A spree initiated by a financially-motivated ransomware group that actively exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer service to steal customers’ data is afoot.

Exploits have been underway for at least four months, according to Trustwave, and the compromise of MOVEit databases has resulted in at least one follow-on attack that has ensnared multiple downstream victims.

Some large, well known organizations came forward June 5 to disclose the personal identifiable information of their employees was compromised. This occurred after Zellis, a payroll provider based in the U.K. that uses MOVEit, was attacked via the vulnerability. 

The Clop ransomware group, also known as TA505, published a statement on its dark web site on June 6 claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.

With investigations underway, cyber authorities, threat hunters and security researchers from many firms are on guard and anticipate more victims.

“Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” the Cybersecurity and Infrastructure Security Agency and FBI said June 7 in a joint advisory.

High-profile victims come forward

The follow-on attack impacted eight Zellis customers thus far, including British Airways and the BBC.

“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them,” a Zellis spokesperson said via email.

A British Airways spokesperson said the airline is notifying employees whose PII was compromised and a spokesperson for the BBC said the media company is investigating the extent of the breach.

The government of Nova Scotia, which uses the MOVEit file transfer service, said it discovered the PII of residents was compromised after Progress informed the Canadian province of the vulnerability on June 1.

Progress declined to say how many companies currently use MOVEit or how many victims it’s aware of to date.

The company said it has hundreds of thousands of customers, including 1,700 software companies and 3.5 million developers, according to a filing with the Securities and Exchange Commission for the fiscal first quarter ending Feb. 28.

Progress estimates MOVEit Transfer and MOVEit Cloud accounted for less than 4% of its annual revenue, according to an 8-K filed with the SEC on May 30.

The file transfer service has customers across highly regulated industries, exemplifying the potential damage among government, finance and healthcare organizations.

How the zero-day unraveled

The vulnerability, which was first disclosed by Progress on May 31 and assigned CVE-2023-34362 on June 2, impacts on-premises and cloud-based versions of MOVEit.

The vendor issued a patch for on-premises versions of MOVEit and patched cloud test servers on June 1.

“We have also implemented a series of third-party validations to ensure the patch has corrected the exploit,” a Progress spokesperson said.

The company said it’s not aware of any active exploits of the vulnerability prior to last week.

"We have publicly disclosed our understanding of the timeline in our Form 8-K filing. This is an ongoing investigation and based on the intelligence sharing within the security community and what we currently know,” a Progress spokesperson said.

Progress continues to encourage on-premises customers of MOVEit to apply the patch as soon as possible. 

As of June 7, researchers at Censys observed more than 2,600 hosts exposed to the internet currently running the service.

All hands on deck

CISA, CrowdStrike, Mandiant, Microsoft, Huntress and Rapid7 are all assisting Progress with incident response and ongoing investigations, the company said.

This is the third high-profile, actively exploited zero-day vulnerability currently linked to a file-transfer service this year. Clop is responsible for two of these supply-chain attacks, including a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service the group exploited in March.

Clop was also responsible for the zero-day exploit driven campaign against the Accellion file transfer devices in 2020 and 2021. “In recent campaigns beginning 2021, Clop preferred to rely mostly on data exfiltration over encryption,” federal authorities said in the advisory.

Prior to Clop’s latest spree of attacks, CISA and the FBI estimated the threat actor group has compromised more than 3,000 U.S.-based organizations and 8,000 organizations based elsewhere.

The period of active exploitation prior to discovery remains a moving target, as security researchers continue to uncover previously unknown attacks linked to the SQL injection vulnerability and subsequently discovered vulnerability.

“Trustwave has seen activity of source IPs recently exploiting the MOVEit application since at least February,” Spencer Ingram, Trustwave’s SVP of operations, said via email.

“While we cannot specifically attribute these to specific threat actors, we do have multiple ongoing investigations. Since the situation is evolving and our investigations remain ongoing, we’re unable to comment further at this time,” Ingram said.

Mandiant Consulting CTO Charles Carmakal declined to say how many victims the incident response firm is currently aware of at this time, but previously described evidence of mass exploitation and broad data theft.

“The threat actor opportunistically downloaded data from compromised MOVEit instances. They will primarily leverage the stolen data to coerce victims to pay an extortion demand in exchange for a promise to not publish the data online,” Carmakal said via email.

“Mandiant does not consider this to be a cascading software supply chain attack,” which is how the incident response firm described the supply chain attack against 3CX in March and the resulting attack against Trading Technologies in April, Carmakal said.

“However, these MOVEit security incidents could certainly lead to security incidents at other organizations,” Carmakal said.

Researchers track ongoing threat activity

Researchers are split on what threat actor is responsible for the attacks, but every attribution includes links to Clop ransomware or an affiliate.

Mandiant attributes the attacks to a new threat cluster it identifies as UNC4857, a group that has previously exploited zero-day vulnerabilities in file transfer systems and used tailored web shells for data exfiltration.

Microsoft attributed the attacks to Clop, a group it identifies as Lace Tempest under its new threat actor naming taxonomy.

There’s also new evidence from Huntress, which recreated the attack chain exploiting the vulnerability in MOVEit, asserting the web shell indicator of compromise previously shared by Progress and security researchers is not necessary to compromise the software.

Progress corroborated these findings in an update on June 9. The series of SQL injection vulnerabilities were assigned CVE-2023-35036 on Sunday.

“As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit. These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31,” Progress said in a statement.

“The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” the company said.

The vendor released a patch for the newly discovered vulnerabilities on June 9 and advised all customers to apply the patch.

“We have yet to see any further post-exploitation like ransomware or lateral movement, but uncovering the arbitrary code execution attack vector means that there is potential for other effects or attacks,” John Hammond, senior security researcher at Huntress, said via email.

“This could lead to ransomware, cryptomining, or any other threat without specifically creating a backdoor,” Hammond said.

The attacks against MOVEit and its customers underscores the fact exploited vulnerabilities remain the No. 1 root cause of ransomware attacks, according to John Shier, field CTO at Sophos.

“Any organization that is using — or has supply chain partners that use — the MOVEit Transfer software need to immediately disable the software, isolate any machines that may still be running it from the rest of the network, apply the patch and investigate for potential compromise,” Shier said.