MOVEit Hack Becoming a Gateway for Multi-State Break-in and Victimizing Over 19 Million Individuals

A critical zero-day vulnerability, tracked as CVE-2023-34362, in the Progress Software’s MOVEit file transfer app has led to unauthorized access and escalated privileges. It has led to massive data theft from hundreds of organizations using the software, including many US federal agencies. Despite Progress releasing the patch within 48 hours of spotting the vulnerability, attackers have managed to make an impact. So, let’s dive deep into the MOVEit hack and see its current developments.

MOVEit Hack – A Quick Overview

MOVEit is a popular corporate file transfer tool developed by Progress Software. Thousands of organizations use it to transfer files between businesses and customers securely.

Since MOVEit often deals with sharing sensitive data, any unpatched vulnerability can raise a serious security concern. This is exactly what happened with the recent zero-day vulnerability in the MOVEit Transfer web application.

According to Progress, the SQL injection vulnerability (CVE-2023-34362) allows attackers to get escalated privileges and unauthorized access. Attackers are able to infer information about the contents and structure of the database, along with the ability to execute SQL statements that delete or alter database elements.

How Has the Vulnerability Been Exploited?

The U.S. government advisory said the exploitation of MOVEit vulnerability began on May 27, 2023. The Clop Ransomware gang is the main group behind the active exploitation of the vulnerability. In fact, they claimed responsibility for the attack shortly after the disclosure of the vulnerability.

As per the joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Federal Bureau of Investigation (FBI), the Clop gang exploited the vulnerability to install Lemurloot, a web shell, on compromised systems. This web shell was used to extract data from databases.

Lemurloot was designed with the main purpose of targeting the MOVEit Transfer platform. It uses a hard-coded password to validate incoming HTTPs requests, downloads files from the MOVEit Transfer database by running commands, retrieves records, extracts Azure system settings, and inserts/creates/deletes a particular user. Moreover, it returns the extracted data in a compiled format.

The Impact of MOVEit Hack

Looking at the extensive use of MOVEit Transfer software across global organizations and government institutions, the victim scale seems to be massive. However, no one is providing the exact victim count.

Clop has started naming victims of MOVEit who have likely failed to pay the ransom. Therefore, researchers are tracking the victims posted by Clop and victim organizations’ data breach notifications. According to threat analyst Brett Callow, the current MOVEit attack statistics stand at 365 victim organizations and over 19.5 million impacted individuals. So, imagine where the number will go when all the victim organizations are identified.

Clop is naming the victim organizations slowly to give the other compromised organizations an opportunity to contact the gang and pay the ransom. Clop promises to delete the stolen data and will not name the victim organization if the ransom is paid. So, it is again unclear how many organizations have contacted Clop and paid ransom to avoid reputational damage.

Clop has victimized both business organizations and government institutes. Many U.S. federal and state agencies, such as the Department of Energy, Maryland Department of Human Services, U.S. Department of Agriculture, Colorado Department of Health Care Policy and Financing, U.S. Office of Personnel Management, and others, had been compromised. However, Clop claims that it has deleted the data stolen from government agencies or contractors to avoid becoming a national security target. The gang announced that its motive is financial gains, not politics.

Moreover, the MOVEit attack by Clop also targeted dozens of educational institutions in the United States. Recently, Colorado State University announced the data theft of employees and students. In addition, the Tennessee Consolidated Retirement System (TCRS) announced the attack and said that the data of 171,836 retirees and/or their beneficiaries had been compromised. Similarly, other PBI customers are also compromised by the attack, such as Genworth Financial and California Public Employees’ Retirement System, which handles the largest U.S. public pension fund.

The attack surface is not just confined to US organizations and agencies. Organizations across the world are compromised by this vulnerability. The British payroll provider Zelle also reported getting breached by Clop. This led to the compromise of data of its eight customers, including BBC, British Airways, and Boots pharmacy chain. Furthermore, The Nova Scotia Government also uses MOVEit for file sharing across departments. It has also issued the statement that the personal information of some citizens has been compromised.

In short, the scale and devastation of the MOVEit attack is massive, compromising hundreds of organizations and millions of individuals globally.

When Was the Vulnerability Patched?

Progress Software patched the original vulnerability on May 31, but the company carried out further investigation by partnering with third-party cybersecurity experts to carry out deeper code reviews. This investigation led to the discovery of more vulnerabilities, which were patched by June 9.

On June 15, the companies took down the HTTPs traffic for MOVEit Cloud and also asked its MOVEit Transfer users to take down their HTTPs and HTTP traffic due to the reporting of a new SQLi vulnerability. On the same day, Progress tested and deployed a patch for MOVEit Cloud and also shared the patch and deployment steps for MOVEit Transfer users. Moreover, Progress also claims that it has seen no evidence that attackers exploit the June 15 vulnerability.

Overall, Progress Software has been actively investigating its system and collaborating with others to remove any traces of potential vulnerabilities that Clop or other groups can exploit.

Wrapping Up

The zero-day vulnerability of MOVEit and the resulting consequences reflect how small loopholes can lead to devastating impacts. Moreover, the ongoing Ukraine war and the active involvement of Russian hacking groups exploiting Ukraine’s allies are triggering the alarm for more such attacks. Therefore, it is important for organizations to have a comprehensive and continuous check on vulnerabilities and potential cyber threats to mitigate the chances of breaches.

MOVEit Hack Becoming a Gateway for Multi-State Break-in and Victimizing Over 19 Million Individuals was last updated August 8th, 2023 by Hamza Razzaq