At the end of May 2023, Kroll received multiple reports that a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362) was being actively exploited to gain access to MOVEit servers.
In this blog post, we aggregate key Kroll guidance on this security issue and the steps your organisation should take in response.
Responding to the MOVEit Transfer vulnerability
Kroll recently observed threat actors using the zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362) to upload a web shell, exfiltrate data and initiate intrusion lifecycles, or move laterally to other areas of the network. Following this, the Clop ransomware group publicly claimed responsibility.
Kroll's forensic review identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021. Kroll provided guidance on steps to mitigate risks associated with this critical vulnerability, which allows attackers to gain unauthenticated access to MOVEit Transfer servers.
Our findings illustrate the sophisticated knowledge and planning that go into mass exploitation events such as those exploiting the MOVEit Transfer vulnerability. According to these observations, the Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023, but chose to execute the attacks sequentially rather than in parallel.
Since its public statement claiming responsibility for the MOVEit Transfer attacks, the Clop ransomware group has updated its threat actor website, instructing users of MOVEit Transfer products to contact them via email.
Further background information about the vulnerability is available here.
Further information about the Clop Group’s involvement is available here.
MOVEit Transfer vulnerability – recommendations
Patches for supported MOVEit Transfer versions have been released and are available from the MOVEit website located here.
Supported versions are listed via this link.
Recommendations from MOVEit Transfer can be found here, which advise impacted users to:
- Disable HTTP and HTTPS traffic to their MOVEit Transfer environment
- Check for indicators of unauthorised access in the last 30 days
- Apply patches as they become available
- Immediately disable HTTP and HTTPS access as described above until a patch can be installed
- MOVEit Administrators should look in the “C:\MOVEit Transfer\wwwroot\” directory for suspicious .aspx files such as “human2.aspx”.
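The two hands-on steps in the list above (blocking web traffic to the server and checking the web root for unexpected .aspx files) can be scripted so they are run consistently across every MOVEit Transfer host. The PowerShell below is an added example written for this post; it is not Kroll's or Progress's own tooling. It assumes the default web root quoted above, standard TCP ports 80 and 443 for the HTTP/HTTPS block (the advisory names the protocols, not the ports), a 30-day look-back window matching the recommendation, and an administrator-supplied list of .aspx names taken from a known-clean installation of the same MOVEit Transfer version.

```powershell
# Added example (not Kroll's or Progress's code): triage the MOVEit Transfer web root for
# suspicious .aspx files and, optionally, block inbound HTTP/HTTPS until the patch is applied.
# Assumptions: default web root path from the advisory; ports 80/443 are assumed, not stated
# in the advisory; $KnownGood must be filled from a clean install before trusting that check.
param(
    [string]$WebRoot       = 'C:\MOVEit Transfer\wwwroot',
    [int]$LookbackDays     = 30,
    [string[]]$KnownGood   = @(),               # expected .aspx names, supplied by the administrator
    [string[]]$KnownBad    = @('human2.aspx'),  # filename reported in the advisory
    [string]$ReportPath    = (Join-Path $env:TEMP 'moveit-aspx-triage.csv'),
    [switch]$BlockWeb                           # only act on the firewall when explicitly requested
)

function Block-MoveitWebTraffic {
    # Containment step: deny inbound 80/443 on the host firewall until patched.
    # Existing rules are left untouched; this adds an explicit Block rule (assumed ports).
    if (-not (Get-NetFirewallRule -DisplayName 'MOVEit-Block-HTTP-HTTPS' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'MOVEit-Block-HTTP-HTTPS' `
            -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Block | Out-Null
        Write-Output 'Inbound TCP 80/443 blocked on the host firewall (rule MOVEit-Block-HTTP-HTTPS).'
    } else {
        Write-Output 'Block rule already present; nothing changed.'
    }
}

function Find-SuspiciousAspx {
    param([string]$Root, [datetime]$Cutoff, [string[]]$Good, [string[]]$Bad)

    # Recurse through the web root; web shells are commonly dropped directly in wwwroot,
    # but a subdirectory is just as reachable to IIS, so do not limit the search to one level.
    $files = Get-ChildItem -Path $Root -Filter '*.aspx' -Recurse -File -ErrorAction Stop

    foreach ($f in $files) {
        $reasons = @()
        if ($Bad -contains $f.Name)                          { $reasons += 'known-bad filename' }
        if ($Good.Count -gt 0 -and $Good -notcontains $f.Name) { $reasons += 'not in known-good list' }
        if ($f.CreationTime -ge $Cutoff -or $f.LastWriteTime -ge $Cutoff) {
            $reasons += "created or modified within look-back window"
        }
        if ($reasons.Count -gt 0) {
            # Record a hash so the finding can be matched against IoC lists later;
            # the file is deliberately left in place as evidence.
            [pscustomobject]@{
                Path      = $f.FullName
                Created   = $f.CreationTime
                LastWrite = $f.LastWriteTime
                SizeBytes = $f.Length
                SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

if ($BlockWeb) { Block-MoveitWebTraffic }

$cutoff   = (Get-Date).AddDays(-$LookbackDays)
$findings = @(Find-SuspiciousAspx -Root $WebRoot -Cutoff $cutoff -Good $KnownGood -Bad $KnownBad)

if ($findings.Count -gt 0) {
    $findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Output "Wrote $($findings.Count) finding(s) to $ReportPath for the incident response team."
} else {
    Write-Output "No suspicious .aspx files found under $WebRoot (look-back $LookbackDays days)."
}
```

Run it from an elevated PowerShell session on the MOVEit Transfer host, first without `-BlockWeb` to review the findings, then with `-BlockWeb` if the server must stay unpatched for any length of time. Two caveats worth keeping in mind: file timestamps can be altered by an intruder, so the name-based checks (known-bad and not-in-known-good) are the more reliable signal, and an empty `$KnownGood` list disables that second check entirely, which is why the comment insists it be populated from a clean install rather than from the possibly compromised server itself.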
Please note that this vulnerability is under active exploitation and our experts are continuing to investigate it. Stay up to date with the Kroll Cyber blog for further updates as our team uncovers more details.
How Kroll can help
Kroll can conduct rapid and actionable MOVEit-specific scans of external IP address ranges to identify issues requiring focus and potential further investigation. We can also assist in inventorying the various systems, applications and software using MOVEit in the environment. Our specialist practitioners are also available to provide support with firewall, application and network traffic log analysis, as well as checking for both successful and unsuccessful exploitation attempts.
Our team can search for the presence of known Indicators of Compromise (IoCs) that are being actively collected by our threat intelligence, incident response findings and managed detection services. In relation to digital forensics and incident response, Kroll can be engaged to investigate and contain network compromises and active malicious activity, as well as investigate network intrusions and threat actors who have successfully exploited the MOVEit vulnerability to compromise a victim network.