
MOVEit


Website Link: https://www.ipswitch.com/moveit

About MOVEit

MOVEit is a file transfer platform made by Progress Software Corporation. Progress MOVEit is a Managed File Transfer (MFT) product used by thousands of organizations, governments, financial institutions and other public and private sector bodies around the world to provide visibility and control over file transfer activities.

MOVEit Market place

According to 6sense, which tracks technology adoption from publicly available information, over 636 companies around the world were using MOVEit as a file sharing tool in 2023.

US Federal Government

Solutions that MOVEit provides

  • Banking & Finance Solutions
  • Healthcare Solution
  • Government Solutions
  • Insurance Solutions
  • Education Solutions
  • Retail Solutions
  • Manufacturing Solutions
  • Transportation Solutions, etc.
MOVEit customers by Industry
MOVEit customers by Employee size
MOVEit customers by geo

The Breach

Progress disclosed a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

The critical-rated vulnerability allowed attackers, specifically the notorious Clop ransomware and extortion gang, to raid MOVEit Transfer servers and steal the customers’ sensitive data stored within.


This growing list of compromises includes banks, hospitals, hotels, energy giants, etc., and is part of an attempt to pressure victims into paying a ransom demand to stop their data from spilling online.

The tally of organizations and individuals known to have been impacted by this incident is shown below.

The MOVEit breaches to have impacted the most individuals are:

“The most heavily impacted sectors are finance and professional services and education, which account for 13.8 percent and 51.1 percent of incidents respectively.” –EMSISOFT BLOG

According to IBM, data breaches cost an average of $165 USD per record. Based on the numbers of individuals confirmed to have been impacted, that puts the cost of the MOVEit incident at $10,239,011,145.

Vulnerability

SQL Injection

  • CVE-2023-34362 – May 31st
  • CVE-2023-35036 – June 9th
  • CVE-2023-35708 – June 15th

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability was found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may have been able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
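The first thing a defender needs from the advisory text above is a quick answer to "is our build patched?". The following is an added example (not Progress code) that encodes the fixed releases listed above, accepts either numbering scheme (2022.1.x or the older 14.1.x form, which the advisory gives side by side), and classifies a version; the host inventory at the bottom is constructed sample data. Branches the advisory does not list are reported as unknown rather than guessed at.

```python
"""Classify MOVEit Transfer version strings against the CVE-2023-34362
fixed builds quoted in the advisory text. Added example, not Progress code."""
import re
from typing import Dict, Tuple

# First fixed build per release branch, exactly as listed in the advisory.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2021, 0): (2021, 0, 6),   # 13.0.6
    (2021, 1): (2021, 1, 4),   # 13.1.4
    (2022, 0): (2022, 0, 4),   # 14.0.4
    (2022, 1): (2022, 1, 5),   # 14.1.5
    (2023, 0): (2023, 0, 1),   # 15.0.1
}
# The advisory pairs 2021.x with 13.x, 2022.x with 14.x and 2023.x with 15.x,
# i.e. legacy major + 2008 == year-style major.
LEGACY_MAJOR_OFFSET = 2008

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) in year-style form; a trailing 4th
    component (build number) is accepted and ignored."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major < 100:  # legacy scheme such as 14.1.3
        major += LEGACY_MAJOR_OFFSET
    return major, minor, patch


def assess(text: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' for branches the advisory
    does not cover (no fixed build is listed, so nothing is inferred)."""
    major, minor, patch = parse_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


# Constructed inventory (hypothetical hostnames, not real systems).
INVENTORY = {"mft-01": "2022.1.3", "mft-02": "15.0.1", "mft-03": "2020.1.6"}


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```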

Story of Cl0p

When a ransomware gang attacks a corporate target, they first steal data from the network and then encrypt files. This stolen data is used as leverage in double-extortion attacks, warning victims that the data will be leaked if a ransom is not paid. Ransomware data leak sites are usually located on the Tor network as it makes it harder for the website to be taken down or for law enforcement to seize their infrastructure.

The Russia-linked Clop ransomware group, which claimed responsibility for the hacks, has been publicly listing alleged victims since June 14 and Clop’s attacks and threats to publish the stolen data if it doesn’t receive payments have continued.

Cl0p confirmed that it had been responsible for the attack on the MOVEit platform with the below June 6th post on the group’s site on the dark web.

In a post, Cl0p said that on August 15th, it would leak the “secrets and data” of all MOVEit victims that refused to negotiate

Clear Web tactics

A clearweb website is hosted directly on the Internet rather than on anonymous networks like Tor, which require special software to access.

The Clop ransomware gang is copying an ALPHV ransomware gang extortion tactic by creating Internet-accessible websites dedicated to specific victims, making it easier to leak stolen data and further pressuring victims into paying a ransom.

Hosting on Tor, however, comes with its own issues for the ransomware operators: a specialized Tor browser is required to access the sites, search engines do not index the leaked data, and download speeds are typically very slow. The clearweb method makes the data easier to access and will likely cause it to be indexed by search engines, further expanding the spread of the leaked information.

The first site created by the threat actors was for business consulting firm PWC, creating a website that leaked the company’s stolen data in four spanned ZIP archives.

A waste of time for Cl0p

These sites aim to scare employees, executives, and business partners who may have been impacted by the stolen data, hoping it causes them to exert further pressure on a company to pay the ransom.

However, while there may be some benefits to leaking data in this way, they also come with their own problems, as putting them on the Internet, rather than Tor, makes them far more easily taken down.

At this time, all of the known Clop clearweb extortion sites have been taken offline.

It is unclear if these sites are down due to law enforcement seizures, DDoS attacks by cybersecurity firms, or hosting providers and registrars shutting down the sites.

Due to the ease with which they can be shut down, it is doubtful that this extortion tactic is worth the effort.

Who are Cl0p?

Cl0p is a type of ransomware that has been used in cyberattacks since 2019. Data stolen in the attacks is published to a site on the dark web – a so-called “data leak site” or “DLS” – which the hackers refer to as “CL0P^_- LEAKS.” The ransomware and website have been linked to FIN11, a financially-motivated cybercrime operation which has been connected to both Russia and Ukraine and which is believed to be part of a larger umbrella operation known as TA505.

While the actors behind Cl0p have previously deployed file-encrypting ransomware, they have increasingly switched to a smash-and-grab, exfiltration-only strategy, relying on the threat of releasing stolen data as leverage to extort payment. This is likely so that Cl0p can quickly exfiltrate data from as many organizations as possible, before the vulnerability being exploited is patched.

This is not the first time the group has attacked a file transfer platform. MOVEit-like attacks were launched against Accellion File Transfer Appliances (FTA) in 2020/2021, SolarWinds Serv-U in 2021, and Fortra/Linoma GoAnywhere MFT servers in 2023.

Links to other articles:

https://www.ipswitch.com
https://www.ipswitch.com/industries
https://6sense.com/tech/file-sharing/moveit-market-share
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://nvd.nist.gov/vuln/detail/CVE-2023-34362
https://nvd.nist.gov/vuln/detail/CVE-2023-35036
https://nvd.nist.gov/vuln/detail/CVE-2023-35708
https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/
https://techcrunch.com/2023/08/11/moveit-mass-hacks-lessons/
https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/
