Threat Outlook for the MOVEit Vulnerabilities 

Over the previous two weeks, there have been three critical vulnerabilities disclosed impacting the MOVEit Transfer MFT solution developed by Ipswitch, a subsidiary of the Progress Software Corporation. Optiv’s Global Threat Intelligence Center (gTIC) has been tracking the updates and has provided our clients with up-to-date notifications and remediation guidance along the way. This blog post covers the latest information related to the vulnerabilities, targeting, and remediation and mitigation recommendations.


CVE-2023-34362

On May 31, 2023, Progress issued a security notice to users of MOVEit Transfer regarding a vulnerability that allows for privilege escalation and potential unauthorized access to the environment. According to the Center for Internet Security, MOVEit Transfer “allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.” CVE-2023-34362 is a SQL injection vulnerability that leads to remote code execution (RCE). Security researchers with Rapid7 reported 2,500 exposed MOVEit Transfer servers, primarily U.S.-based, with the same webshell present on all actively targeted devices. As BleepingComputer writes, “The web shell is named “human2.aspx” and has been located in the c:\MOVEit Transfer\wwwroot\ public HTML folder…[W]hen the webshell is accessed and the correct password supplied, the script will execute various commands based on the value of the 'X-siLock-Step1', 'X-siLock-Step2', and 'X-siLock-Step3' request headers.” With these commands, threat actors can retrieve a list of stored files and identify who uploaded them and their file paths. They can also add and remove a MOVEit Transfer user, find information about the configured Azure Blob Storage account, and download server files.


Security researchers with Mandiant reported that the vulnerability had been actively exploited by the Clop ransomware operators (aka TA505, DEV-0950, Lace Tempest), with the earliest exploitation observed on May 27, 2023. However, other reports indicate that the vulnerability had been exploited as early as March 3, 2023. Researchers have observed threat actors deploying a webshell, LEMURLOOT, to steal sensitive data from targeted victims. The LEMURLOOT webshell is written in C# and designed to interact with the MOVEit Transfer platform.


On June 8, 2023, security researchers with Kroll reported that the Clop ransomware group has Likely had access to the vulnerability and has been looking for ways to exploit it since 2021. This was determined from the researchers’ log analysis of some clients’ compromised networks during investigations of Clop ransomware group attacks. While the Clop ransomware group conducted a mass exploitation attack on May 27, 2023, it is Likely that the group had been actively targeting the vulnerability for the previous 24 months, collecting data and remaining undetected until the vulnerability was discovered.


CVE-2023-35036

On June 9, 2023, Progress issued an update to the security notice for the MOVEit Transfer vulnerability, CVE-2023-34362, stating that the company had partnered with third-party cybersecurity experts who identified additional vulnerabilities that threat actors could potentially exploit. Distinct from CVE-2023-34362, which was disclosed on May 31, 2023, Progress explains that attackers could leverage these new vulnerabilities to “submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.” This vulnerability reportedly affects all MOVEit Transfer versions and could also allow threat actors to access and steal sensitive information.


CVE-2023-35708

On June 15, 2023, Progress released another advisory warning of a new vulnerability affecting the MOVEit Transfer MFT software. Adversaries can leverage this vulnerability, CVE-2023-35708, to elevate privileges and potentially gain unauthorized access to the environment. The Progress advisory warned customers to restrict all HTTP access to their environments and implement the patch that became available today, June 16, 2023. Denying HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 prevents users from logging into their accounts via the web UI. File transfers will still be available since the SFTP and FTPS protocols will continue to work.


Clop Ransomware

On June 6, 2023, the Cl0p ransomware gang posted a message to their data leak site, CL0P^_- LEAKS, demanding that victims contact them before June 14, 2023, to negotiate extortion fees for deleting stolen data. Companies could then receive a small number of their stolen files as proof, after which they would have 3 days to discuss price. After 7 days, Cl0p would begin to publish a company’s data on the data leak site. Interestingly, the ransomware group includes a note at the bottom of their message stating that they have already deleted any city, government, and law enforcement data as they have “no interest” in publishing this type of data. Avoiding government and law enforcement agency targets is one method utilized by ransomware groups to avoid an increase in law enforcement attention.


On June 14, 2023, the Clop operators began naming companies on their data leak site CL0P^_- LEAKS. The group has not posted the purportedly stolen data and has begun listing the victims’ names, websites, phone numbers, and addresses. At the time of writing, the group has publicly named 39 victims. Of those 39, a few have been removed, indicating that these names were either mistakenly listed or the victims have initiated negotiations. It is Likely that the group will continue naming alleged victims on their data leak site over the next 30 days as they sort through the victim list and purportedly stolen data.


[Image: MoveIt Figure 1.png]

Figure 1: Cl0p ransomware group’s extortion message posted to CL0P^_- LEAKS


The Cl0p ransomware variant was first discovered in February 2019 as an updated version of the “CryptoMix” ransomware. Cl0p targets large enterprises across numerous global verticals. However, it is designed to terminate itself if the target is identified as an organization within Russia or another Commonwealth of Independent States (CIS) country.


The Clop ransomware group has historically taken advantage of file transfer software and services to exfiltrate data and hold it for ransom. Among the hundreds of victims listed on the CL0P^_- LEAKS data leak site are those targeted in the December 2020 zero-day exploitation of Accellion FTA servers and the January 2023 exploitation of the GoAnywhere MFT zero-day. In these attacks, the Clop ransomware operators did not encrypt data and focused on data exfiltration. The group has targeted organizations in all verticals, but over the previous six months, they have focused on industrials, financial services, healthcare, and technology organizations. Most of their victims have been located in North America (97), with a focus on the United States (82), followed by organizations based in Europe (30).


[Image: MoveIt Figure 2.png]

Figure 2: Victims by vertical listed on the Clop ransomware data leak site, January 01 – June 16, 2023


The graphic below illustrates the Optiv Threat Actor Metric for Cl0p ransomware. The Optiv Threat Actor Metric™ was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determine a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible of 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and support proactive and remediating recommendations by presenting a visualization of non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.


[Image: MoveIt Figure 3.png]

Figure 3: Threat Actor Metric score for Clop ransomware


Threat Outlook

Clop operators have earned a reputation for targeting this type of software by exploiting zero-day vulnerabilities and stealing sensitive data. It is Likely that additional threat actors will begin exploiting this vulnerability over the next 30 days. Additionally, it is Likely that other, lower-level threat actors will attempt to send scam emails purporting to have stolen data and demanding a ransom payment over the next 30 days.


Optiv’s Global Threat Intelligence Center (gTIC) assesses with High Confidence that the MOVEit Transfer vulnerability will continue to be exploited by threat actors attempting to steal sensitive information and credentials and to deploy malware over the next 30 days. Additionally, it is Likely that additional threat actors, including APT groups and cybercriminals, will begin targeting the vulnerability over the next 30 days.


Supply-chain attacks in which third-party software is compromised to infect multiple entities are Likely to increase over the next 12 months. Optiv’s gTIC assesses with High Confidence these will occur because of the increasing number of high-impact and high-visibility supply-chain attacks over the past three years.


An extreme case of a high-level vulnerability resulting in a significant compromise was the July 2021 Kaseya supply-chain attack. This attack stemmed from a SQLi vulnerability in Kaseya’s VSA software that was exploited by cybercriminals to deploy the REvil ransomware to hundreds of Kaseya’s customers via a fake software update.


Optiv’s gTIC assesses with High Confidence that adversary groups will rely on software and service providers’ websites for reconnaissance efforts to identify high-value targets that are listed on the providers’ webpage (see Figure 3). These webpages, like testimonials or “Who We Serve” sections, are used for marketing and lead generation but also provide valuable information to adversary groups during target selection.


Mitigations


  • Apply the appropriate patches to the MOVEit Transfer MFT software. The steps depend on whether you have already applied the remediation and patching steps recommended for the May 2023 CVE-2023-34362 vulnerability:

    • If you HAVE NOT applied the May 2023 patch: Follow all the remediation and patching steps in the article MOVEit Transfer Critical Vulnerability (May 2023), which contains the latest patches, including the fix for the June 9 (CVE-2023-35036) vulnerability and the original vulnerability from May 31 (CVE-2023-34362). Then proceed to the following:
    • If you HAVE applied the May 2023 patch and followed the remediation steps: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE-2023-35708) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036), and June 15 (CVE-2023-35708).
    • If you HAVE applied the May 2023 patch, followed the remediation steps, and applied the June 9 patch: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE-2023-35708) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036), and June 15 (CVE-2023-35708).


  • Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment until the patch can be applied. Specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
  • Review and remove unauthorized files and user accounts, and delete any instances of the human2.aspx and .cmdline script files. Look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory and for new files with a [.]cmdline extension created in the C:\Windows\TEMP\[random]\ directory.
  • Review logs for unexpected downloads of files from unknown IP addresses or for large numbers of files downloaded. Additionally, reset credentials for admin and service accounts on affected systems.
  • Be aware and on the lookout for extortion communications that are quarantined. Extortion emails may get blocked by email gateways or employees may ignore the email because it appears as spam. Consider the use of e-discovery searches and email quarantine reviews.
  • Admins who configured Azure API keys should rotate them as soon as possible in case an attacker was able to steal them.
  • Implement an incident response plan (IRP) that covers how data is backed up and restored, the process for notifying the appropriate team members and law enforcement, and methods to ensure business continuity.
  • Create a robust security awareness program that includes training on downloading software and how and when to report incidents and concerns to an incident response authority.
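The log review recommended above (downloads from unknown IPs, unusually many downloads from one IP, and any request to the human2.aspx webshell path named earlier in this post) can be scripted against IIS W3C logs. The following is an added example written for this post, not Optiv’s or Progress’s own tooling; the sample log lines are constructed, and the assumption that MOVEit download requests contain “/download” in the URI is a placeholder to adjust for your deployment.

```python
from collections import Counter

WEBSHELL_PATHS = {"/human2.aspx"}  # webshell path named in the post above
DOWNLOAD_MARKER = "/download"      # assumption: download endpoints contain this

# Constructed sample in IIS W3C extended log format; not real MOVEit logs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-06-01 02:14:03 GET /human2.aspx 203.0.113.7 200
2023-06-01 02:14:09 GET /api/v1/files/1001/download 203.0.113.7 200
2023-06-01 02:14:10 GET /api/v1/files/1002/download 203.0.113.7 200
2023-06-01 02:14:11 GET /api/v1/files/1003/download 203.0.113.7 200
2023-06-01 09:00:01 GET /api/v1/files/2001/download 192.0.2.10 200
2023-06-01 09:30:12 POST /api/v1/files 192.0.2.10 201
"""


def parse_w3c(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # skip malformed lines instead of crashing
        entries.append(dict(zip(fields, values)))
    return entries


def triage(entries, known_ips, download_threshold=50):
    """Return webshell hits, downloads from unknown IPs, and high-volume IPs."""
    webshell_hits, downloads_by_ip = [], Counter()
    for e in entries:
        uri, ip = e.get("cs-uri-stem", "").lower(), e.get("c-ip", "")
        if uri in WEBSHELL_PATHS:
            webshell_hits.append((ip, uri))
        if e.get("cs-method") == "GET" and DOWNLOAD_MARKER in uri:
            downloads_by_ip[ip] += 1
    unknown = {ip: n for ip, n in downloads_by_ip.items() if ip not in known_ips}
    high_volume = sorted(ip for ip, n in downloads_by_ip.items() if n >= download_threshold)
    return {"webshell_hits": webshell_hits,
            "unknown_ip_downloads": unknown,
            "high_volume_ips": high_volume}


if __name__ == "__main__":
    # Allowlist and threshold are placeholders; tune them to your partner IPs and traffic.
    report = triage(parse_w3c(SAMPLE_LOG), known_ips={"192.0.2.10"}, download_threshold=3)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any webshell hit is an incident regardless of the other counters; the download checks are there to surface exfiltration that happened before the webshell was found.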



Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
