MOVEit Vulnerability: Active Exploitation by CL0P Ransomware

The MOVEit vulnerability stands out as a zero-day threat currently being exploited by the CL0P Ransomware Group and others. While numerous zero-day vulnerabilities lurk in the shadows of our digital environments, this one has stepped into the spotlight for causing significant breaches in large and critical enterprises including software firms high up in the supply chain. The escalating exploitation of this vulnerability underscores its significance, compelling organizations to take swift, robust action in response.

What Is the MOVEit Vulnerability?

This vulnerability, categorized as CVE-2023-34362 by MITRE, is a recent discovery in the MOVEit software. MOVEit is designed to facilitate secure file and data transfers. Unfortunately, it harbors a SQL injection vulnerability that is highly exploitable and undermines the very security it was intended to provide.

The risk from this vulnerability is significant, with a criticality rating of 9.8 according to MITRE. Attackers who exploit it can execute arbitrary code, escalate privileges, and deploy ransomware. In some instances, a file named ‘human2.aspx’ was observed to have been placed on compromised servers to establish persistence.
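The file name above is the one concrete artifact the advisory gives defenders to look for. The following is an added example, not code from Lumu or from the MOVEit vendor: it parses IIS W3C-format access log lines (the field list in the constructed sample is an assumption about how the server is configured) and flags requests for a file named human2.aspx, and it walks a web root directory for a file of that name. A look-alike path (human.aspx) is included in the constructed sample so that the check must match the exact file name rather than a substring.

```python
"""Added example (not from the original post): look for the 'human2.aspx' artifact
in IIS access logs and on disk. All sample data below is constructed."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed IIS W3C log excerpt for demonstration only; field layout is an assumption.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-01 10:15:02 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-06-01 10:15:30 10.0.0.5 POST /api/v1/folders - 443 jdoe 198.51.100.20 Mozilla/5.0 200
2023-06-01 10:16:11 10.0.0.5 GET /human.aspx - 443 - 198.51.100.21 Mozilla/5.0 200
2023-06-01 10:17:45 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# File name taken from the post; matching is exact (case-insensitive), not a substring.
SUSPICIOUS_FILENAME = "human2.aspx"


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: str


def parse_iis_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C-format IIS lines, using the '#Fields:' header to name the columns."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip malformed rows instead of guessing column alignment
        rows.append(dict(zip(fields, values)))
    return rows


def find_webshell_requests(lines: Iterable[str], filename: str = SUSPICIOUS_FILENAME) -> List[Hit]:
    """Return every request whose URI stem ends in exactly the suspicious file name."""
    hits: List[Hit] = []
    for row in parse_iis_log(lines):
        stem = row.get("cs-uri-stem", "")
        if os.path.basename(stem).lower() == filename.lower():
            hits.append(Hit(
                timestamp=f"{row.get('date', '')} {row.get('time', '')}",
                client_ip=row.get("c-ip", ""),
                method=row.get("cs-method", ""),
                uri=stem,
                status=row.get("sc-status", ""),
            ))
    return hits


def find_webshell_files(web_root: str, filename: str = SUSPICIOUS_FILENAME) -> List[str]:
    """Walk a web root and return paths of files whose name matches exactly."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() == filename.lower():
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def demo_filesystem_check() -> List[str]:
    """Build a constructed web root in a temp dir and run the on-disk check over it."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    os.makedirs(os.path.join(root, "api"))
    for rel in ("default.aspx", "api/index.aspx", "human2.aspx"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<!-- constructed placeholder -->")
    return [os.path.relpath(p, root) for p in find_webshell_files(root)]


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_IIS_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.client_ip} {hit.method} {hit.uri} -> {hit.status}")
    print("on disk:", demo_filesystem_check())
```

On a real host, point `find_webshell_files` at the MOVEit Transfer web root and feed `find_webshell_requests` the actual IIS log files; any hit is worth treating as a confirmed-compromise indicator rather than a false positive, because the file has no legitimate reason to exist.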

On June 7th, 2023, CISA alongside the FBI released a joint advisory announcing that the Cl0p Ransomware Group was actively exploiting this vulnerability.

Furthermore, a second (CVE-2023-35036) and a third (CVE-2023-35708) MOVEit vulnerability were later discovered. These vulnerabilities can also lead to privilege escalation, but at the time of writing, their severity is uncertain.

Who Is Affected by the MOVEit Vulnerability?

According to the CL0P Ransomware Group, this is an ‘exceptional’ exploit that has reportedly been used to compromise hundreds of companies, including banks, universities, and multinationals. The exploit has also been linked to recent attacks on various federal agencies, including energy sector entities.

In the subsequent wave of attacks, the following U.S. entities have been compromised by CL0P Ransomware, according to CL0P’s own leaks website: Colorado Department of Health Care Policy & Financing, University of Rochester, Minnesota Department of Education, Oregon Department of Transportation (ODOT), U.S. Department of Agriculture, United States Office of Personnel Management (OPM), American Board of Internal Medicine (ABIM), University of Georgia, Johns Hopkins University, and others.

Any system running the MOVEit software that hasn’t been patched against the vulnerability is at risk. In particular, if your infrastructure uses MOVEit for ‘Secure Managed File Transfer,’ it’s essential to take action. According to a report from the IoT search engine Shodan, at least 2,500 networks are potentially exposed to the MOVEit vulnerability, the majority of which are located in the USA.

Source: Shodan Report

Recommended Actions Following MOVEit Exploitation

In response to the vulnerability, the vendor has released remediation steps and security recommendations, which are available on its community forum. For a more comprehensive approach to security, also consider these measures:

  1. Assess and Identify Necessary Services: By identifying services and applications that are essential for daily operations, it becomes possible to reduce the attack surface. Implement secure remote access protocols such as VPN or SDP, limit user access, and enhance authentication methods like multi-factor authentication.
  2. Implement Continuous Vulnerability Remediation: Regularly scan for vulnerabilities, patch them promptly, and ensure your systems are up-to-date.
  3. Deploy Multi-factor Authentication: Enhance your system’s security by requiring multi-factor authentication for all logins. This not only verifies user identities but also protects against unauthorized access.
  4. Monitor the Network Intentionally and Continuously: The truth will always be in the network. Regardless of any protection strategy in place, all organizations must develop the ability to detect threats in the network and make sense of them, as this gives them the ability to respond quickly and minimize the impact of attacks.

Beyond these steps, Lumu’s support can offer a last security layer, helping to assess your security posture and provide tools to correct it in time, as shown in our recent Davivienda case study.

Finally, always remember: a single vulnerability shouldn’t undermine your entire security strategy. Maintain a comprehensive cybersecurity approach that covers all bases, from robust identity access management to proactive vulnerability management. This will ensure resilience against the MOVEit vulnerability and many other zero-day vulnerabilities.
