FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
Frequently asked questions relating to vulnerabilities in MOVEit Transfer, including one that was exploited by the prolific CL0P ransomware gang.
Update June 21: This blog post has been updated to reflect the availability of our Tenable Research Advisory widget to identify assets vulnerable to the MOVEit Transfer flaws and dashboards to identify vulnerabilities across multiple file transfer solutions targeted by the CL0P ransomware gang.
Background
The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding the MOVEit Transfer vulnerabilities and the CL0P ransomware gang.
FAQ
What is MOVEit Transfer?
MOVEit Transfer is a secure managed file transfer (MFT) software made by Progress Software that provides a centralized solution for a variety of organizations — including financial services, healthcare, information technology, government and the military — to securely share files.
When was the first vulnerability in MOVEit Transfer disclosed?
On May 31, Progress Software published its first advisory to address a “critical” SQL injection vulnerability in MOVEit Transfer.
How many vulnerabilities have been disclosed in MOVEit Transfer?
As of June 15, 2023, there were three Common Vulnerabilities and Exposures (CVEs) assigned for multiple flaws in MOVEit Transfer. Two of the three were zero-day vulnerabilities, though only one was exploited in the wild.
| CVE | Description | Disclosed Date | Zero Day? |
|---|---|---|---|
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | May 31, 2023 | Yes |
| CVE-2023-35036 | Progress MOVEit Transfer SQL Injection Vulnerabilities | June 9, 2023 | No |
| CVE-2023-35708 | Progress MOVEit Transfer Privilege Escalation Vulnerability | June 15, 2023 | Yes |
Are there patches available for all of the MOVEit Transfer vulnerabilities?
As of June 16, 2023, patches are available for the three CVEs found in MOVEit Transfer:
| CVE | Fixed Versions | Release Date |
|---|---|---|
| CVE-2023-34362 CVE-2023-35036 |
MOVEit Transfer 2023.0.2 (15.0.2) MOVEit Transfer 2022.1.6 (14.1.6) MOVEit Transfer 2022.0.5 (14.0.5) MOVEit Transfer 2021.1.5 (13.1.5) MOVEit Transfer 2021.0.7 (13.0.7) |
June 9, 2023 |
| CVE-2023-35708 | MOVEit Transfer 2023.03 (15.0.3) MOVEit Transfer 2022.1.7 (14.1.7) MOVEit Transfer 2022.0.6 (14.0.6) MOVEit Transfer 2021.1.6 (13.1.6) MOVEit Transfer 2021.0.8 (13.0.8) |
June 16, 2023 |
Customers are advised to update to the latest versions of MOVEit Transfer.
Which CVE was exploited in the wild and who exploited it?
CVE-2023-34362, which was disclosed on May 31, was exploited in the wild by the CL0P ransomware gang. Reports suggest that the first evidence of confirmed exploitation was on May 27, 2023. However, there are reports that suggest CL0P may have kept this zero-day vulnerability in its pocket as far back as July 2021.
Who is CL0P?
CL0P is the name of a ransomware group associated with a threat actor known as TA505, CL0P was first observed in February 2019 as a variant of the CryptoMix ransomware family. It is currently one of the more prolific ransomware groups today that operates as ransomware-as-a-service (RaaS).
What is RaaS?
RaaS is a service model, just like software‐as‐a‐service. Instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks.
These RaaS groups rely on third parties, known as affiliates, to do the actual dirty work of gaining initial access into an organization before deploying the ransomware.
Is this the first time CL0P has targeted a file transfer solution?
No, CL0P has targeted at least two other file transfer solutions dating back to December 2020.
| Application/Solution | Date Targeted | CVEs |
|---|---|---|
| Accellion File Transfer Appliance (FTA) | December 2020 | CVE-2021-27101 CVE-2021-27102 CVE-2021-27103 CVE-2021-27104 |
| Fortra GoAnywhere Managed File Transfer (MFT) | January 2023 | CVE-2023-0669 |
| Progress MOVEit Secure MFT | May 2023 | CVE-2023-34362 |
Why does CL0P target file transfer software?
Uncovering zero-day vulnerabilities in file transfer solutions like Progress MOVEit MFT, GoAnywhere MFT and Accellion FTA enables CL0P to steal data from potentially hundreds of organizations en masse. This emphasis on data theft allows CL0P to focus its effort on extorting businesses to pay the ransom demands by threatening to publish the stolen data on its data leak site.
What is a data leak site?
