MOVEit Vulnerabilities – The Post-Factum View

All this story started with a 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem. Researchers say that attacks with the exploitation of this vulnerability began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers. This allowed them to list files stored on the server, download them, and steal account credentials and secrets. The latter included the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. To simplify, all the attacks with that vulnerability was in fact a sophisticated SQL injection. The sophistication here is thanks to the unusual way of accessing the database – actually, through the 0-day breach.

As a result, Microsoft analysts linked the massive attacks to the Cl0p ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). And soon the hackers began to make demands, extorting ransoms from the affected companies. At the moment, according to Emsisoft experts, the number of companies-victims exceeds 230: at least 20 schools in the US and dozens of universities around the world were affected. In total, the leaks affected information about 17-20 million people.

MOVEit MFT Vulnerabilities Receive a Fix

MOVEit programs will receive service packs from Progress Software, including MOVEit Transfer and MOVEit Automation. The first one alreadyt got a patch that fixes for a critical SQL injection. It also contains fixes for two other, less serious vulnerabilities.

The critical issue has been identified as CVE-2023-36934 by the Trend Micro Zero Day Initiative. The developers report that it can be used without authentication, allowing an attacker to gain unauthorized access to the MOVEit Transfer database.

There are currently no reports of active exploitation of this breach by hackers. The second vulnerability is also a SQL injection and received the identifier CVE-2023-36932. Hackers actively use this one once they managed to bypass the authentication. Both SQL injections affect multiple versions of MOVEit Transfer, including 12.1.10 and later, 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later.

The third issue addressed by patches this month was the CVE-2023-36933 vulnerability. This breach allows attackers to spontaneously terminate a program. Bug persists in MOVEit Transfer versions 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later. Company recommends its clients to install updates for their versions, corresponding to the table below.

The post MOVEit Transfer Fixes a New Critical Vulnerability appeared first on Gridinsoft Blog.

Let me remind you that it all started with a 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

As a result, Microsoft analysts linked the massive attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Soon the hackers began to make demands and extort ransoms from the affected companies.

To date, hundreds of companies have been known to have been compromised during the attacks. Over the past weeks, the break-in has been confirmed by many victims. Among them: Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse. Due to the Zellis hack, the data of the Irish airline Aer Lingus, British Airways, the BBC, and the British pharmacy chain Boots were compromised.

Also leaked data affected the University of Rochester, the government of Nova Scotia, the authorities of the US states of Missouri and Illinois, BORN Ontario, Ofcam, Extreme Networks and the American Therapeutic Society.

This week the list of victims continued to expand. So, representatives of the University of California at Los Angeles (UCLA) reported about the attack and data leakage. Representatives of the educational institution said that they had already notified the FBI about the incident and involved third-party security experts in the case to investigate the attack and understand what data was affected.

Also attacks on a bug in MOVEit Transfer affected Siemens Energy, a Munich-based energy company that employs 91,000 people worldwide. While no data leak has yet taken place at this time, Clop has already listed Siemens Energy as one of the victims on its dark web site, and company representatives have confirmed to the media that they were hacked in recent Clop attacks.

Siemens Energy emphasizes that no important data was stolen and the company’s business operations were not affected.

Together with Siemens Energy, another industrial giant was added to the Clop website – the French Schneider Electric, which is engaged in power engineering and manufactures equipment for the energy sub-complexes of industrial enterprises, civil and residential construction facilities, data centers, and so on.

Schneider Electric said that after the news of the vulnerability in MOVEit Transfer, the company “quickly deployed available tools to protect data and infrastructure.” Currently, the company’s security specialists are investigating the consequences of the incident and Clop’s claims of data theft.

In addition to the listed technology giants, to the list of victims of hackers has recently been added:

1. the New York City Department of Education, which admitted that Clop stole documents containing confidential information from 45,000 students;
2. Oregon and Louisiana state authorities, from whom hackers stole data on millions of driver’s licenses.

The post The Number of Companies Affected by Attacks on Vulnerabilities in MOVEit Transfer Increased appeared first on Gridinsoft Blog.

Background

A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023. The bug was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment.

Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. Microsoft analysts have linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). This group is known for the fact that Clop ransomware operators leaked data from two universities.

MOVEit Developers React to Vulnerabilities

It soon became known that a total of hundreds of companies were compromised during the attacks, and the hack was confirmed by the Irish airline Aer Lingus, British Airways, the BBC and the British pharmacy chain Boots. Now MOVEit Transfer developers have warned customers about new critical vulnerabilities in their file transfer management product. New bugs were found during a security audit, which, after massive attacks, was carried out by experts from the Huntress company.

According to the manufacturer, the new vulnerabilities are SQL injections and affect all versions of MOVEit Transfer, allowing unauthenticated attackers to hack Internet-accessible servers, changing or stealing user information.

The developers note that all MOVEit Cloud clusters have already received fresh fixes that have protected them from potential attack attempts.

It is also worth noting that a PoC exploit for the original zero-day vulnerability (CVE-2023-34362) appeared recently, which began massive attacks on MOVEit Transfer clients. The exploit, as well as a detailed technical analysis of the vulnerability and a list of indicators of compromise that network defenders can use to detect the exploitation of a bug on vulnerable servers, were published by researchers from Horizon3. Information security experts warn that after the release of this exploit, more attackers are likely to use it in attacks or create their own versions to attack unpatched servers still available on the Internet.

The post New critical vulnerabilities found in MOVEit Transfer appeared first on Gridinsoft Blog.

What is MOVEit 0-day breach?

A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution became known in late May. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

The bug itself was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

The week before, Microsoft analysts linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Among other things, this group is known for the fact that Clop ransomware operators leaked data from two universities.

Old vulnerability

As experts from the information security company Kroll now report, it seems that hackers have been looking for ways to exploit the mentioned zero-day vulnerability long before the start of mass attacks, and more precisely since 2021.

They also discovered that attackers were testing different ways to collect and steal sensitive data from compromised MOVEit Transfer servers back in April 2022.

Automated malicious activity increased markedly on May 15, 2023, right before the start of massive attacks on the 0-day vulnerability.

Victim data collection

Since similar activity was performed manually in 2021, experts believe that the attackers knew about the bug for a long time, but were preparing the necessary tools to automate mass attacks.

Victims of the attack

Hackers told reporters this past weekend that the vulnerability allowed them to break into MOVEit Transfer servers owned by “hundreds of companies.” Although after that the media urged not to take the word of the hackers, unfortunately, some victims have already confirmed the fact of compromise.

Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse, was one of the first to confirm the breach and leak of customer data.

Some major Zellis customers have already made official statements about the hack. Among them: government agencies in Nova Scotia (including the Health Authority, which uses MOVEit to exchange confidential and classified information), the University of Rochester, British Airways and the BBC, which reported the theft of employees’ personal information and that there were other Zellis customers among the victims – Irish airline Aer Lingus and the British pharmacy chain Boots.

Currently, Clop has not yet begun to publish information stolen from companies. On their dark web site, the attackers gave the victims until June 12, stating that if the companies do not contact them and start negotiations on the payment of a ransom by that time, data leaks will follow.

The post Clop Attacks on MOVEit Transfer Affected British Airways, BBC and More appeared first on Gridinsoft Blog.