Introduction
We would like to bring to your attention a serious security threat that has recently emerged and could have significant consequences for your organization's file transfer operations. A vulnerability in MOVEit Transfer, a widely used file transfer software, has been exploited by cybercriminals to gain unauthorized access to sensitive information. In this blog post, we explain the impact of this threat in simple terms and highlight the importance of addressing it promptly to safeguard your data.
The Threat
MOVEit Transfer is a software solution that helps manage file transfers within organizations. Unfortunately, the group of cybercriminals known as the CL0P ransomware gang recently discovered and exploited a zero-day vulnerability in the software. A zero-day vulnerability is a security flaw that attackers discover and exploit before the software vendor becomes aware of it or has a chance to develop a patch or fix. This vulnerability, tracked as CVE-2023-34362, allowed the CL0P ransomware gang to install a malicious script called LEMURLOOT on MOVEit Transfer's web application.
Once LEMURLOOT is installed, it creates a hidden backdoor, providing unauthorized access to the attacker. This unauthorized access grants the attackers the ability to perform various actions that can compromise your organization's security, including retrieving sensitive information, deleting important files, and even creating new administrator accounts with elevated privileges.
The Consequences
Once the attackers have gained access to MOVEit Transfer, they can carry out several harmful activities. These actions include:
Retrieving Sensitive Information: The cybercriminals can access and extract sensitive information stored within Microsoft Azure system settings and the underlying SQL database. This puts your confidential data, such as customer information or business secrets, at risk of exposure.
Unauthorized File Access: The attackers can store specific strings of data provided by their operators and retrieve files from the MOVEit Transfer system that match those strings. This means they can access and potentially steal your important files without your knowledge.
Unauthorized Account Creation and Deletion: The attackers can create new administrator accounts with high privileges, disguising them as a harmless "Health Check Service." These accounts could be used to gain further control over your systems or perform malicious activities. Similarly, they can also delete accounts, potentially disrupting your operations or removing crucial access rights.
Immediate Actions
Given the severity of this vulnerability, it is crucial to take prompt action to protect your organization. The software vendor, Progress Software, has already identified the vulnerability and provided guidance on affected versions, software upgrades, and patches. It is essential to review this guidance and ensure that your MOVEit Transfer software is updated to a secure version promptly.
Affected Versions
The following versions of MOVEit Transfer have been identified as affected by this vulnerability:
MOVEit Transfer 2023.0.0
MOVEit Transfer 2022.1.x
MOVEit Transfer 2022.0.x
MOVEit Transfer 2021.1.x
MOVEit Transfer 2021.0.x
MOVEit Transfer 2020.1.x
MOVEit Transfer 2020.0.x
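Two checks a defender would want to script from this post, as an added example that is not part of the original post or of Progress Software's tooling: matching an installed version against the affected families listed above, and reviewing an account export for the "Health Check Service" administrator disguise described in The Consequences. The CSV layout and the user rows are constructed for illustration and are not MOVEit Transfer's real export schema; the `since` cutoff is a reviewer-chosen date, not one stated in the advisory.

```python
import csv
import io
import re

# Affected families exactly as listed above; "x" matches any patch level.
AFFECTED_FAMILIES = [
    "2023.0.0",
    "2022.1.x", "2022.0.x",
    "2021.1.x", "2021.0.x",
    "2020.1.x", "2020.0.x",
]


def parse_version(text):
    """Pull a major.minor.patch triple out of a banner such as 'MOVEit Transfer 2022.1.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_listed_affected(version_text):
    """True if the version falls in one of the listed affected families.
    A False result only means 'not on this list'; confirm the patched build
    against the vendor guidance rather than treating unlisted versions as safe."""
    major, minor, patch = parse_version(version_text)
    for family in AFFECTED_FAMILIES:
        f_major, f_minor, f_patch = family.split(".")
        if int(f_major) == major and int(f_minor) == minor:
            if f_patch == "x" or int(f_patch) == patch:
                return True
    return False


# Constructed sample account export (hypothetical columns, not the real schema).
SAMPLE_USERS = """username,permission,created
alice,User,2023-01-12
Health Check Service,Admin,2023-05-28
svc_backup,Admin,2022-11-03
"""


def suspicious_admin_accounts(csv_text, since):
    """Return Admin accounts named like the 'Health Check Service' disguise,
    plus any Admin account created on or after the ISO date `since`, for manual review."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["permission"] != "Admin":
            continue
        disguised = "health check" in row["username"].lower()
        recent = row["created"] >= since  # ISO dates compare correctly as strings
        if disguised or recent:
            flagged.append(row["username"])
    return flagged
```

Run `is_listed_affected` against the version string from each MOVEit Transfer host and `suspicious_admin_accounts` against an export of its user list; anything flagged goes to incident review, not straight to deletion, since the advisory also reports attackers removing accounts.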
Widespread Impact
The FBI and CISA (Cybersecurity and Infrastructure Security Agency) anticipate that this vulnerability will be widely exploited across both private and public networks. The CVE-2023-34362 vulnerability in MOVEit Transfer software has the potential to impact the software's supply chain, which refers to the network of organizations involved in the development, distribution, and maintenance of the software. The supply chain impact can be summarized as follows:
Compromised software integrity: If the MOVEit Transfer software is compromised due to this vulnerability, it can affect the integrity of the software itself. Attackers may be able to inject malicious code or backdoors into the software, compromising its functionality and security. This can result in the distribution of compromised or tampered software versions to other organizations in the supply chain.
Spread of the vulnerability: If an organization in the supply chain receives a compromised version of the software, they may unknowingly distribute it further to their customers or partners. This can lead to the widespread propagation of the vulnerability, affecting multiple organizations and potentially exposing them to exploitation by threat actors.
Reputation and trust: A supply chain compromise can damage the reputation and trust of the software vendor and other organizations involved. Customers and partners may lose confidence in the software's security and reliability, leading to potential financial and business impacts. It can also strain relationships within the supply chain as organizations may question the security measures and practices of their partners.
Increased attack surface: A compromised supply chain introduces an increased attack surface for threat actors. They can exploit the vulnerability in the software to gain access to multiple interconnected organizations, potentially leading to a chain of breaches and further supply chain compromises.
To mitigate the supply chain impact, it is crucial for software vendors and organizations involved in the supply chain to promptly address the vulnerability. This includes applying patches and updates provided by the software vendor, conducting security assessments of software components, and maintaining open communication and collaboration within the supply chain to ensure the security of software distribution.
CISA and the FBI have since issued an Advisory to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023. Both the FBI and CISA are encouraging organizations to implement the recommendations in the Mitigations section of the Advisory to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
Conclusion
In the face of threats like CVE-2023-34362 and the associated supply chain impact, it is crucial for organizations and researchers to join forces and collaborate as a united front. The dynamic and ever-evolving nature of cyber threats demands a collective effort to ensure the safety and security of our digital ecosystem. By working together, organizations can share valuable information, insights, and best practices that can help detect, mitigate, and prevent such threats.
Collaboration enables the rapid dissemination of threat intelligence, allowing organizations to stay one step ahead of malicious actors. It fosters a community where knowledge and expertise are shared, empowering all parties to strengthen their defenses and respond effectively to emerging threats. By breaking down silos and fostering collaboration, we can create a resilient and interconnected network that collectively defends against cyber threats, safeguarding not just individual organizations but the entire digital landscape.
Together, we can achieve a safer and more secure cyberspace.
Keep your organisation ahead of threats with Cytidel Threat Intelligence
To find out more about Cytidel’s threat intelligence offering, visit
https://www.cytidel.com/threat-intelligence
Stay safe and secure!
The Cytidel Threat Intelligence Team