{"id":95472,"date":"2023-07-13T05:49:00","date_gmt":"2023-07-13T05:49:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=95472"},"modified":"2023-07-13T05:49:00","modified_gmt":"2023-07-13T05:49:00","slug":"one-month-after-moveit-new-vulnerabilities-found-as-more-victims-are-named","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=95472","title":{"rendered":"One month after MOVEit: New vulnerabilities found as more victims are named"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/07\/one-month-after-moveit-new-vulnerabilities-found-as-more-victims-are-named.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Although much of the initial panic surrounding <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/366539035\/Zero-day-vulnerability-in-MoveIt-Transfer-under-attack\">the late-May breach of Progress Software\u2019s MOVEit file transfer tool has subsided<\/a>, Clop &#8211; the ransomware operation behind the attack &#8211; continues to leak victims&#8217; details. Pertinently for security teams on the frontline, Progress itself continues to disclose more vulnerabilities in the product, some of which appear to be under active exploitation.<\/p>\n<p>On 6 July, Progress <a href=\"https:\/\/community.progress.com\/s\/article\/MOVEit-Transfer-Service-Pack-July-2023\">released the first in a planned series of service packs<\/a> for MOVEit Transfer and MOVEit Automation, designed to provide a \u201cpredictable, simple and transparent process for product and security fixes.\u201d<\/p>\n<p>The pack contains fixes for three newly-disclosed CVEs. 
In numerical order, these are:<\/p>\n<ul class=\"default-list\">\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36932\">CVE-2023-36932<\/a>, multiple SQL injection vulnerabilities in the MOVEit Transfer web application that could allow an authenticated attacker to gain access to the MOVEit Transfer database, credited to cchav3z of HackerOne, Nicolas Zillo of CrowdStrike, and hoangha2, hoangnx and duongdpt (Q5Ca) of Viettel Cyber Security\u2019s VCSLAB;<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36933\">CVE-2023-36933<\/a>, a vulnerability that lets an attacker invoke a method resulting in an unhandled exception, causing MOVEit Transfer to quit unexpectedly (a denial of service), credited to jameshorseman of HackerOne;<\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36934\">CVE-2023-36934<\/a>, a further SQL injection vulnerability with the same database-access impact as the first but, per the NVD entry, reachable by an unauthenticated attacker and therefore rated critical, credited to Guy Lederfein of Trend Micro via the Zero Day Initiative.<\/li>\n<\/ul>\n<p>Christopher Budd, <a href=\"https:\/\/www.sophos.com\/en-us\/x-ops\">Sophos X-Ops<\/a> director of threat research, said that Sophos released intrusion prevention system (IPS) detection signatures for its products earlier this week and, for at least one of the flaws, has seen \u201csome very limited evidence\u201d of exploitation.<\/p>\n<p>\u201cWhat this means is if you\u2019re a MOVEit customer and you haven\u2019t applied that service pack, even if you deployed the previously released patches, you need to get that service pack deployed as well,\u201d he told Computer Weekly.<\/p>\n<p>Budd added that he has observed before how, when one high-profile vulnerability is disclosed, attacked and fixed, people think they are now protected and their attention starts to wane, even if other vulnerability disclosures follow, which they often do.<\/p>\n<p>\u201cThey think, okay, well, I applied the patch a month and a half ago so I\u2019m done, it\u2019s fine. 
