13. 06. 2023 Beatrice Dall'Omo Red Team, SEC4U

What We Know about the MOVEit Transfer 0-day

0-day vulnerabilities are predicted to grow more and more, posing new threats for the cybersecurity. It’s hard to predict them and when their exploit occurs, since developers and vendors are unaware of the flaw until they are actually exploited. Hence, there is no ready patch available for a 0-day vulnerability.

MOVEit Transfer 0-day

On May 31, 2023 Progress Software published an advisory warning of an SQL injection vulnerability in the MOVEit Transfer web application that allowed remote and unauthenticated attackers to gain access to MOVEit Transfer’s database. 

MOVEit Transfer is a Managed File Transfer (MFT) solution that allows Enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.

In the published advisory, remediations and security best practices are reported along with a list of IOCs (Indicators of Compromise) identified so far, which is a great help for incident response activities. 

The MOVEit Transfer vulnerability became the second 0-day disclosed in an MFT solution in 2023 (the first was a 0-day affecting the GoAnywhere MFT in February 2023).

Luckily, once a new 0-day is discovered, security enthusiasts, teams and security companies invest time in researching IOCs and POCs (Proofs of Concept), reproducing the exploit and the steps of the hacking activities to gather as much data as possible about the threat actors and 0-day exploits. 

To date, the exploit for the MOVEit Transfer vulnerability has been made available to the community by sfewer-r7 and horizon3ai on GitHub as well as a detection rule to uncover the exploitation by looking for files created with unexpected extensions in the root folder (“C:\MOVEit Transfer\wwwroot\“) of the MOVEit Transfer service. 

Related to the MOVEit Transfer hacking campaign, Curated Intelligence maintains a repository for tracking events and new breakthroughs, representing a valuable source of information to learn about this vulnerability that was assigned as CVE-2023-34362 on June 2, 2023. On the same date, the Microsoft Threat Intelligence team attributed attacks exploiting the MOVEit Transfer vulnerability to the ransomware gang called CL0P (aka Lace Tempest, FIN11 and TA505).

One of the reasons for this attribution is the use of similar vulnerabilities in the past to steal data and extort victims (CL0P was responsible for data-theft attacks using a GoAnywhere MFT 0-day in January 2023 and a 0-day affecting Accellion FTA servers in 2020). The confirmation arrived when the CL0P ransomware gang claims responsibility for the MOVEit extortion attacks, having stolen data from hundreds of companies that will be published starting from June 14, 2023 if a ransom is not paid. 

According to Shodan, there are over 2,500 exposed MOVEit Transfer servers on the Internet, most located in the US.

Updated June 13, 2023. Numbers may vary over time.

CL0P claims to have begun the attacks on May 27, 2023 during the US Memorial Day holiday, a common tactic that has also been used in the past by the ransomware gang. On holidays, few people are at work, so the attack has a greater chance to be successful and to go unnoticed.

However, threat intelligence by several companies indicated that the MOVEit Transfer 0-day was exploited further back than initially thought (i.e., before May 27, 2023):

  • GreyNoise reported activities 90 days prior
  • Kroll reported activities from 2021

Conclusion

Progress Software has released a patch for the MOVEit Transfer vulnerability. Even though updating to a fixed version will help protect against future exploitation, it’s not enough to address potential threat actor access to systems that have already been compromised. Hence, regardless of whether any IOCs are found, customers should perform emergency incident response activities to remove any access or backdoors created in a previous exploitation.

0-day exploits have a significant impact on companies, employees and customers. We as the Cybersecurity team of Würth Phoenix always monitor and keep up-to-date with new vulnerabilities and cybersecurity topics, developing and integrating new detection rules in our SOC to keep our customers safe.

“One single vulnerability is all an attacker needs”
Window Snyder

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity position here at Würth Phoenix.

Beatrice Dall'Omo

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix

Author

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix

Latest posts by Beatrice Dall'Omo

16. 11. 2023 Red Team, SEC4U
Don’t Do Without EPSS: Vulnerability Prioritization
17. 03. 2023 Red Team, SEC4U
How to Set Up an Effective Phishing Campaign
02. 01. 2023 Red Team, SEC4U
Focus on the noPac Attack
See All

Related Content

Tags: , ,

28. 03. 2024 SOCnews

SOC News | Mar 28 – New Vulnerabilities Added to the KEV Catalog

On March 25, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog is updated regularly and contains those vulnerabilities most likely to be used in attacks. Organizations should monitor Read More
11. 03. 2024 SOCnews

SOC News | Mar 11 – JetBrains TeamCity Authentication Bypass Vulnerabilities

On March 4, 2024, JetBrains released TeamCity version 2023.11.4, which patches two authentication bypass vulnerabilities in the web component of TeamCity. These vulnerabilities were discovered in February by Rapid7’s vulnerability research team and allow a remote unauthenticated attacker to perform Read More
16. 11. 2023 Red Team, SEC4U

Don’t Do Without EPSS: Vulnerability Prioritization

Image from https://www.first.org/epss/ During a Vulnerability Remediation process, understanding which vulnerabilities pose a real and significant risk for an organization is not so obvious, and most of the time it involves several different aspects. It takes into consideration several factors Read More
02. 01. 2023 Red Team, SEC4U

Focus on the noPac Attack

In December 2021 Microsoft revealed two vulnerabilities concerning an Active Directory Domain Services privilege elevation, classified as CVE-2021-42278 and CVE-2021-42287. By combining the two exploits in the so-called noPac attack, a malicious actor could perform a privilege escalation by impersonating Read More
14. 06. 2022 Red Team, SEC4U

How People Reacted to Follina, the New 0-day

Zero-day vulnerabilities pose a serious threat in the field of cybersecurity. These flaws are usually discovered and exploited by criminals before security researchers even know of their existence. Because of this, we call them 0-day. It indicates the amount of Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive