FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang

Frequently asked questions relating to vulnerabilities in MOVEit Transfer, including one that was exploited by the prolific CL0P ransomware gang.

Contexte

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding the MOVEit Transfer vulnerabilities and the CL0P ransomware gang.

FAQ

What is MOVEit Transfer?

MOVEit Transfer is a secure managed file transfer (MFT) software made by Progress Software that provides a centralized solution for a variety of organizations — including financial services, healthcare, information technology, government and the military — to securely share files.

When was the first vulnerability in MOVEit Transfer disclosed?

On May 31, Progress Software published its first advisory to address a “critical” SQL injection vulnerability in MOVEit Transfer.

How many vulnerabilities have been disclosed in MOVEit Transfer?

As of June 15, 2023, there were three Common Vulnerabilities and Exposures (CVEs) assigned for multiple flaws in MOVEit Transfer. Two of the three were zero-day vulnerabilities, though only one was exploited in the wild.

Are there patches available for all of the MOVEit Transfer vulnerabilities?

As of June 16, 2023, patches are available for the three CVEs found in MOVEit Transfer:

Customers are advised to update to the latest versions of MOVEit Transfer.

Which CVE was exploited in the wild and who exploited it?

CVE-2023-34362, which was disclosed on May 31, was exploited in the wild by the CL0P ransomware gang. Reports suggest that the first evidence of confirmed exploitation was on May 27, 2023. However, there are reports that suggest CL0P may have kept this zero-day vulnerability in its pocket as far back as July 2021.

Who is CL0P?

CL0P is the name of a ransomware group associated with a threat actor known as TA505, CL0P was first observed in February 2019 as a variant of the CryptoMix ransomware family. It is currently one of the more prolific ransomware groups today that operates as ransomware-as-a-service (RaaS).

What is RaaS?

RaaS is a service model, just like software‐as‐a‐service. Instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks.

These RaaS groups rely on third parties, known as affiliates, to do the actual dirty work of gaining initial access into an organization before deploying the ransomware.

Is this the first time CL0P has targeted a file transfer solution?

No, CL0P has targeted at least two other file transfer solutions dating back to December 2020.

Why does CL0P target file transfer software?

Uncovering zero-day vulnerabilities in file transfer solutions like Progress MOVEit MFT, GoAnywhere MFT and Accellion FTA enables CL0P to steal data from potentially hundreds of organizations en masse. This emphasis on data theft allows CL0P to focus its effort on extorting businesses to pay the ransom demands by threatening to publish the stolen data on its data leak site.

What is a data leak site?

A data leak site is a website controlled and operated by ransomware gangs that is typically hosted on the dark web and used to name and shame victim organizations with a threat to publish stolen data obtained through cyberattacks. CL0P operates a data leak site known as “CL0P^_-LEAKS” that has been in operation since early 2020.

Image Source: Tenable, June 2023

For more information on ransomware, including RaaS and data leak sites, please check out our Ransomware Ecosystem report.

How many organizations that use file transfer software have been compromised in these attacks?

Based on open source intelligence, CL0P managed to compromise over 50 organizations in the Accellion breach between 2020 and 2021, allegedly over 130 organizations in the GoAnywhere breach and reportedly in the “hundreds” with the MOVEit breach, according to a message from the gang on its CL0P^_-LEAKS data leak site.

Image Source: Tenable, June 2023

Is there any other information on CL0P and its attack on MOVEit Transfer customers?

Yes, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a #StopRansomware joint cybersecurity advisory (CSA) on June 7 (identified as AA23-158A) about CL0P and its exploitation of CVE-2023-34362 in MOVEit Transfer. It includes information on the group, the first vulnerability (CVE-2023-34362) as well as detection methods and indicators of compromise associated with the attack.

What are ways I/my organization can identify these vulnerabilities in MOVEit Transfer?

As of June 15, 2023, Tenable has released the following detection plugins and version check plugins for MOVEit Transfer. A version check plugin for CVE-2023-35708 will be released soon.

The following is a list of MITRE ATT&CK Techniques associated with the CL0P ransomware gang that has been mapped to Tenable attack path analysis techniques:

In addition to our plugins, customers can also leverage our Tenable Research Advisory widget in Tenable Vulnerability Management (formerly Tenable.io) to identify assets that contain missing patches or that have applied patches:

For example, the image below includes a list of assets with missing patches using the Tenable Research Advisory widget:

In addition to identifying the MOVEit Transfer vulnerabilities outlined in this blog post, Tenable Research has put together dashboards in both Tenable Vulnerability Management and Tenable Security Center (formerly Tenable.sc) that includes known vulnerabilities across multiple file transfer solutions that have been targeted by the CL0P ransomware gang over the last three years.

Tenable Vulnerability Management Dashboard:

Tenable Security Center Dashboard:

We have also published the following blog posts with more information on both of the dashboards:

• Tenable Vulnerability Management Dashboard
• Tenable Security Center Dashboard

Is Tenable impacted by the MOVEit Transfer vulnerability used by CL0P?

No, Tenable does not utilize the MOVEit Transfer software.

Où trouver plus d'informations

• CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
• Progress Software Security Center: MOVEit Transfer and MOVEit Cloud Vulnerability
• Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-34362)
• Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-35036)
• Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-35708)

Rejoignez l'équipe SRT de Tenable sur Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.