JUNE 8, 2023

The Zero-Day Attack on the MOVEit File Transfer Software

MOVEit encrypts data at rest and in motion and provides IT security controls for sensitive business data. It is used by both the public and private sector, as well as individuals for personal use.

A zero-day vulnerability, dubbed CVE-2023-34362, has been discovered in the file transfer tool. The severity of this threat is still under investigation. As such, it does not have an assigned CVSS score as of this writing.

When it was first discovered the zero day had already been exploited by a threat actor known to be operating the Clop ransomware extortion site. In this article, we cover what is currently known.

The What

CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer’s web application that allows malicious individuals to gain access to MOVEit Transfer’s database without the need for authentication.

MOVEit is often used to transfer sensitive data, such as employee PII. By exploiting this vulnerability, attackers can use this private information for a multitude of purposes, including selling it on the dark web or using the data to extort breached organizations.

The Who

The threat actors behind this attack are believed to be members of the notorious threat group FIN11, also known as Lace Tempest. This threat group is not new to this type of attack. Just last month FIN11 stole millions of patient records using a vulnerability in the GoAnyware file transfer software. In July 2021, they exploited a vulnerability in the file transfer software formerly known as Accellion.

FIN11 is believed to have strong ties to the (presumably) Russian ransomware group Clop. FIN11 has published stolen data on Clop’s leak website in the past and is likely to do it again if they find the recently stolen data worthy of extortion.

The Victims

The breach is believed to have affected numerous organizations. Only a few have come forward to date. Among the proclaimed victims is Zellis, a UK-based payroll and HR solutions provider with multiple clients of its own, a fact that only enlarges the pool of potential victims. Among Zellis’ clients are the BBC and British Airways, both of whom have also come forward as victims of the breach. The British airline giant also confirmed that some of its employees’ data had been stolen during the attack but did not disclose how many of its’ 35,000 employees were affected.

As the breach is very recent, and the wounds are relevantly fresh, it is likely that more victims will come forward soon, willingly or otherwise.

What’s next?

There are currently more than 3K exposed servers. We recommend that organizations scan their environment for the IOCs and patch the vulnerable versions immediately:

2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

Deep Instinct is following these events closely and will update this post as new details become available.

See the CISA Advisory issued on June 7, 2023 here.