MOVEit Transfer is Progress Software’s managed file transfer solution, used by organizations for internal and external file sharing. Beginning on May 27, 2023, the Clop ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) that enabled them to execute commands on affected servers and ultimately steal data from the underlying databases. Affected organizations span a broad set of industries, including education, government agencies, banking, and healthcare.
Who Did It?
The Clop ransomware group took responsibility for the MOVEit breach on June 6, 2023. This threat actor is also tracked as TA505, FIN11 and Lace Tempest. The group is financially motivated and Russian-speaking. It does not appear to target a particular industry, but instead focuses on attacks with a significant financial reward. This is not the first time the threat actor has targeted file transfer solutions: it targeted and exfiltrated data from Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and from Fortra/Linoma GoAnywhere MFT servers in early 2023.
Why Target File Transfer Solutions?
File transfer solutions handle large amounts of information, much of which is sensitive and regulated. MOVEit Transfer, for example, is an accredited file transfer solution that meets various compliance requirements for highly regulated industries. Exfiltrating this type of data is profitable for threat actors because it increases the likelihood that the data is valuable both to the victim and to other malicious actors. Additionally, the breach’s scale is compounded by the tool’s function: file transfer solutions move data within an organization and on behalf of others. The scope of Clop’s data exfiltration therefore extends well beyond the number of organizations with MOVEit Transfer deployments, increasing the likelihood that some party will pay the ransom.
Mapping of the Attack to the MITRE ATT&CK Framework
Organizations with MOVEit Transfer are encouraged to do the following to prevent further exploitation:
Patch the security vulnerabilities in MOVEit Transfer.
Until the patches are installed, disable all HTTP and HTTPS traffic to the MOVEit Transfer application.
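One way to apply the interim step above on a Windows MOVEit Transfer host, as an added example that is not part of the original article or Progress Software’s guidance: temporary Windows Defender Firewall rules that block inbound HTTP/HTTPS, a check that they are in force, and a function to remove them once the patch is verified. It assumes the default IIS ports 80 and 443 and a rule-name prefix chosen here; the SFTP and FTPS listeners are unaffected by these rules.

```powershell
# Added example (not from the original article): temporary Windows Defender
# Firewall block rules for inbound HTTP/HTTPS on a MOVEit Transfer host,
# applied until the vendor patch is installed, then removed.
# Assumes the default IIS ports 80 and 443; adjust if the site uses others.
# Run from an elevated PowerShell session on the MOVEit Transfer server.

$RulePrefix = 'MOVEit-Transfer-Temp-Block'   # constructed name, not a Progress setting
$Ports      = @(80, 443)

function Block-MoveitWebTraffic {
    # Create one inbound block rule per port, skipping any that already exist
    foreach ($port in $Ports) {
        $name = "$RulePrefix-TCP-$port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-MoveitWebTrafficBlocked {
    # Returns $true only when an enabled inbound Block rule exists for every port
    foreach ($port in $Ports) {
        $rule = Get-NetFirewallRule -DisplayName "$RulePrefix-TCP-$port" -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') { return $false }
    }
    return $true
}

function Unblock-MoveitWebTraffic {
    # Call only after the patch has been installed and verified, to restore web access
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

Block-MoveitWebTraffic
if (Test-MoveitWebTrafficBlocked) {
    'Inbound HTTP/HTTPS to this host is blocked until patching completes.'
} else {
    'Block rules are missing or disabled; review the firewall configuration.'
}
```

While the rules are in place the web UI, REST/API clients and the Outlook add-in will be unavailable; record the change so it is reversed once the patch is confirmed.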
Additional action organizations can take:
Assess and implement secure supply chain and data-sharing practices.
Maintain offline backups of data.
Conduct tabletop exercises to test response and recovery plans.
All organizations should consider testing their security controls against MITRE ATT&CK techniques. The MITRE ATT&CK mapping in this article can be used to simulate this threat and test an organization’s own preparedness.