MOVEit Transfer is a managed file transfer (MFT) solution that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.
On the same day, a researcher at Huntress, a managed cybersecurity platform, confirmed the vulnerability in MOVEit: a SQL injection that allows an attacker to upload or exfiltrate files.
Later, on Sunday, Microsoft linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.
The Microsoft Threat Intelligence team tweeted:
"Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site."
Today, the Huntress researcher updated their research and exploit to include remote code execution and ransomware. In the blog post, Huntress wrote:
"Huntress has fully recreated the attack chain exploiting MOVEit Transfer software. To the best of our knowledge, currently, no one else has publicly done so."
"We have uncovered that the initial phase of the attack, SQL injection, opens the door for even further compromise -- specifically, arbitrary code execution."
The researcher also shared a video PoC of the exploit, showing it obtain shell access with Meterpreter, escalate to NT AUTHORITY\SYSTEM, and detonate a cl0p ransomware payload.
The MOVEit Transfer exploitation is not just SQL injection (👀)
We uncovered the very last stage of the attack chain to drop human2.aspx ultimately ends up gaining remote code execution ‼
We fully recreated the attack chain with a demo achieving a reverse shell & ransomware! pic.twitter.com/dPQX80wLQ8
— John Hammond (@_JohnHammond) June 6, 2023
Huntress detailed the exploit, stating that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action. Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group. The attacker could disable antivirus protections or achieve any other arbitrary code execution.
"The behavior that the industry observed, adding a human2.aspx webshell, is not necessary for attackers to compromise the MOVEit Transfer software. It's 'an option' that this specific threat chose to deploy for persistence, but the attack vector offers the ability to detonate ransomware right away. Some have already publicly reported to attackers pivoting to other file names," they further added.
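Because attackers can pivot away from the human2.aspx name, a check that looks only for that file name is weaker than comparing the web root against a known-good baseline. The following is an added example, not code from Huntress or the vendor; the temporary directory, the page_a.aspx, page_b.aspx and renamed.aspx files, and all function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

KNOWN_BAD_NAMES = {"human2.aspx"}  # the only file name reported in this article


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(webroot: Path) -> dict[str, str]:
    """Map lower-cased relative path -> SHA-256 for every .aspx file under webroot."""
    return {
        p.relative_to(webroot).as_posix().lower(): sha256_file(p)
        for p in webroot.rglob("*")
        if p.is_file() and p.suffix.lower() == ".aspx"
    }


def name_ioc_hits(webroot: Path) -> set[str]:
    """Name-only check: flags files whose name is on the known-bad list."""
    return {rel for rel in build_baseline(webroot) if Path(rel).name in KNOWN_BAD_NAMES}


def baseline_drift(webroot: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Flag .aspx files that are new or whose content changed since the baseline."""
    findings = {}
    for rel, digest in build_baseline(webroot).items():
        if rel not in baseline:
            findings[rel] = "new file"
        elif baseline[rel] != digest:
            findings[rel] = "content changed"
    return findings


def demo() -> tuple[set[str], dict[str, str]]:
    """Constructed scenario: a clean web root, then two files dropped and one modified."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "page_a.aspx").write_text("<%-- constructed page --%>")
        (root / "page_b.aspx").write_text("<%-- constructed page --%>")
        baseline = build_baseline(root)  # assumed to come from a known-good install
        (root / "human2.aspx").write_text("<%-- constructed placeholder --%>")
        (root / "renamed.aspx").write_text("<%-- constructed placeholder --%>")
        (root / "page_b.aspx").write_text("<%-- constructed: tampered --%>")
        return name_ioc_hits(root), baseline_drift(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Since Huntress notes the webshell itself is optional, a clean result from either check does not rule out exploitation.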
Clop Ransomware Took Responsibility
After Microsoft attributed the exploitation of the MOVEit bug to the Clop ransomware group, BleepingComputer reported that Clop ransomware is behind the MOVEit Transfer data-theft attacks, in which a zero-day vulnerability was exploited to breach multiple companies' servers and steal data.
The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday, as previously disclosed by Mandiant.
Furthermore, the ransomware gang told BleepingComputer that they had deleted any data stolen from governments, the military, and children's hospitals during these attacks.
Victims of Clop's MOVEit data-theft attacks
As we reported earlier, major UK companies have been targeted in the MOVEit hack, and the first to report the breach was Zellis, a UK payroll and HR solution provider.
Among the victims, the BBC, British Airways, Boots, and Aer Lingus have also confirmed that the Zellis breach impacted them.