A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.
I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.
Really serious, impacted orgs should shut down the server. Thread follows. #threatintel
#MoveIT Transfer looks like this, it’s an enterprise MFT solution. It looks like somebody has been stealing stuff.
If it turns out to be a ransomware group again this will be the second enterprise MFT zero day in a year, cl0p went wild with GoAnywhere recently. Also their third MFT zero day.
I would recommend orgs who run #MoveIT Transfer do three things:
- Remove network connectivity/contain
- Check for newly created or altered .asp* files
- Retain a copy of all IIS logs and network data volume logs.
Webshells have been getting dropped. Microsoft Safety Scanner is a good tool to run. https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download
With #MoveIT Transfer, stuff I know so far:
- Huge US footprint, including US government. It's quite expensive, so mostly western enterprises.
- It's definitely a zero day, although vendor doesn't want to say it obvs.
- Everyone online is still vulnerable. This includes some big banks etc.
- Webshells started being planted a few weeks ago, multiple incidents running at multiple orgs during that timeframe who detected activity.
Vendor appears pretty responsive and good so far.
One additional update on #MoveIT - I'm reliably told this incident also impacted their SaaS cloud offering of the same product. They may have to wordsmith around this.
More info about one of the #MoveIT webshells in this write up
YARA rule for that webshell https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara
Example file (0 AV detection still) https://www.virustotal.com/gui/file/387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a/summary
Just been on a quick call with industry peeps looking at what known attacker IPs were interacting with over the weekend - #MoveIT boxes in the US and SaaS.
The vuln itself allows RCE, not just webshells, so I think Mandiant and DART are gonna get some IR hours.
While I’m here - make sure MoveIT Transfer is in a real DMZ. Your shit would still have been stolen but it stops them moving internally.
Can’t wait to read all the security vendor blogs saying they fully protect against this threat next week
It looks like a significant amount of data exfiltration may have happened re #MoveIT. Another problem - it can use cloud bucket storage for data, and storage access keys got taken and need rotating: data access still possible in those situations.
There are conflicting signals re exploitation - while it’s clear a smash and grab happened at the weekend, there are signs the exploit was used prior to the weekend.
#MoveIT vendor has confirmed cloud SaaS offering was impacted. It’s refreshing to see a product owner really take ownership of a situation. (Obviously, I expect some ongoing wordsmithing for journalists longer term re cloud).
This is good technical blog. https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
#MoveIT Transfer zero day issue has a CVE now under review - CVE-2023-34362.
HT @CyberLeech #CVE202334362
Transparency tweet for defenders: This weekend, I am doing internet scans of #MoveIT Transfer servers for vulnerable versions and planted webshells.
Microsoft are attributing the #moveIT zero day attacks to cl0p ransomware group.
I’ve been tracking this - there are a double-digit number of orgs who had data stolen, that includes multiple US Government and banking orgs.
This is the third time Cl0p ransomware group have used a zero day in webapps for extortion in three years, btw. In all three cases they were products with security in the branding.
In terms of emerging threats, expect more of this while the west appears unable to accept the threat of ransomware groups.
#moveIT issue is unfolding fast.
British Airways and Boots (retailer) in UK have disclosed they had data breaches via moveIT. https://news.sky.com/story/bas-uk-staff-exposed-to-global-data-theft-spree-12896900
The BBC have also been breached via the #moveIT issue, staff data was taken. Payroll provider Zellis had their data stolen.
BBC report on their own breach, also implicate AerLingus (airline). https://www.bbc.co.uk/news/technology-65814104 #MOVEit
Just to be crystal clear on this one - orgs running #MoveIT Transfer should assume compromise, not just patch.
Cl0p did a smash and grab over the last holiday weekend across over a hundred large/prominent orgs.
Check for webshells. It’s not just human2, look for new files in the web root folder.
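The triage steps earlier in the thread (contain the box, look for newly created or altered .asp* files, keep the IIS logs) and the reminder above to look for any new file in the web root, not just human2, as one added Python example. This is not code from the thread or from the vendor. It assumes the responder can build a known-good manifest of {relative path: sha256} from a clean install or a pre-incident backup, that the web root and IIS log are passed in by the caller, and that the IIS log is in the default W3C format with a `#Fields:` header; file names, IPs and log lines in the demo are constructed placeholders.

```python
"""Triage a web root for script files that are not in a known-good manifest, then pull
the IIS log records that touched them.  Added example; assumptions are listed in the
lead-in.  The sha256 manifest is the authoritative check: timestamps are a hint only,
because an attacker can set mtime on a planted file."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# .asp* plus the other IIS handler extensions that execute server-side code
SCRIPT_SUFFIXES = {".asp", ".aspx", ".ashx", ".asmx", ".ascx"}

# Constructed IIS W3C log fragment (placeholder IPs from the RFC 5737 test ranges).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 02:13:55 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
2023-05-28 02:14:12 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 12
2023-05-28 02:14:13 10.0.0.5 GET /favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 1
2023-05-28 02:15:40 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 8
"""


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not get loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspect_scripts(web_root, known_good, cutoff):
    """Return [(relpath, reason, sha256)] for every script file under web_root that is
    absent from the manifest, differs from it, or (if it matches) was modified after cutoff."""
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if rel not in known_good:
            findings.append((rel, "not in known-good manifest", digest))
        elif known_good[rel] != digest:
            findings.append((rel, "hash differs from known-good", digest))
        elif path.stat().st_mtime > cutoff.timestamp():
            findings.append((rel, "modified after cutoff", digest))
    return findings


def iis_requests_for(log_text, suspect_paths):
    """Parse W3C IIS log text and return the records whose cs-uri-stem is a suspect file.
    Field order is taken from the '#Fields:' header, so reordered logs still parse."""
    fields = None
    wanted = {"/" + p.lower() for p in suspect_paths}
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if fields is None or not line.strip() or line.startswith("#"):
            continue
        parts = line.split()          # IIS writes '+' for spaces, so whitespace split is safe
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        if rec.get("cs-uri-stem", "").lower() in wanted:
            hits.append(rec)
    return hits


def demo():
    """Constructed scenario: one legitimate page in the manifest, one planted human2.aspx
    (the name mentioned in the thread) with stand-in content, and the sample log above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "index.aspx"                     # placeholder, not a real product file
        good.write_text("<%@ Page Language='C#' %>legitimate page\n")
        old = datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(good, (old, old))                     # pre-incident mtime
        manifest = {"index.aspx": sha256_file(good)}   # built before the incident in practice
        (root / "human2.aspx").write_text("<%@ Page Language='C#' %>planted placeholder\n")
        cutoff = datetime(2023, 5, 26, tzinfo=timezone.utc)
        findings = find_suspect_scripts(root, manifest, cutoff)
        hits = iis_requests_for(SAMPLE_IIS_LOG, [rel for rel, _, _ in findings])
    return findings, hits


if __name__ == "__main__":
    found, reqs = demo()
    for rel, reason, digest in found:
        print(f"{rel}: {reason} sha256={digest}")
    for r in reqs:
        print(f"{r['date']} {r['time']} {r['c-ip']} {r['cs-method']} {r['cs-uri-stem']} {r['sc-status']}")
```

Run it against the real web root and a copy of the retained IIS logs; the manifest is what makes the result trustworthy, so build it from a clean install of the same version rather than from the box under investigation. Submit the hash of anything flagged to the YARA rule and VirusTotal links earlier in the thread before deciding it is benign.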
Cl0p drip-feed victims on their portal over months, not days - this is the third time they’ve pulled a zero day heist like this.
Really good reporting on the #moveIT situation by @dangoodin - gives a run down of where we're at. https://arstechnica.com/information-technology/2023/06/mass-exploitation-of-critical-moveit-flaw-is-ransacking-orgs-big-and-small/
I don’t wanna say ransomware and extortion groups are outta control buttt #moveit https://www.bbc.co.uk/news/technology-65829726
@GossiTheDog HT @JasonBacon the man the myth the legend
@CyberLeech the one and only
@GossiTheDog @CyberLeech
Any thoughts on the files and data that are staged for sharing inside these compromised #MoveIT platforms that mostly unsuspecting end users might be downloading? Should we consider the integrity of this data to be compromised?
@0x0ED @GossiTheDog Unfortunately (or fortunately) I/we don't actually use this service or currently have an instance we can test in.
Integrity should be questioned and confirmed as best as possible with known good. I'd hope that there would be logging of any modifications/writes being made to the files, might depend on the backend DB for verbosity though and whether the logs were centralized.