In chess, the threefold repetition rule states that a player may claim a draw if the same position occurs three times during the game. Whether this means that customers of the popular file transfer utility MOVEit Transfer can ask for their money back remains to be seen, but we do hope it signals the end of the game.
Let’s do a small recap first, because it’s easy to lose track here. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use these CVE numbers where available.
- On May 31, 2023 Progress released a security bulletin about CVE-2023-34362, a vulnerability in MOVEIt Transfer that was being actively exploited. At the time we had a few details about how it was being exploited, but not by who.
- Over the next few days it became clear that the Cl0p ransomware group had been testing the vulnerability since July 2021 and decided to deploy it over the Memorial Day weekend. The first victims became known.
- A second vulnerability was found while new victims were still coming forward. After the first vulnerability was discovered, MOVEit's owner Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software and found CVE-2023-35036. Progress posted a new bulletin about it on June 9, 2023.
- On June 15, 2023, Progress published information about a third critical vulnerability which got listed as CVE-2023-35708 on June 16.
This latest vulnerability could lead to escalated privileges and potential unauthorized access to the environment.
Please note that it is very important to follow the instructions outlined in the latest advisory regarding the order in which the patches need to be applied and based on how many patches have already been applied.
The best advice provided by Progress is probably to disable all HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 to safeguard the environments while a patch is being prepared to address the vulnerabilities and in case even more of them come to the surface.
Meanwhile the Cybersecurity and Infrastructure Security Agency (CISA) says it’s providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. Among the probably hundreds of victims are Payroll provider Zellis who serves British Airways and the BBC, oil giant Shell, several financial services organizations, insurance companies, and many others. Reportedly, two US Department of Energy (DOE) entities were also compromised.
Victims have been identified in the UK, US, Germany, Austria, Switzerland, Luxembourg, France, and the Netherlands. Organizations in the US make for most of the victims, but no ransom demands have been made of federal agencies according to a CISA spokesperson.
Cl0p re-emphasized that it was not going to use data stolen from government organizations with a message on its dark web site:
“We got a lot of emails about government data, we don't have it. We have completely deleted this information. We are only interested in business, everything related to the government has been deleted.”
We shouldn’t mistake this for altruism. It could be they are simply afraid of the consequences and because they are fully aware that governmental organizations are not allowed to pay the ransom anyway, so there is no profit to be made there.
Our own Cybersecurity Evangelist, Mark Stockley, has his doubts about Cl0p's methods:
"Cl0p's approach supposes that the US government would react more strongly to sensitive data being leaked than it would to multiple simultaneous breaches by the same criminal organisation. This ignores the fact that by using zero-days to attack hundreds of targets simultaneously, including parts of the federal government, Cl0p has already made itself ransomware's squeakiest wheel."
Stay tuned for future developments.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.