Update: Cl0p claims responsibility for MOVEit file transfer vulnerability and subsequent data breaches.
By Jason Cole, CyberWire staff writer
Jun 6, 2023

Cl0p has now claimed responsibility for widespread exploitation of CVE-2023-34362 against company networks.

Update: Cl0p claims responsibility for MOVEit file transfer vulnerability and subsequent data breaches.

Update, 8:15 PM ET, June 6th, 2023.

A MOVEit spokesperson reached out to the CyberWire this afternoon and offered the following statement on the company's response to the incident:

“Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

For more information on the company's response, see the Progress blog, which includes not only status updates, but remediation advice as well.

CISA and FBI issue alert on Cl0p exploitation of MOVEit.

Update, 1:45 PM ET, June 7th, 2023. CISA and the FBI today released, after consultation with Progress Software, makers of MOVEit, a #StopRansomware advisory: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability. The Agency and the Bureau outline four steps an organization can "take today" to mitigate the risk of exploitation:

  1. "Take an inventory of assets and data, identifying authorized and unauthorized devices and software."
  2. "Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications."
  3. "Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers."
  4. "Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments."

The advisory offers detailed advice on detecting malicious exploitation of the vulnerability, and it highlights the nature of the extortion Cl0p is conducting: it's fundamentally a threat to dox the victim. On this particular kind of extortion, Javvad Malik, Lead Security Awareness Advocate at KnowBe4, wrote: "This attack is a grim reminder of the sheer value of data in the hands of malicious actors. Cybercriminals know organizations cannot afford to lose critical data, causing undue pressure to pay large ransoms. This once again highlights the crushing effect of data breaches on modern organizations; a fact that hackers are acutely aware of. As such, organizations must implement robust security measures that include multi-layered cybersecurity defenses, employee cybersecurity awareness training, and a tested incident response plan. The key message remains clear, we must prioritize our data and adequately invest in its protection."

CVE-2023-34362 exploited in the wild.

Yesterday, Cl0p told BleepingComputer that it was responsible for the employment of the MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362). The vulnerability, which was added to CISA’s known exploited vulnerability catalog last Friday, was first employed on May 27th BleepingComputer reported. Mandiant had associated exploitation of this vulnerability with Cl0p, as the gang had been searching for partners that use SQL injection. That attribution now seems confirmed.

Also yesterday, Sky News said that Cl0p had claimed responsibility for exploiting the vulnerability against several British and Irish companies (including the BBC, British Airways, Boots, and Aer Lingus) to steal customer information as well as national insurance numbers. The companies at present don’t believe their financial information was stolen. 

The data breaches at British Airways and Aer Lingus at least seem to have started when Cl0p attacked UK payroll and HR solutions provider Zellis. “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate,” Zellis said in a statement to BleepingComputer. Haggai Polak, Chief Product Officer at Skybox Security writes “While the extent of the breach is unknown, threat actors were able to gain access to sensitive and personal information of the companies’ staff members. Organizations must maintain a holistic view of their entire attack surface, including third-party software, to ensure private data remains private.” 

In a gesture intended to put them in a better, Robin-Hoodesque light, Cl0p said that they had deleted all files related to the government, the military, and childrens hospitals. However, the group has said that they will post the data of any victim who does not meet their demands on their Russian-speaking dark web site.

Supply chain attacks are becoming the norm.

This is another third-party supply-chain attack centered around a file transfer software. Many compare to earlier incidents like the one that recently afflicted GoAnywhere. John Shier, Field Chief Technology Officer at Sophos, highlights the prevalence of this attack vector writing, “Like the previous Accellion FTA and GoAnywhere MFT vulnerabilities, the latest attacks against MOVEit Transfer are allegedly being exploited by the Cl0p ransomware gang to steal data from vulnerable organizations. This latest round of attacks is another reminder of the importance of supply chain security. While Cl0p has been linked to this active exploitation, it is probable that other threat groups are prepared to use this vulnerability as well.”

In what may be an underworld trend, Cl0p seems to have moved away from encryption ransomware attacks in favor of direct data theft and extortion. It’s apparently a cost-benefit calculation: encrypting a victim’s files takes a lot of time, and threat actors seem to be capitalizing on a company's requirements to protect the data of their customers over the profits lost due to not being able to access their own files. 

CISA adds Progress software’s MOVEit Transfer SQL Injection Vulnerability to KEVC.

CISA added Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362) to its Known Exploited Vulnerabilities Catalog on June 2nd. Mandiant reported that this vulnerability seems to have been used on May 27th by UNC4857 and describes it as “a newly created threat cluster with unknown motivations that has impacted organizations operating in a wide range of industries based in Canada, India, and the U.S.'' Mandiant's researchers add that the threat actors are deploying a newly discovered web shell called LEMURLOOT which is used for data theft. “LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software, including the ability to generate commands to enumerate files and folders, retrieve configuration information, and create or delete a user with a hard-coded name. Initial analysis suggests that the LEMURLOOT web shell is being used to steal data previously uploaded by the users of individual MOVEit Transfer systems,” researchers write.

(Added, 12:30 PM ET, June 6th, 2023. Gil Dabah, co-founder and CEO of Piiano, offered some comments on managing risk in SQL databases. “In recent news, a significant data breach has occurred in a prominent company, highlighting the persisting vulnerability of web servers to SQL injection attacks," Dabab wrote. "Despite technological advancements, traditional SQL databases still pose security risks, leaving critical infrastructure housing sensitive information for customers and employees exposed. To address this issue, experts emphasize the adoption of data privacy vaults as a vital solution for the future. Companies must reassess their data storage practices and make necessary changes to avoid falling victim to data breaches.”) 

(Added, 2:45 AM ET, June 7th, 2023. Roy Akerman, Co-Founder and CEO of Rezonate, suggests an approach to scanning for exploitation. “The MOVEit Transfer SQL injection vulnerability allows un-authenticated attacker to gain access to its Transfer’s database. From there it can recon data, structure, as well as running modification and deletion commands, Akerman wrote. “Security teams are advised to go back at least 90 days and investigate any potentially malicious attempts as initial scanning observed by GreyNoise started March 3rd. In addition, rotating relevant keys and credentials are important to make sure no further access, if compromised, is available.“)