By: Mastercard Security Research Team

Multiple high-profile targets, including federal government agencies in the United States, have been hit by a recent wave of cyberattacks, exploiting a vulnerability in MOVEit, a widely used file-transfer application. The Russian-speaking CL0P (or CLOP) ransomware group has taken credit for attacks, proclaiming they have information on hundreds of impacted companies. As of June 15, 2023, at 1:00PM ET, the CL0P leaks site has claimed at least 27 victims.


What Happened?

On June 7, 2023, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) shared that the Russian-speaking CL0P Ransomware Gang has been exploiting this weakness to steal data. CL0P had similarly exploited vulnerabilities in other systems in the past. The FBI and CISA are urging organizations to take preventive measures to decrease the chances and potential impact of ransomware attacks like these. CL0P first appeared in 2019. The ransomware group is a globally significant phishing and malspam distributor, and uses large-scale phishing campaigns to steal, encrypt, and publish victim data. It is estimated that CL0P has compromised over 3,000 U.S. organizations and 8,000 worldwide since 2019.

About the vulnerabilities

On May 31, 2023, Progress Software discovered a new vulnerability in their MOVEit Transfer and MOVEit Cloud software. MOVEit is typically used by businesses and organizations across various sectors such as healthcare, finance, retail, and government, among others, that need to securely transfer sensitive data and automate file-based business workflows.

The vulnerability (CVE-2023-34362) allowed attackers to gain unauthorized access to MOVEit Transfer and MOVEit Cloud environments. While mitigation steps and a security patch were released within 48 hours, hackers had already exploited this vulnerability in many organizations and have continued to find and attack those with unpatched instances.

While the earlier disclosed exploits were widely reported, the situation remains dynamic. On June 15, 2023, additional vulnerabilities were disclosed forcing Progress Software to recommend that “all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized.”

Who Has Been Impacted?

According to the National Cyber Security Centre (NCSC), several major UK-based organizations including Ofcom, Transport for London, BBC, Boots and British Airways have been impacted. Additionally, on June 15, 2023, CNN reported that several US federal government agencies, along with other major institutions and organizations, have fallen victim to exploitation of the MOVEit software vulnerabilities. Victims include the US Department of Energy, Georgia’s state-wide university system, and the Johns Hopkins University and its health system, which stated that "sensitive personal and financial information," including health billing records, may have been stolen.

What Should Users of MOVEit Do?

The FBI and CISA provided recommendations to mitigate cyber threats from CL0P including:

  • Asset Inventory: Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
  • Privilege Management: Only grant admin privileges and access when necessary and establish a software allow list that executes only legitimate applications.
  • Network Monitoring: Monitor network ports, protocols, and services, and activate security configurations on network infrastructure devices such as firewalls and routers.
  • Patch Management: Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.

Progress Software has provided additional recommended remediations to prevent exploitation of the MOVEit vulnerability which can be found here.

How Can RiskRecon Help?

RiskRecon by Mastercard has supplied its customers reports of assets that currently have the MOVEit Transfer solution exposed to the internet. These reports contain information on all exposed MOVEit Transfer assets in their customer portfolio. It is important to note that the assets identified in this report are potentially vulnerable and should be verified with the asset owner.

It is critical that organizations understand their assets, establish a patching cadence, and continuously monitor third, fourth, and nth parties for different risks. Exploitation of the MOVEit vulnerabilities reinforces the importance of regularly patching software. It is also a vital reminder that third-party suppliers are held to the same standards. Mastercard tools like RiskRecon enable not only own enterprise vulnerability management, but also robust third-party risk and asset management.

To see how RiskRecon can help keep you safe from this and other cyber threats...REQUEST A DEMO.