Blog Post
June 8, 2023
An attack exploiting CVE-2023-34362, a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer product, was disclosed at the start of June, and additional victims are still being uncovered. The flaw is an SQL injection in the MOVEit Transfer web application that can allow an unauthenticated attacker to gain access to the application's database.
The attack was carried out by at least one threat actor who used the flaw to gain unauthorized access to MOVEit Transfer instances and steal sensitive data from the affected organizations. Microsoft attributes the attack to Lace Tempest, the group behind the Clop ransomware operation. So far, the list of known victims includes the BBC, British Airways, Boots, the University of Rochester, and the provincial government of Nova Scotia in Canada.
On its website, Clop claimed responsibility for both the exploit and the attacks, and stated that it is the only group to have carried them out.
Clop has given victims until June 14th to make contact and negotiate an extortion payment; after that date, it says, the victim's name and data will be posted on the Clop website.
As additional victims continue to be revealed, it is worth noting that Clop has attacked over 100 known victims this year, most of them in healthcare and computer services (8% each), followed by financial services (7%).
The vulnerability has been patched by Progress Software as of June 2nd; however, evidence suggests attackers began exploiting it on May 27th, so organizations compromised before they patched are not protected retroactively. The patch closes the injection point, but it does not remove anything an attacker already planted on the server or recover data that was already exfiltrated, so those organizations need to investigate and remediate, not just update.
If you run MOVEit Transfer, check your systems for signs of compromise and apply the patch as soon as possible. Progress Software's security bulletin, available at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023, includes recommended remediation steps and possible indicators of compromise.
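One practical way to act on the "check for signs of compromise" advice is a baseline comparison: list the .aspx pages actually present under the MOVEit Transfer web root and the .aspx paths requested in the IIS logs since the earliest known exploitation date, and flag anything that is not on a known-good list. The script below is an added example written for this post; it is not code from the original post or from Progress Software, and the baseline file names, the log layout and the sample listing and log lines in it are all constructed for illustration (the real indicators to look for are the ones in the vendor bulletin).

```python
"""Baseline check for a MOVEit Transfer web root and its IIS logs.

Added example for this post; it is not code from the original post or from
Progress Software. The baseline, file names and log lines are constructed for
illustration; the authoritative indicators come from the vendor bulletin.
"""
import re
from datetime import date
from typing import Iterable

# Assumed baseline of legitimate .aspx pages under the web root (illustrative;
# in practice take the listing from a known-clean install of the same version).
BASELINE_ASPX = frozenset({"/human.aspx", "/machine.aspx", "/guestaccess.aspx"})

# Earliest exploitation date reported at the time of the post (May 27th).
HUNT_START = date(2023, 5, 27)

# Assumed W3C log layout: date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def unexpected_aspx_files(web_root_listing: Iterable[str]) -> list[str]:
    """Return .aspx paths present in the listing but absent from the baseline."""
    return sorted(
        p for p in web_root_listing
        if p.lower().endswith(".aspx") and p.lower() not in BASELINE_ASPX
    )


def suspicious_requests(log_lines: Iterable[str]) -> dict:
    """Scan IIS log lines for .aspx requests outside the baseline on or after HUNT_START.

    Returns {"hits": [...], "unparsed": n}. Unparsed lines are counted rather than
    silently dropped, because a truncated or tampered log is itself worth noticing.
    """
    hits, unparsed = [], 0
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):  # W3C header / comment lines
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        when = date.fromisoformat(m["date"])
        uri = m["uri"].split("?", 1)[0].lower()  # drop the query string before matching
        if when >= HUNT_START and uri.endswith(".aspx") and uri not in BASELINE_ASPX:
            hits.append({"date": m["date"], "ip": m["ip"], "method": m["method"],
                         "uri": uri, "status": int(m["status"])})
    return {"hits": hits, "unparsed": unparsed}


# Constructed sample data (not a real listing and not real logs).
SAMPLE_LISTING = ["/human.aspx", "/machine.aspx", "/app_temp.aspx", "/images/logo.png"]
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-20 10:01:02 198.51.100.7 GET /human.aspx 200
2023-05-28 03:12:44 203.0.113.10 POST /app_temp.aspx 200
2023-05-28 03:12:45 203.0.113.10 GET /App_Temp.aspx?x=1 200
2023-06-01 08:00:00 198.51.100.7 GET /machine.aspx 200
this line is truncated
""".splitlines()

if __name__ == "__main__":
    print("unexpected files:", unexpected_aspx_files(SAMPLE_LISTING))
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
```

Run the web-root check against a listing captured before you patch as well as after, since a web shell dropped before the fix survives the update; and treat any non-zero unparsed count as a prompt to look at the raw log, not as noise.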
According to Shodan's data, slightly more than 2,500 MOVEit Transfer instances are currently exposed to the internet and therefore potentially affected by CVE-2023-34362 (exposure alone does not show whether a given instance is patched). Most are in the US (73% of exposed devices), followed by the United Kingdom (5%) and Germany (4.5%).
GreyNoise scanning data shows that scanning for exposed MOVEit servers became noticeable on June 1st, peaked on June 4th, and dropped sharply on June 5th and 6th. That decline is better explained by the shrinking pool of reachable unpatched servers, or by the mass exploitation having already run its course, than by the exploit becoming less profitable; it does not mean that exposed servers are now safe.