And that\u2019s not the case,\u201d he said.<\/p>\n<p>\u201cThe good news is there\u2019s no indication that this new [flaw] that we\u2019ve seen evidence of attacks against is widespread, but the fact that people are apparently starting to target it means that\u2019s the next wave.<\/p>\n<p>\u201cIt\u2019s important for people to try to get ahead of that wave and be sure they apply not just the patches that have been released, but the service pack that brings them fully up to date. If you haven\u2019t applied that service pack, today is a good day to do so.\u201d<\/p>\n<p>Budd said there was not yet enough evidence to attribute this latest malicious activity to Clop or any other threat actor, but noted that the mere fact that there is any evidence of exploitation at all suggests there may be more to come.<\/p>\n<p>He also advised users of any file transfer product \u2013 not just MOVEit \u2013 to adopt a state of heightened alert, Clop having historically favoured vulnerabilities in such tools. He noted that in many organisations, file transfer utilities are often used on an ad hoc basis by people who have not cleared it with the IT or security teams \u2013 so-called shadow IT &#8211; so even if security professionals do not believe their organisations are exposed, they should still look into the matter as they may find something surprising.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Intense times\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Intense times<\/h3>\n<p>The initial MOVEit incident has now claimed close to 300 victims and has likely affected the data of at least 17 million people. 
Victims are to be found all over the world, although the highest numbers are now in the US, with over 190 confirmed, Germany with 28, Canada with 21 and the UK with 17 \u2013 notably the BBC, Boots and British Airways, which were <a href=\"https:\/\/www.computerweekly.com\/news\/366539413\/Victims-of-MOVEit-SQL-injection-zero-day-mount-up\">some of the first named victims in June<\/a>.<\/p>\n<p>Some of the most recent organisations &#8220;named and shamed&#8221; by the Clop ransomware operation include real estate firm Jones Lang LaSalle, hotel chain Radisson, and GPS specialist TomTom.<\/p>\n<p>Charles Carmakal, CTO at the consulting business of Google Cloud-owned <a href=\"https:\/\/www.mandiant.com\/\">Mandiant<\/a>, who has been deeply involved in incident response following the MOVEit attacks, said: \u201cThere are so many victims that are impacted by MOVEit, either directly or indirectly, that it\u2019s been really impactful and it\u2019s keeping a lot of people busy. Candidly, a lot of people are just overwhelmed &#8211; victims, law enforcement, response companies. It\u2019s been pretty intense.\u201d<\/p>\n<p>The MOVEit incident has been particularly notable for the fact that Clop never deployed actual ransomware and no victims appear to have been affected by data encryption \u2013 merely data theft and extortion.<\/p>\n<p>Carmakal explained that in their perfect scenario, a gang like Clop would prefer to be able to use encryption to exert so much pressure that their victims feel there is no alternative but to pay. 
However, thinking about the MOVEit attack from Clop\u2019s perspective, given the number of vulnerable organisations and the need to hit as many as possible before the initial zero-day was made public, it likely made more sense to just conduct smash-and-grab raids.<\/p>\n<p>\u201c<a href=\"https:\/\/www.computerweekly.com\/news\/365534861\/Clop-ransomware-booms-in-March-as-Fortra-zero-day-pays-off-for-gang\">The [previous] campaign against Fortra GoAnywhere was very lucrative for [Clop]<\/a>,\u201d he said. \u201cI know a lot of victim organisations paid. I think they felt that to be stealing data and only stealing data they would make a lot of money.\u201d<\/p>\n<p>Carmakal said a lot of MOVEit victims have paid, but equally a great many have not, although Budd said that Sophos has observed no payments among victims it has worked with.<\/p>\n<p>Clop is also facing challenges itself. \u201cThey\u2019re a small team,\u201d said Carmakal. \u201cIt\u2019s hard for a big team to handle this much data, so for a small team to handle this much data, many victims and all the infrastructure they have had to set up to host the volume of data that they\u2019ve stolen &#8211; it\u2019s got to be tough.<\/p>\n<p>\u201cThey are making some mistakes and will likely make more. One of the things we are advising our clients is there are certain rules that this group abides by \u2013 they do things in a certain way \u2013 but the caveat is that this time things may be a little different because the threat actors overwhelmed themselves. 
