FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
Frequently asked questions relating to vulnerabilities in MOVEit Transfer, including one that was exploited by the prolific CL0P ransomware gang.
Background
The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding the MOVEit Transfer vulnerabilities and the CL0P ransomware gang.
FAQ
What is MOVEit Transfer?
MOVEit Transfer is a secure managed file transfer (MFT) software made by Progress Software that provides a centralized solution for a variety of organizations — including financial services, healthcare, information technology, government and the military — to securely share files.
When was the first vulnerability in MOVEit Transfer disclosed?
On May 31, Progress Software published its first advisory to address a “critical” SQL injection vulnerability in MOVEit Transfer.
How many vulnerabilities have been disclosed in MOVEit Transfer?
As of June 15, 2023, there were three Common Vulnerabilities and Exposures (CVEs) assigned for multiple flaws in MOVEit Transfer. Two of the three were zero-day vulnerabilities, though only one was exploited in the wild.
Are there patches available for all of the MOVEit Transfer vulnerabilities?
As of June 16, 2023, patches are available for the three CVEs found in MOVEit Transfer:
| CVE | Fixed Versions | Release Date |
|---|---|---|
| CVE-2023-34362 CVE-2023-35036 |
MOVEit Transfer 2023.0.2 (15.0.2) MOVEit Transfer 2022.1.6 (14.1.6) MOVEit Transfer 2022.0.5 (14.0.5) MOVEit Transfer 2021.1.5 (13.1.5) MOVEit Transfer 2021.0.7 (13.0.7) |
June 9, 2023 |
| CVE-2023-35708 | MOVEit Transfer 2023.03 (15.0.3) MOVEit Transfer 2022.1.7 (14.1.7) MOVEit Transfer 2022.0.6 (14.0.6) MOVEit Transfer 2021.1.6 (13.1.6) MOVEit Transfer 2021.0.8 (13.0.8) |
June 16, 2023 |
Customers are advised to update to the latest versions of MOVEit Transfer.
Which CVE was exploited in the wild and who exploited it?
CVE-2023-34362, which was disclosed on May 31, was exploited in the wild by the CL0P ransomware gang. Reports suggest that the first evidence of confirmed exploitation was on May 27, 2023. However, there are reports that suggest CL0P may have kept this zero-day vulnerability in its pocket as far back as July 2021.
Who is CL0P?
CL0P is the name of a ransomware group associated with a threat actor known as TA505, CL0P was first observed in February 2019 as a variant of the CryptoMix ransomware family. It is currently one of the more prolific ransomware groups today that operates as ransomware-as-a-service (RaaS).
What is RaaS?
RaaS is a service model, just like software‐as‐a‐service. Instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks.
These RaaS groups rely on third parties, known as affiliates, to do the actual dirty work of gaining initial access into an organization before deploying the ransomware.
Is this the first time CL0P has targeted a file transfer solution?
No, CL0P has targeted at least two other file transfer solutions dating back to December 2020.
| Application/Solution | Date Targeted | CVEs |
|---|---|---|
| Accellion File Transfer Appliance (FTA) | December 2020 | CVE-2021-27101 CVE-2021-27102 CVE-2021-27103 CVE-2021-27104 |
| Fortra GoAnywhere Managed File Transfer (MFT) | January 2023 | CVE-2023-0669 |
| Progress MOVEit Secure MFT | May 2023 | CVE-2023-34362 |
Why does CL0P target file transfer software?
Uncovering zero-day vulnerabilities in file transfer solutions like Progress MOVEit MFT, GoAnywhere MFT and Accellion FTA enables CL0P to steal data from potentially hundreds of organizations en masse. This emphasis on data theft allows CL0P to focus its effort on extorting businesses to pay the ransom demands by threatening to publish the stolen data on its data leak site.
What is a data leak site?
A data leak site is a website controlled and operated by ransomware gangs that is typically hosted on the dark web and used to name and shame victim organizations with a threat to publish stolen data obtained through cyberattacks. CL0P operates a data leak site known as “CL0P^_-LEAKS” that has been in operation since early 2020.
Image Source: Tenable, June 2023
For more information on ransomware, including RaaS and data leak sites, please check out our Ransomware Ecosystem report.
How many organizations that use file transfer software have been compromised in these attacks?
Based on open source intelligence, CL0P managed to compromise over 50 organizations in the Accellion breach between 2020 and 2021, allegedly over 130 organizations in the GoAnywhere breach and reportedly in the “hundreds” with the MOVEit breach, according to a message from the gang on its CL0P^_-LEAKS data leak site.
Image Source: Tenable, June 2023
Is there any other information on CL0P and its attack on MOVEit Transfer customers?
Yes, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a #StopRansomware joint cybersecurity advisory (CSA) on June 7 (identified as AA23-158A) about CL0P and its exploitation of CVE-2023-34362 in MOVEit Transfer. It includes information on the group, the first vulnerability (CVE-2023-34362) as well as detection methods and indicators of compromise associated with the attack.
What are ways I/my organization can identify these vulnerabilities in MOVEit Transfer?
As of June 15, 2023, Tenable has released the following detection plugins and version check plugins for MOVEit Transfer. A version check plugin for CVE-2023-35708 will be released soon.
| Plugin ID | Title | Severity | CVEs | Family |
|---|---|---|---|---|
| 90190 | “Progress MOVEit Transfer Installed (Windows)” | INFO | – | Windows |
| 176735 | “Progress MOVEit Transfer Web Interface Detection” | INFO | – | Service detection |
| 176736 | “Progress MOVEit Transfer FTP Detection” | INFO | – | FTP |
| 176567 | “Progress MOVEit Transfer < 2020.0 / 2020.1 / 2021.0 < 2021.0.6 / 2021.1.0 < 2021.1.4 / 2022.0.0 < 2022.0.4 / 2022.1.0 < 2022.1.5 / 2023.0.0 < 2023.0.1 Critical Vulnerability (May 2023)” | CRITICAL | CVE-2023-34362 | Windows |
| 177082 | “Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023)” | CRITICAL | CVE-2023-35036 | Windows |
| 177371 | “Progress MOVEit Transfer < 2020.1.10 / 2021.0.x < 2021.0.8 / 2021.1.x < 2021.1.6 / 2022.0.x < 2022.0.6 / 2022.1.x < 2022.1.7 / 2023.0.x < 2023.0.3 Privilege Escalation” | CRITICAL | CVE-2023-35708 | Windows |
The following is a list of MITRE ATT&CK Techniques associated with the CL0P ransomware gang that has been mapped to Tenable attack path analysis techniques:
Is Tenable impacted by the MOVEit Transfer vulnerability used by CL0P?
No, Tenable does not utilize the MOVEit Transfer software.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
