Exploitation of MOVEit Vulnerability by CL0P Ransomware Gang
At the beginning of June, the American cyber security agency CISA urged organizations to patch a zero-day vulnerability in MOVEit Transfer, a managed file transfer (MFT) product popular with banks, businesses, government agencies and other large organizations. The vulnerability, tracked as CVE-2023-34362, is an SQL injection flaw in the software's web application that allows an unauthenticated attacker to reach the MOVEit database, escalate privileges and siphon off data. Behind the attacks is the Russia-linked CL0P ransomware gang, which is demanding millions in ransom from its many victims.
The MOVEit vulnerability is a serious threat because the product handles all kinds of customer data as well as sensitive employee data. On May 31 of this year, Progress notified customers of the threat, after which the nature of the incident became clearer step by step.
The active exploitation of MOVEit was claimed by the CL0P ransomware gang, which told numerous parties that it had obtained, or had since deleted, their sensitive data. The gang mainly targeted government agencies and critical infrastructure such as banks and energy companies worldwide, including Deutsche Bank, Schneider Electric and American universities (such as UCLA and Washington State University). The victim list is more varied than that, however, with PBI Research and Radisson Hotels America among others.
In the Netherlands the first case surfaced on June 8, when Landal GreenParks announced that it was affected by the MOVEit vulnerability. Data of 12,000 customers reportedly fell into the wrong hands. According to the company, no financial data, reservation details or passwords were involved. Leaked names and e-mail addresses do, however, increase the risk of targeted phishing.
Since the vulnerability was disclosed, a number of Dutch victims have come to light. TomTom, Shell and ING have been exposed to an attack by CL0P. According to the former, there were no leaks that could have a "negative material impact on TomTom or its customers." Shell confirmed that it was affected, although it states there is no evidence of damage to Shell's IT systems.
What Can Be Done?
The best way to protect against the MOVEit vulnerability is to patch it as soon as possible. Progress Software has released fixed versions of MOVEit Transfer, and they should be applied without delay. Because the flaw was exploited as a zero-day before a patch existed, installing the patch does not rule out an earlier compromise: a server that was exposed before patching should also be checked for signs of intrusion. It is also important to keep an eye on the security of the whole software stack, which means that organizations should regularly check their software for known vulnerabilities and patch them promptly.
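Checking whether an installed MOVEit Transfer build already contains the fix is a concrete version of the advice above. The script below is an added example, not code from the article or from Progress: it parses a version string in either the year-style (2023.0.1) or the internal (15.0.1) form and compares it with the first fixed build of each release branch. The fixed-build table is the editor's recollection of Progress's advisory of May 31, 2023 and must be verified against the current vendor advisory before use, because later MOVEit CVEs raised the required versions again; the hostnames in the sample inventory are constructed.

```python
"""Version check for MOVEit Transfer against the CVE-2023-34362 fixed builds.

Added example (not from the article or from Progress). The fixed-build table
is the editor's recollection of Progress's May 31, 2023 advisory; verify it
against the current vendor advisory before relying on it.
"""
import re

# First build in each release branch that contains the CVE-2023-34362 fix,
# keyed by internal (major, minor). Year-style product names in comments.
FIXED_BUILDS = {
    (13, 0): (13, 0, 6),  # 2021.0.6
    (13, 1): (13, 1, 4),  # 2021.1.4
    (14, 0): (14, 0, 4),  # 2022.0.4
    (14, 1): (14, 1, 5),  # 2022.1.5
    (15, 0): (15, 0, 1),  # 2023.0.1
}

# Year-style product names map onto the internal build numbers above.
YEAR_NAMES = {
    (2021, 0): (13, 0),
    (2021, 1): (13, 1),
    (2022, 0): (14, 0),
    (2022, 1): (14, 1),
    (2023, 0): (15, 0),
}

# Accepts "15.0.1", "2023.0.1" and four-part builds such as "15.0.1.39".
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch) in internal numbering, or raise ValueError."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised MOVEit Transfer version: %r" % (text,))
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    major, minor = YEAR_NAMES.get((major, minor), (major, minor))
    return major, minor, patch


def assess(text):
    """Classify an installed version as 'patched', 'vulnerable',
    'unsupported' (branch never received a fix: upgrade) or 'newer'
    (branch released after the advisory: confirm with the vendor)."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "newer" if (major, minor) > max(FIXED_BUILDS) else "unsupported"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def assess_inventory(inventory):
    """Run the check over a {hostname: version} inventory and return only the
    hosts that still need action, sorted for a ticket or report."""
    needs_action = {}
    for host, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unknown-version"  # unparsable entry still needs a look
        if status != "patched":
            needs_action[host] = status
    return dict(sorted(needs_action.items()))


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are hypothetical.
    sample = {
        "mft-01.example.internal": "15.0.1.39",
        "mft-02.example.internal": "2022.1.4",
        "mft-03.example.internal": "12.1.3",
        "mft-04.example.internal": "15.1.0",
        "mft-05.example.internal": "n/a",
    }
    for host, status in assess_inventory(sample).items():
        print(host, status)
```

A host reported as "unsupported" runs a release branch that never received a fix and has to be upgraded to a supported branch rather than patched in place; "newer" is returned for branches that did not exist at the time of the advisory so that the script never silently declares them safe.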
In addition, organizations should take measures against ransomware. This includes regularly backing up data and keeping the backups in a secure, isolated location so that data can be restored after an attack. Note that in the MOVEit campaign the extortion was based on stolen data rather than on encrypted systems; backups do not undo a leak, so limiting the data that is kept on a file transfer server and monitoring outbound transfers matter as well. Organizations should also protect their networks with firewalls, antivirus software and other security measures.
Conclusion
The MOVEit vulnerability is a serious threat to organizations worldwide, as it can be exploited to gain access to sensitive data. Organizations should patch the vulnerability, check exposed servers for earlier compromise and protect their networks. They should also prepare for ransomware and data extortion with regular backups kept in a secure location and with limits on the data they keep on file transfer systems.