There could be a number of reasons for the actor to do things that may not be intended or might be accidental, but that\u2019s just a byproduct of them being overwhelmed by the sheer volume of data they have and the number of victims they have.\u201d<\/p>\n<p>One very notable difference observed is the fact that instead of reaching out directly to their victims, Clop asked victims to reach out to it, something that has not really been seen before and may be read as an indication that someone, somewhere, is trying to lighten their workload. The fact that English is not the gang\u2019s first language is also likely complicating things.<\/p>\n<p>\u201cThe proactive outreach could well reflect the fact that in this series of attacks Clop has been more successful than they had anticipated,\u201d said Budd. \u201cWe often talk about cyber crime as a business \u2013 they may be facing a genuine business problem, which is that they have more victims than they have the infrastructure to support. 
I don\u2019t mean this flippantly by any means, but this may well be the cyber crime equivalent of the helpdesk getting swamped over the holidays.\u201d<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Trouble for Clop?\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Trouble for Clop?<\/h3>\n<p>A little over two years ago, <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252500684\/DarkSide-The-ransomware-gang-that-took-down-a-pipeline\">the DarkSide ransomware attack on Colonial Pipeline<\/a>, which wrought havoc across a swathe of US states and elevated cyber security to respectable dinner party conversation, so incensed the US authorities that it spelled doom for the gang that poked the hornets\u2019 nest.<\/p>\n<p>While ordinary people have not felt the impact of the MOVEit attack at the petrol pumps like they did with Colonial Pipeline, the sheer scale and breadth of the incident has brought Clop global government and media attention, and in the security research community a suggestion that the crew has taken a step too far is gaining traction.<\/p>\n<p>\u201cThere are a lot of eyes on them right now. There are a lot of people that are upset and some of those people have the authority to take action, whether it&#8217;s to seize infrastructure or put people on a no-fly list or pick people up when they travel to certain countries. They&#8217;ve definitely attracted a lot of attention, much more than probably what they were hoping to pick up,\u201d said Carmakal.<\/p>\n<p>Budd took a similar view: \u201cThere is a certain top of the bell curve that threat actors in the ransomware space want to try to aim for. You want to maximise success but if you are too successful you gain the bad kind of attention, you make yourself so much of a nuisance and so much of a threat that you end up marshalling more forces in response to you than you might want. 
This could well be one of those moments.\u201d<\/p>\n<p>Will the gang face any repercussions? Carmakal said that even though the US and Russia are barely on speaking terms right now, there are still things that can be done to interfere with Clop\u2019s infrastructure, and law enforcement agencies such as the FBI <a href=\"https:\/\/www.computerweekly.com\/news\/252529648\/Hive-ransomware-gang-taken-down-after-FBI-hacks-back\">have set a precedent for offensive &#8220;hacking back&#8221; operations against cyber criminals<\/a>.<\/p>\n<p>Don\u2019t forget, he added, that in 2021 when multiple Clop operatives were arrested, <a href=\"https:\/\/www.computerweekly.com\/news\/252502541\/Cl0p-ransomware-gang-clapped-in-irons-assets-seized\">they were caught in Ukraine, not Russia<\/a>.<\/p>\n<p>So Clop\u2019s members should be looking over their shoulders, but as <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-notorious-fin7-hackers-return-in-clop-ransomware-attacks\/\">their links to other cyber criminal operations<\/a> so aptly demonstrate, even if MOVEit proves a step too far for the gang and it becomes impossible to carry on, it can almost certainly be guaranteed that the same people behind the operation will eventually resurface in a different guise. The Biblical adage that there is &#8220;nothing new under the sun&#8221; has never been applied so aptly as to the cyber security world.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Although much of the initial panic surrounding the late-May breach of Progress Software\u2019s MOVEit file transfer tool has subsided, Clop &#8211; the ransomware operation behind the attack &#8211; continues to leak victims&#8217; details. 
Pertinently for security teams on the frontline, Progress itself continues to disclose more vulnerabilities in the product, some of which appear to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":95473,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-95472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/95472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=95472"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/95472\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/95473"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=95472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=95472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=95472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}