MOVEit Transfer Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/moveit-transfer/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 28 Dec 2023 22:13:26 +0000

MOVEit Transfer Fixes a New Critical Vulnerability
https://gridinsoft.com/blogs/vulnerability-moveit-transfer/
Tue, 11 Jul 2023 12:38:43 +0000

After hundreds of companies were attacked with a 0-day vulnerability in MOVEit Transfer, the developer of this file transfer management product, Progress Software, promised to regularly release patches to provide a “predictable, simple, and transparent bug fixing process.” The first such package included patches for three vulnerabilities, including a critical one.

MOVEit Vulnerabilities – The Post-Factum View

This whole story started with a 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer, discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem. Researchers say that attacks exploiting this vulnerability began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers. This allowed them to list files stored on the server, download them, and steal account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. To simplify, all the attacks on that vulnerability were in fact a sophisticated SQL injection. The sophistication lies in the unusual way of reaching the database: through the 0-day vulnerability itself.

Microsoft analysts subsequently linked the massive attacks to the Cl0p ransomware group (aka Lace Tempest, TA505, FIN11, or DEV-0950), and the hackers soon began making demands and extorting ransoms from the affected companies. At the moment, according to Emsisoft experts, the number of victim companies exceeds 230: at least 20 schools in the US and dozens of universities around the world were affected. In total, the leaks affected information about 17-20 million people.

MOVEit MFT Vulnerabilities Receive a Fix

MOVEit products, including MOVEit Transfer and MOVEit Automation, will receive service packs from Progress Software. The first one has already received a patch that fixes a critical SQL injection. It also contains fixes for two other, less serious vulnerabilities.

The critical issue has been identified as CVE-2023-36934 by the Trend Micro Zero Day Initiative. The developers report that it can be used without authentication, allowing an attacker to gain unauthorized access to the MOVEit Transfer database.

“An attacker could send a specially crafted payload to the MOVEit Transfer application endpoint, which could modify and expose the contents of the MOVEit database,” reads the official security bulletin.

There are currently no reports of hackers actively exploiting this vulnerability. The second vulnerability is also a SQL injection and received the identifier CVE-2023-36932. Hackers actively use this one once they have managed to bypass authentication. Both SQL injections affect multiple versions of MOVEit Transfer, including 12.1.10 and later, 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later.

The third issue addressed by this month's patches was CVE-2023-36933. This vulnerability allows attackers to unexpectedly terminate the application. The bug exists in MOVEit Transfer versions 13.0.8 and later, 13.1.6 and later, 14.0.6 and later, 14.1.7 and later, and 15.0.3 and later. The company recommends that its customers install the update for their version, as shown in the table below.

Vulnerable versions               | Corrected version                 | Documentation            | Release Notes
MOVEit Transfer 2023.0.x (15.0.x) | MOVEit Transfer 2023.0.4 (15.0.4) | MOVEit 2023 Upgrade      | MOVEit Transfer 2023.0.4
MOVEit Transfer 2022.1.x (14.1.x) | MOVEit Transfer 2022.1.8 (14.1.8) | MOVEit 2022 Upgrade      | MOVEit Transfer 2022.1.8
MOVEit Transfer 2022.0.x (14.0.x) | MOVEit Transfer 2022.0.7 (14.0.7) | MOVEit 2022 Upgrade      | MOVEit Transfer 2022.0.7
MOVEit Transfer 2021.1.x (13.1.x) | MOVEit Transfer 2021.1.7 (13.1.7) | MOVEit 2021 Upgrade      | MOVEit Transfer 2021.1.7
MOVEit Transfer 2021.0.x (13.0.x) | MOVEit Transfer 2021.0.9 (13.0.9) | MOVEit 2021 Upgrade      | MOVEit Transfer 2021.0.9
MOVEit Transfer 2020.1.6+ (12.1.6) | Special Service Pack available   | MOVEit Transfer 2020.1SP | MOVEit Transfer 2020.1.7
MOVEit Transfer 2020.0.x+ (12.0.x) | Update to a supported version    | Upgrade/Migration Guide  | N/A
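As an added example (not code from the Gridinsoft post or from Progress Software), the following Python script turns the table above into an inventory check: it maps an installed MOVEit Transfer version, in either the 2023.0.x marketing form or the 15.0.x internal form, to the corrected build it should be at. The host names and versions in the sample inventory are constructed, and the 12.1 patch level is taken from the table's Release Notes column.

```python
import re
from typing import NamedTuple, Tuple

class Verdict(NamedTuple):
    installed: Tuple[int, int, int]   # (major, minor, patch) in internal numbering
    status: str                       # "fixed", "vulnerable", "unsupported" or "unknown"
    advice: str

# Marketing name (year.minor) -> internal major.minor, as given in the table's parentheses.
MARKETING_TO_INTERNAL = {
    (2023, 0): (15, 0), (2022, 1): (14, 1), (2022, 0): (14, 0), (2021, 1): (13, 1),
    (2021, 0): (13, 0), (2020, 1): (12, 1), (2020, 0): (12, 0),
}

# Internal branch -> (patch level of the corrected build, advice); None = no fixed build.
# The 12.1 patch level (7) is read from the table's Release Notes column (2020.1.7).
FIXED_BUILDS = {
    (15, 0): (4, "Upgrade to MOVEit Transfer 2023.0.4 (15.0.4)"),
    (14, 1): (8, "Upgrade to MOVEit Transfer 2022.1.8 (14.1.8)"),
    (14, 0): (7, "Upgrade to MOVEit Transfer 2022.0.7 (14.0.7)"),
    (13, 1): (7, "Upgrade to MOVEit Transfer 2021.1.7 (13.1.7)"),
    (13, 0): (9, "Upgrade to MOVEit Transfer 2021.0.9 (13.0.9)"),
    (12, 1): (7, "Apply the MOVEit Transfer 2020.1 Special Service Pack (2020.1.7)"),
    (12, 0): (None, "Branch is out of support: update to a supported version"),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '15.0.3' or '2023.0.3' (an optional 4th build number is ignored)
    and return (major, minor, patch) in internal numbering."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major >= 2000:  # marketing form, e.g. 2022.1.3 -> 14.1.3
        if (major, minor) not in MARKETING_TO_INTERNAL:
            raise ValueError(f"release line {major}.{minor} is not in the table")
        major, minor = MARKETING_TO_INTERNAL[(major, minor)]
    return major, minor, patch

def check_version(text: str) -> Verdict:
    """Compare one installed version against the July 2023 service pack table."""
    installed = parse_version(text)
    major, minor, patch = installed
    entry = FIXED_BUILDS.get((major, minor))
    if entry is None:
        return Verdict(installed, "unknown", "Branch not in the table; check the vendor bulletin")
    fixed_patch, advice = entry
    if fixed_patch is None:
        return Verdict(installed, "unsupported", advice)
    if patch >= fixed_patch:
        return Verdict(installed, "fixed", "Already at or above the corrected build")
    return Verdict(installed, "vulnerable", advice)

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    for host, ver in [("mft-01", "15.0.3"), ("mft-02", "2022.1.8"), ("mft-03", "12.0.9")]:
        v = check_version(ver)
        print(f"{host}: {ver} -> {v.status}: {v.advice}")
```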

The Number of Companies Affected by Attacks on Vulnerabilities in MOVEit Transfer Increased
https://gridinsoft.com/blogs/vulnerability-in-moveit-transfer/
Fri, 30 Jun 2023 11:42:50 +0000

The consequences of exploiting a 0-day vulnerability in MOVEit Transfer’s file transfer management solution continue to spread. The total number of affected companies has already exceeded 100, and Siemens Energy and Schneider Electric are now among the victims who confirmed the compromise.

Let me remind you that it all started with a 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

As a result, Microsoft analysts linked the massive attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Soon the hackers began to make demands and extort ransoms from the affected companies.

To date, hundreds of companies are known to have been compromised in the attacks, and over the past weeks many victims have confirmed the break-in. Among them is Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse. Through the Zellis hack, data of the Irish airline Aer Lingus, British Airways, the BBC, and the British pharmacy chain Boots was compromised.

The leaked data also affected the University of Rochester, the government of Nova Scotia, the authorities of the US states of Missouri and Illinois, BORN Ontario, Ofcom, Extreme Networks and the American Therapeutic Society.

This week the list of victims continued to expand. Representatives of the University of California, Los Angeles (UCLA) reported the attack and data leak, saying they had already notified the FBI about the incident and brought in third-party security experts to investigate the attack and determine what data was affected.

Attacks on the MOVEit Transfer bug also affected Siemens Energy, a Munich-based energy company that employs 91,000 people worldwide. Although no data leak has taken place at this time, Clop has already listed Siemens Energy as one of the victims on its dark web site, and company representatives have confirmed to the media that they were hacked in the recent Clop attacks.

Siemens Energy emphasizes that no important data was stolen and the company’s business operations were not affected.


Together with Siemens Energy, another industrial giant was added to the Clop website: the French company Schneider Electric, which works in power engineering and manufactures equipment for the energy systems of industrial enterprises, civil and residential construction, data centers, and so on.

Schneider Electric said that after the news of the vulnerability in MOVEit Transfer, the company “quickly deployed available tools to protect data and infrastructure.” Currently, the company’s security specialists are investigating the consequences of the incident and Clop’s claims of data theft.

In addition to the technology giants listed above, the list of victims has recently grown to include:

  1. the New York City Department of Education, which admitted that Clop stole documents containing confidential information from 45,000 students;
  2. Oregon and Louisiana state authorities, from whom hackers stole data on millions of driver’s licenses.

New critical vulnerabilities found in MOVEit Transfer
https://gridinsoft.com/blogs/new-vulnerabilities-in-moveit-transfer/
Thu, 15 Jun 2023 10:43:00 +0000

It has become known that new critical vulnerabilities were discovered during an audit of the MOVEit Transfer file transfer management solution. Previously, the exploitation of a 0-day vulnerability in MOVEit Transfer had already compromised hundreds of companies, and the hack affected such giants as British Airways and the BBC.

Background

A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023. The bug was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment.

Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. Microsoft analysts have linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Among other things, this group is known for leaking data from two universities.

MOVEit Developers React to Vulnerabilities

It soon became known that hundreds of companies in total were compromised during the attacks, and the hack was confirmed by the Irish airline Aer Lingus, British Airways, the BBC and the British pharmacy chain Boots. Now the MOVEit Transfer developers have warned customers about new critical vulnerabilities in their file transfer management product. The new bugs were found during a security audit carried out by experts from Huntress after the mass attacks.

According to the manufacturer, the new vulnerabilities are SQL injections and affect all versions of MOVEit Transfer, allowing unauthenticated attackers to compromise Internet-accessible servers and change or steal user information.

“All MOVEit Transfer customers must install the new patch released on June 9, 2023. The investigation is still ongoing, but at this time we have found no signs of exploitation of these newly discovered vulnerabilities,” the company added.

The developers note that all MOVEit Cloud clusters have already received fresh fixes that have protected them from potential attack attempts.

It is also worth noting that a PoC exploit for the original zero-day vulnerability (CVE-2023-34362), the one behind the massive attacks on MOVEit Transfer customers, appeared recently. The exploit, together with a detailed technical analysis of the vulnerability and a list of indicators of compromise that network defenders can use to detect exploitation of the bug on vulnerable servers, was published by researchers from Horizon3. Information security experts warn that after the release of this exploit, more attackers are likely to use it in attacks or create their own versions to attack unpatched servers still reachable from the Internet.


Clop Attacks on MOVEit Transfer Affected British Airways, BBC and More
https://gridinsoft.com/blogs/clop-moveit-transfer/
Mon, 12 Jun 2023 11:36:26 +0000

According to security researchers, the Clop ransomware group has been looking for a way to exploit a vulnerability in MOVEit Transfer since 2021. Hackers say hundreds of companies have been compromised in recent attacks, with Irish airline Aer Lingus, British Airways, the BBC and British pharmacy chain Boots having already confirmed the hack.

What is the MOVEit 0-day vulnerability?

A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution became known in late May. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

The bug itself was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

The week before, Microsoft analysts linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Among other things, this group is known for leaking data from two universities.

Old vulnerability

As experts from the information security company Kroll now report, hackers appear to have been looking for ways to exploit this zero-day vulnerability long before the mass attacks began, specifically since 2021.

“Kroll’s review of the Microsoft Internet Information Services (IIS) logs of affected clients found evidence of similar activity occurring in several client environments in the past year (April 2022), and in some cases as late as July 2021,” the researchers wrote.

They also discovered that attackers were testing different ways to collect and steal sensitive data from compromised MOVEit Transfer servers back in April 2022.

“Kroll observed activity related to the exploitation of a vulnerability in MOVEit Transfer that occurred on April 27, 2022, May 15-16, 2023, and May 22, 2023. This indicates that the attackers were checking access to organizations and extracting information from MOVEit Transfer, likely using automated tools,” the report says.

Automated malicious activity increased markedly on May 15, 2023, right before the start of massive attacks on the 0-day vulnerability.

Figure: Victim data collection

Since similar activity was performed manually in 2021, experts believe that the attackers knew about the bug for a long time, but were preparing the necessary tools to automate mass attacks.

Victims of the attack

Hackers told reporters this past weekend that the vulnerability allowed them to break into MOVEit Transfer servers owned by “hundreds of companies.” Although the media then urged not to take the hackers at their word, some victims have unfortunately already confirmed the compromise.

Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse, was one of the first to confirm the breach and leak of customer data.

Some major Zellis customers have already made official statements about the hack. Among them: government agencies in Nova Scotia (including the Health Authority, which uses MOVEit to exchange confidential and classified information), the University of Rochester, British Airways and the BBC, which reported the theft of employees’ personal information and that there were other Zellis customers among the victims – Irish airline Aer Lingus and the British pharmacy chain Boots.

Currently, Clop has not yet begun to publish information stolen from companies. On their dark web site, the attackers gave the victims until June 12, stating that if the companies do not contact them and start negotiations on the payment of a ransom by that time, data leaks will follow.