A data leak site is a website controlled and operated by ransomware gangs that is typically hosted on the dark web and used to name and shame victim organizations with a threat to publish stolen data obtained through cyberattacks. CL0P operates a data leak site known as “CL0P^_-LEAKS” that has been in operation since early 2020.
Image Source: Tenable, June 2023
For more information on ransomware, including RaaS and data leak sites, please check out our Ransomware Ecosystem report.
How many organizations that use file transfer software have been compromised in these attacks?
Based on open source intelligence, CL0P managed to compromise over 50 organizations in the Accellion breach between 2020 and 2021, allegedly over 130 organizations in the GoAnywhere breach and reportedly in the “hundreds” with the MOVEit breach, according to a message from the gang on its CL0P^_-LEAKS data leak site.
Image Source: Tenable, June 2023
Is there any other information on CL0P and its attack on MOVEit Transfer customers?
Yes, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a #StopRansomware joint cybersecurity advisory (CSA) on June 7 (identified as AA23-158A) about CL0P and its exploitation of CVE-2023-34362 in MOVEit Transfer. It includes information on the group, the first vulnerability (CVE-2023-34362) as well as detection methods and indicators of compromise associated with the attack.
What are ways I/my organization can identify these vulnerabilities in MOVEit Transfer?
As of June 15, 2023, Tenable has released the following detection plugins and version check plugins for MOVEit Transfer. A version check plugin for CVE-2023-35708 will be released soon.
| Plugin ID | Title | Severity | CVEs | Family |
|---|---|---|---|---|
| 90190 | "Progress MOVEit Transfer Installed (Windows)" | INFO | - | Windows |
| 176735 | "Progress MOVEit Transfer Web Interface Detection" | INFO | - | Service detection |
| 176736 | "Progress MOVEit Transfer FTP Detection" | INFO | - | FTP |
| 176567 | "Progress MOVEit Transfer < 2020.0 / 2020.1 / 2021.0 < 2021.0.6 / 2021.1.0 < 2021.1.4 / 2022.0.0 < 2022.0.4 / 2022.1.0 < 2022.1.5 / 2023.0.0 < 2023.0.1 Critical Vulnerability (May 2023)" | CRITICAL | CVE-2023-34362 | Windows |
| 177082 | "Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023)" | CRITICAL | CVE-2023-35036 | Windows |
| 177371 | "Progress MOVEit Transfer < 2020.1.10 / 2021.0.x < 2021.0.8 / 2021.1.x < 2021.1.6 / 2022.0.x < 2022.0.6 / 2022.1.x < 2022.1.7 / 2023.0.x < 2023.0.3 Privilege Escalation" | CRITICAL | CVE-2023-35708 | Windows |
The following is a list of MITRE ATT&CK Techniques associated with the CL0P ransomware gang that has been mapped to Tenable attack path analysis techniques:
| Technique ID | Description | Attack path technique |
|---|---|---|
| T1021.002 | Remote Services: SMB/Windows Admin Shares | T1021.002_Windows |
| T1059.001 | Command and Scripting Interpreter: PowerShell (Windows) | T1059.001_Windows |
| T1068 | Exploitation for Privilege Escalation (Windows) | T1068_Windows |
In addition to our plugins, customers can also leverage our Tenable Research Advisory widget in Tenable Vulnerability Management (formerly Tenable.io) to identify assets that contain missing patches or that have applied patches:
For example, the image below includes a list of assets with missing patches using the Tenable Research Advisory widget:
In addition to identifying the MOVEit Transfer vulnerabilities outlined in this blog post, Tenable Research has put together dashboards in both Tenable Vulnerability Management and Tenable Security Center (formerly Tenable.sc) that includes known vulnerabilities across multiple file transfer solutions that have been targeted by the CL0P ransomware gang over the last three years.
Tenable Vulnerability Management Dashboard:
Tenable Security Center Dashboard:
We have also published the following blog posts with more information on both of the dashboards:
Is Tenable impacted by the MOVEit Transfer vulnerability used by CL0P?
No, Tenable does not utilize the MOVEit Transfer software.
Get more information
- CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
- Progress Software Security Center: MOVEit Transfer and MOVEit Cloud Vulnerability
- Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-34362)
- Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-35036)
- Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-35708)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Change Log
Update June 21: This blog post has been updated to reflect the availability of our Tenable Research Advisory widget to identify assets vulnerable to the MOVEit Transfer flaws and dashboards to identify vulnerabilities across multiple file transfer solutions targeted by the CL0P ransomware gang.
Related Articles
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Exposure Management
- Vulnerability Management
- Exposure Management
- Vulnerability Management