MOVEit Transfer zero-day mass-exploited in data theft attacks

Ink

Thread author
Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software, tracked as CVE-2023-34362, to steal data from organizations.
BleepingComputer has learned that threat actors have been exploiting a zero-day in the MOVEit MFT software to perform mass downloading of data from organizations.

It is unclear when the exploitation occurred and which threat actors are behind the attacks, but BleepingComputer has been told that numerous organizations have been breached and data stolen.

 

MuzzMelbourne

CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.

The critical flaw (tracked as CVE-2023-34362) is an SQL injection vulnerability that enables unauthenticated, remote attackers to gain access to MOVEit Transfer's database and execute arbitrary code.
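The flaw class named above (an SQL injection that lets an unauthenticated caller reach the database) is shown here as an added example that is not MOVEit's code and not the actual CVE-2023-34362 exploit: a constructed SQLite user table, a login check that splices caller input into the query text (enough for a textbook `' --` comment payload to log in as any user without knowing the password), and the same check rewritten with a bound-parameter query. The table layout, the credentials and the payload are all assumptions made for illustration.

```python
import sqlite3


# Constructed toy schema for illustration only; not MOVEit's real tables.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", "admin"),
         ("alice", "s3cret", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Splices caller-supplied strings into the SQL text.

    A username of  admin' --  turns the WHERE clause into
    username = 'admin' -- ...  and everything after the comment marker,
    including the password check, is discarded by the SQL parser, so the
    caller is authenticated as admin.
    """
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()  # (username, role) or None


def login_safe(conn, username: str, password: str):
    """Same check with bound parameters: the input stays data, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> dict:
    conn = make_db()
    payload = "admin' --"  # generic textbook injection, constructed here
    return {
        "vulnerable": login_vulnerable(conn, payload, "not-the-password"),
        "safe": login_safe(conn, payload, "not-the-password"),
        "legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Parameterization keeps the attacker's text as a value, so the `--` never becomes part of the statement; a real application would also store a salted password hash rather than the plaintext used in this toy table.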
 

R3j3ct

Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.


"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site," the Microsoft Threat Intelligence team tweeted Sunday night.


"The threat actor has used similar vulnerabilities in the past to steal data & extort victims."


Last Thursday, BleepingComputer was the first to report that threat actors were exploiting a zero-day vulnerability in MOVEit Transfer servers to steal data from organizations.

 

vtqhtr413

Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest.

"Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to authenticate as any user."

Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site.
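Microsoft's observation that exploitation "is often followed by deployment of a web shell" points to a check a defender can run without knowing the shell's file name: compare the application's web root against a file-hash baseline taken at deploy or patch time and surface anything new, modified or deleted. The block below is an added example, not part of the original post and not MOVEit's own tooling; the directory layout and file names are constructed in a temporary folder and stand in for whatever the real web root contains.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by its POSIX path relative to root."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def find_unexpected(root: Path, manifest: dict) -> dict:
    """Diff the live tree against the stored baseline.

    Returns {relative_path: 'new' | 'modified' | 'deleted'}; an empty
    dict means the web root still matches the baseline.
    """
    findings = {}
    live = build_manifest(root)
    for rel, digest in live.items():
        if rel not in manifest:
            findings[rel] = "new"
        elif manifest[rel] != digest:
            findings[rel] = "modified"
    for rel in manifest:
        if rel not in live:
            findings[rel] = "deleted"
    return findings


def demo() -> dict:
    """Constructed scenario: take a baseline, then drop a shell and tamper a DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "index.aspx").write_text('<%@ Page Language="C#" %> legitimate page')
        (root / "bin" / "app.dll").write_bytes(b"MZ legitimate binary")
        manifest = build_manifest(root)  # in practice: taken at patch time, stored off-host

        # Simulated post-exploitation changes (assumed names, not real indicators)
        (root / "dropped.aspx").write_text('<%@ Page Language="C#" %> exfil handler')
        (root / "bin" / "app.dll").write_bytes(b"MZ tampered binary")

        return find_unexpected(root, manifest)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{reason:9} {path}")
```

Run `build_manifest` against the real web root immediately after patching and keep the result off the host; a web shell dropped later shows up as `new` and a backdoored binary as `modified`. Exclude log and upload directories that legitimately change before alerting on the diff, otherwise the noise buries the finding.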
 

Gandalf_The_Grey

New MOVEit Transfer critical flaws found after security audit, patch now
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution that can let attackers steal information from customers' databases.

These security bugs were discovered with the help of cybersecurity firm Huntress following detailed code reviews initiated by Progress on May 31, when it addressed a flaw exploited as a zero-day by the Clop ransomware gang in data theft attacks.

They affect all MOVEit Transfer versions and enable unauthenticated attackers to compromise Internet-exposed servers to alter or extract customer information.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.

"All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.

The company says that all MOVEit Cloud clusters have already been patched against these new vulnerabilities to secure them against potential attack attempts.
 

vtqhtr413

Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies.

The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment."

The company is urging its customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 to safeguard their environments while a patch is being prepared to address the weakness.

The revelation comes a week after Progress divulged another set of SQL injection vulnerabilities (CVE-2023-35036) that it said could be weaponized to access the application's database content.

The vulnerabilities join CVE-2023-34362, which was exploited as a zero-day by the Clop ransomware gang in data theft attacks. Kroll said it found evidence that the group, dubbed Lace Tempest by Microsoft, had been testing the exploit as far back as July 2021.
 

vtqhtr413

Earlier this week, ransomware operator Clop started listing the victims compromised in the MOVEit data breach on its data leak website. Among the first victims listed on the site are 1st Source and First National Bankers Bank, Putnam Investments, Landal Greenparks, Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, and University System of Georgia.

It was also reported that GreenShield Canada, a non-profit provider of healthcare and dental benefits, was listed and subsequently deleted from the data leak site. While it’s impossible to determine at this point, it could be that the non-profit agreed on a ransom demand and paid it in order to have its data removed from the site.

While these are the first companies the Clop ransomware gang itself posted on the leak site, these are not the first companies in general that are confirmed to have been hit by the incident. HR and payroll software supplier Zellis confirmed its systems were compromised early last week, and given that it provides its services to some of the biggest companies in the UK, the data breach trickled down. Hence, the BBC, British Airways, and Aer Lingus all confirmed having sensitive data stolen from their premises.

Furthermore, the Johns Hopkins University, as well as Ofcom, also confirmed being hit. The Government of Nova Scotia, and the Transport for London (TfL) were also affected, but it’s too early to tell if Clop will release their files or not. In its initial announcement, the threat actor said “If you are a government, city or police service… we erased all your data.”

The BBC also claims Ernst and Young were affected, too.
 

Gandalf_The_Grey

There is now a 10 million USD bounty on the cl0p ransomware operators.


US govt offers $10 million bounty for info on Clop ransomware
The U.S. State Department's Rewards for Justice program announced up to a $10 million bounty yesterday for information linking the Clop ransomware attacks to a foreign government.

"Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government? Send us a tip. You could be eligible for a reward," tweeted the Rewards for Justice Twitter account.

Rewards for Justice (RFJ) is a U.S. Department of State program that offers monetary rewards for information on threat actors and attacks impacting the national security of the USA.

Initially launched to gather information on terrorists targeting U.S. interests, the program has since expanded to include information on cyber criminals, such as the Conti ransomware operation, Russian Sandworm hackers, REvil ransomware, and the Evil Corp hacking group.
 

vtqhtr413

PBI Research Services (PBI) has suffered a data breach with three clients disclosing that the data for 4.75 million people was stolen in the recent MOVEit Transfer data-theft attacks. According to three different disclosures from PBI clients, millions of customers have had their sensitive data exposed in these attacks. However, this number may increase as other companies make further disclosures.

The first impacted entity is Genworth Financial, a Virginia-based life insurance services provider. In a MOVEit Security Event notice published on their website, Genworth says PBI informed them of the security breach on May 29th, 2023, and verified on June 16th that customers' personal data was stolen.

The second firm impacted by the PBI breach is Wilton Reassurance, a New York-based insurance provider, which reports that 1,482,490 of its customers had data stolen. As reported to the Office of the Maine Attorney General, the exposed information includes customers' names and social security numbers.

The third company impacted by PBI's data breach is CalPERS (California Public Employees' Retirement System), the largest public pension fund in the US, which is now informing retirees and beneficiaries about the event.
 

Lightning_Brian

One may now add Norton LifeLock to the growing list of cl0p victims, it seems.


Not good for Norton, nor for LifeLock, which is owned by Norton. If it is 100% true, that could spell major repercussions. If the news reports are correct, with folks confirming, then Norton has quite the situation on their hands.... to say the least! EEK! Not good! I always wonder if some of these situations are 'honey pots' to see what gets done with the information, but if it is legit, woooweeee, they got some serious explainin' to do!
 

Ink

Thread author
Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.
As part of Clop's extortion strategy, they first begin listing a company's name on their data leak site to apply pressure, followed by the eventual leaking of data.

While no data has been leaked at this time, a Siemens Energy spokesperson confirmed that they were breached in the recent Clop data-theft attacks utilizing a MOVEit Transfer zero-day vulnerability tracked as CVE-2023-34362.

However, Siemens Energy says that no critical data was stolen, and business operations were not impacted.
Source: Siemens Energy confirms data breach after MOVEit data-theft attack

Edit:
The dramatic fallout continues, with as many as 122 organizations now breached. — Ars Technica
 

vtqhtr413

Brett Callow, threat analyst at cybersecurity firm Emsisoft, has been monitoring the campaign, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer (MFT) product to gain access to data belonging to organizations that had been using the solution. We are aware of 138 organizations known to have been impacted by the campaign, with the data breaches resulting in the personal information of more than 15 million people being compromised. The list includes major organizations such as Shell (they have already leaked data allegedly stolen from the energy giant), Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant, and AbbVie. Law firms Kirkland & Ellis and K&L Gates have also been added to Cl0p’s leak website.
 

plat

Thanks, @BryanB--it's hitting home the scope of this breach. I was just informed my bank was impacted by the MoveIt breach. :mad: I'm getting a new Visa card as a "precaution" and they've supposedly not found any suspicious activity (yet). What a "relief."

Tried to change my login password and got a message saying they've been unable to "verify my information." OK, whatever. I did check the Have I Been Pwned site and my current password is still showing green, but that's not a guarantee.

Besides changing the online password and monitoring my bank stuff consistently, is there anything else anyone can recommend be done? Here is my security setup, but these peripheral hacks are getting more commonplace, and it wouldn't matter if I have Fort Knox for a setup, right?

Edit: I crafted several triggers for alerts via suspicious acct. activity. The bank isn't doing business today (figures) so I took what precautions I could, incl. trying to freeze my Visa acct. Wow. Anyone who's been a victim of this, it's not fun is it?
 

Gandalf_The_Grey

Deutsche Bank confirms provider breach exposed customer data
Deutsche Bank AG has confirmed to BleepingComputer that a data breach on one of its service providers has exposed its customers' data in a likely MOVEit Transfer data-theft attack.

"We have been notified of a security incident at one of our external service providers, which operates our account switching service in Germany," a spokesperson told BleepingComputer.

"In addition to our service provider, we understand that more than 100 companies in more than 40 countries are potentially affected," reads the statement, hinting that the incident is related to Clop ransomware's wave of MOVEit attacks.

"Deutsche Bank's systems were not affected by the incident at our service provider at any time," assured the banking giant.

The public German bank, which is one of the largest in the world, having total assets of $1.5 trillion and an annual net income of $6.3 billion, stated that the incident impacted customers in Germany who used its account switching service in 2016, 2017, 2018, and 2020.

The bank said that only a limited amount of personal data was exposed due to the security incident.

The number of impacted clients has not been determined, but Deutsche Bank said they have all been informed accordingly on the direct impact and what precautions they should take regarding their exposed data.

Meanwhile, the bank is investigating the causes of the data leak and taking targeted action to improve its data security precautions to avoid similar incidents from impacting its clients in the future.

Deutsche Bank said that cybercriminals cannot gain access to accounts using the exposed data, but they might try to initiate unauthorized direct debits.

In response to this risk, the bank has extended the period of unauthorized direct debit returns to 13 months, allowing its customers ample time to identify, report, and receive reimbursement for unauthorized transactions.
Other banks impacted

According to German media outlets, the security incident on the unnamed service provider used by Deutsche Bank also impacted other major banks and financial service providers, including Commerzbank, Postbank, Comdirect, and ING.

Handelsblatt received a statement from Commerzbank confirming that the breached service provider is 'Majorel,' who also independently confirmed that it had been the target of a cyberattack leveraging a flaw in the MOVEit software.

Commerzbank told the German news outlet that none of its customers were impacted, but its subsidiary, Comdirect, was indirectly affected.

Postbank was limited to confirming limited impact from the incident, not disclosing any client numbers.

ING announced that it was aware of a cyberattack on a service provider that impacted a "low four-digit number of customers" who used account-switching services.
 

vtqhtr413

Brett Callow, a threat analyst at cybersecurity firm Emsisoft who has been monitoring the campaign, said over the weekend that he is aware of 347 impacted organizations, including 58 educational institutions in the United States. This includes Colorado State University, which last week confirmed that student and employee data may have been stolen. Callow believes more than 18.6 million individuals had their data compromised as a result of the MOVEit hack. He warned that the cybercrime group that conducted the attack, known for its use of the Cl0p ransomware, is in possession of a massive quantity of data that could be useful for business email compromise (BEC) and phishing attacks.

The expert clarified for SecurityWeek that the number of impacted organizations includes both ones that were directly affected and ones that were indirectly hit. For instance, UK-based payroll and HR company Zellis was hit directly and major companies using Zellis services, such as the BBC and British Airways, were impacted indirectly. In the meantime, the Cl0p group continues naming more alleged victims of the MOVEit attack on its leak website. The list now includes industrial giant Honeywell, which issued a statement on the matter in mid-June, when it confirmed that some personally identifiable information had been accessed through the MOVEit app.
 

plat

cl0p earns an estimated 75+ million USD from the MOVEit hack. Yet more victims (30) are announced today.


Above needs an "X" acct. to view. :rolleyes:
My bank issue has been resolved with no further problems. Anyone else been victimized? It's huge!
 

vtqhtr413

New additions to the victims list bring the headcount to 514 organizations and more than 36 million individuals
The MOVEit breach has claimed yet another target: Maximus Inc., a US government contractor. Though the company's internal systems were unaffected, 8 to 11 million people's personal information may have been compromised. Maximus provides technology services for administering and managing government programs like student loan servicing, and Medicaid and Medicare. It operates in Australia, Canada, the UK, and the US employing more than 39,000 people with an annual revenue exceeding $4.25 billion, according to its website.

Beyond businesses, there are millions of individuals in the firing line. Maximus occupies a privileged place in the government supply chain, and manages millions of peoples' economic, health, and other sensitive records, making it a particularly attractive target for Dark Web personal data merchants, and particularly dangerous for the folks who may not even realize they're caught up in such a mess.

"Medical records are worth probably upwards of $1,000 [each] on the Dark Web," Osborn emphasizes, "because you can get Social Security numbers, addresses, phone numbers, dates of birth so you can buy houses, set up credit cards, file fake tax returns — it's all fair game if you've got protected medical healthcare information that has everything important about an individual."
 
