769,000 members was exposed and downloaded in connection to the PBI breach.
The MOVEit attack campaign victim count rose to more than 100 organizations, Callow told Cybersecurity Dive via email.
Clop claimed to have leaked data stolen from 17 of its alleged victims to date, according to Reliaquest.
Progress reported nearly $1.5 million in cyber incident and vulnerability response expenses during its fiscal second quarter, which ended May 31, and said it expects to incur additional expenses in future quarters.
“We’ve been taking this issue very seriously,” Yogesh Gupta, president and CEO at Progress, said during the company’s earnings call, according to a Seeking Alpha transcript.
“While working through an issue of this nature, it’s important not to speculate broadly or prematurely but rather focus on the task at hand, doing what we can to protect our customers against the ongoing threat of cybercriminals,” Gupta said.
The widely exploited vulnerability in MOVEit has impacted nearly 200 organizations to date, according to Callow.
Progress released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.
Progress disclosed three new vulnerabilities in an advisory that details the security fixes it released in the service pack the day prior.
One of the vulnerabilities, CVE-2023-36934, is assigned a severity rating of 9.1. The other two vulnerabilities, a series of SQL injection vulnerabilities assigned to CVE-2023-36932, and CVE-2023-36933, are still undergoing analysis.
This brings the total number of CVEs assigned to MOVEit since initial disclosure to six.
CISA issued an alert, advising MOVEit customers to apply the product updates. “A cyber threat actor could exploit some of these vulnerabilities to obtain sensitive information,” the federal agency said.
Progress claims only one of the six vulnerabilities, the initially discovered zero day, have been exploited.
“To our knowledge at this time, none of the vulnerabilities discovered after the May 31 vulnerabilities have been actively exploited,” a spokesperson told Cybersecurity Dive via email.
“We remain focused on supporting our customers by helping them take the steps needed to further harden their environments, including applying the fixes we have released,” the spokesperson said.
The enterprise software vendor addressed the risk organizations confront across their technology stacks. “The reality today is that sophisticated cybercriminal groups are executing highly complex campaigns at an increasing rate,” the spokesperson said.
“While no one is immune," the spokesperson said, "our goal since learning about the initial vulnerability has been to work to address the security and safety of our customers, including releasing patches in a timely manner, expanding our support services to address customer questions, establishing a steady cadence of update communications and working with third-party security experts to further improve the security of our products and share information that may benefit our customers and the industry as a whole."
More than 300 victim organizations have been identified since Progress was first alerted to malicious activity on a customer’s MOVEit environment. Major organizations are joining the long list of victims every day.
Bert Kondrus, founder and managing director of KonBriefing Research, has been maintaining a list of victims and identified at least 317 organizations impacted by the exploited MOVEit vulnerability to date.
Callow said he’s identified at least 314 victim organizations and noted the PII more than 18 million individuals has been exposed.
“The potential for identity fraud isn’t the only risk, or necessarily even the most serious,” Callow said. “Phishing and business email compromise could be even bigger threats.”
Experts expect the number of organizations and individuals impacted, which includes victims that reported breaches and others named on Clop’s site, will continue to rise.