Kevin Beaumont
With #MoveIT Transfer, stuff I know so far:
- Huge US footprint, including US government. It's quite expensive, so mostly western enterprises.
- It's definitely a zero day, although vendor doesn't want to say it obvs.
- Every one online is still vulnerable. This includes some big banks etc.
- Webshells started being planted a few weeks ago, multiple incidents running at multiple orgs during that timeframe who detected activity.
Vendor appears pretty responsive and good so far.
One additional update on #MoveIT - I'm reliably told this incident also impacted their SaaS cloud offering of the same product. They may have to wordsmith around this.
More info about one of the #MoveIT webshells in this write up
YARA rule for that webshell https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara
Example file (0 AV detection still) https://www.virustotal.com/gui/file/387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a/summary
Just been on a quick call with industry peeps looking at what known attacker IPs were interacting with over the weekend - #MoveIT boxes in the US and SaaS.
It vuln itself allows RCE, not just webshells, so I think Mandiant and DART are gonna get some IR hours.
While I’m here - make sure MoveIT Transport is in a real DMZ. Your shit would still have been stolen but it stops them moving internally.
Can’t wait to read all the security vendor blogs saying they fully protect against this threat next week 🤣
It looks like a significant amount of data exfiltration may have happened re #MoveIT. Another problem - it can use cloud bucket storage for data, and storage access keys got taken and need rotating: data access still possible in those situations.
There are conflicting signals re exploitation - while it’s clear a smash and grab happened at weekend, there’s signs exploit was used prior to weekend.
#MoveIT vendor has confirmed cloud SaaS offering was impacted. It’s refreshing to see a product owner really take ownership of a situation. (Obviously, I expect some ongoing wordsmithing for journalists longer term re cloud).
This is good technical blog. https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
#MoveIT Transport zero day issue has a CVE now under review - CVE-2023-34362.
HT @CyberLeech #CVE202334362
Transparency tweet for defenders: This weekend, I am doing internet scans of #MoveIT Transfer servers for vulnerable versions and planted webshells.
Mandiant write up on #MoveIT https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
Microsoft are attributing the #moveIT zero day attacks to cl0p ransomware group.
I’ve been tracking this - there are a double digit number of orgs who had data stolen, that includes multiple US Government and banking orgs.
This is the third time Cl0p ransomware group have used a zero day in webapps for extortion in three years, btw. In all three cases they were products with security in the branding.
In terms of emerging threats, expect more of this while the west appears unable to accept the threat of ransomware groups.
#moveIT issue is unfolding fast.
British Airways and Boots (retailer) in UK have disclosed they had data breaches via moveIT. https://news.sky.com/story/bas-uk-staff-exposed-to-global-data-theft-spree-12896900
The BBC have also been breached via the #moveIT issue, staff data was taken. Payroll provider Zellis had their data stolen.
BBC report on their own breach, also implicate AerLingus (airline). https://www.bbc.co.uk/news/technology-65814104 #MOVEit
Just to be crystal clear on this one - orgs running #MoveIT Transfer should assume compromise, not just patch.
Cl0p did a smash and grab over the last holiday weekend across over a hundred large/prominent orgs.
Check for webshells. It’s not just human2, look for new files in the web root folder.
Cl0p drip feed victims on their portal over months, not days - this is the third time they’ve pulled a zero day heist like this.
Really good reporting on the #moveIT situation by @dangoodin - gives a run down of where we're at. https://arstechnica.com/information-technology/2023/06/mass-exploitation-of-critical-moveit-flaw-is-ransacking-orgs-big-and-small/
I don’t wanna say ransomware and extortion groups are outta control buttt #moveit https://www.bbc.co.uk/news/technology-65829726
DHS joint advisory on Cl0p (note I wouldn’t get too hung up on many of the IOCs as they’re unrelated to this #moveIT incident) http://go.dhs.gov/4ut
Somebody asked me an interesting question earlier regarding #moveIT - why aren't US orgs disclosing breaches?
Really simple - they don't have to due to lack of data protection law, or they're trying to cover it up via payment to cl0p.
A majority of the victims, from scanning, are in the US - Europe is actually a small minority.
There’s another vulnerability in #moveIT. No patch yet. Allows remote code execution. I’d recommend closing the web interface until there’s a patch. Update: patch out. https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
Patch for new (old) #moveIT vulnerability out now. No CVE allocated yet. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023
Illinois Department of Innovation & Technology (DoIT) believe information was stolen using #moveIT https://ltgov.illinois.gov/news/press-release.26572.html
Minnesota Department of Education say information stolen using #moveIT https://content.govdelivery.com/accounts/MNMDE/bulletins/35f2559
Another #moveIT, this time in Canada HT @brett https://www.cbc.ca/news/canada/nova-scotia/ns-government-cyberattack-data-personal-information-criminal-1.6871682
EY - auditor Ernst & Young - have started informing clients of data breach with #moveIT. I understand payroll and tax data impacted. #threatintel
(Tooting this again as I accidentally deleted it, UI sucks).
EY and OFCOM (UK gov regulator) have disclosed to the BBC they have been hit by cl0p via #moveIT https://www.bbc.co.uk/news/technology-65877210
Shell oil, Transport for London have confirmed they were impacted by #moveIT zero day. Cl0p have started posting victim names. https://therecord.media/shell-impacted-in-clop-ransomware-attack
Shell Oil were hit with a ransomware group breach via a zero day in Accellion MFT product in 2021, so they moved to MoveIT: https://www.zdnet.com/article/oil-giant-shell-discloses-data-breach-linked-to-accellion-fta-vulnerability/
In 2023 they’ve been hit with a zero day by a ransomware group in their MoveIT MFT: https://therecord.media/shell-impacted-in-clop-ransomware-attack
Ransomware groups are out of control.
CNN and Washington Post confirming something in this Mastodon thread from two weeks ago - multiple US gov orgs hit via #MoveIT. https://www.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html
There is another new vulnerability in #moveIT. No patch. Shut them down again. HT @brett https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
Several of the orgs in the Ransomware Task Force are impacted by the cl0p incident, as is one of the Joint Ransomware Task Force. (This toot is sponsored by those trying to shut down discussion about it). #moveIT
Yesterday's new #moveIT vulnerability has been allocated CVE-2023-35708. Patch is out now. #CVE202335708
PWC are one of the cl0p #moveIT victims. I count over 65 so far. https://www.afr.com/technology/embattled-consulting-firm-pwc-swept-up-in-global-cyber-breach-20230619-p5dhlz
EMSI tracking 514 #moveIT victim orgs, at 36m people impacted with PII. https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/
Brian Clark@GossiTheDog wow. That’s a lotta impact. Surprised the TA can even handle that many negotiations