Secure peace of mind with Cyber Legion—Your Trusted Cybersecurity Partner.

Speak With a Security Expert

Elevate your cybersecurity posture with our expert and strategic security solutions

Experience the assurance of CREST Certified Penetration Testing services

FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang

Frequently asked questions relating to vulnerabilities in MOVEit Transfer, including one that was exploited by the prolific CL0P ransomware gang.

Background

The Tenable Security Response Team has put together this blog to answer frequently Asked Questions (FAQ) regarding the MOVEit Transfer vulnerabilities and the CL0P ransomware gang.

FAQ

What is MOVEit Transfer?

MOVEit Transfer is a secure managed file transfer (MFT) software made by Progress Software that provides a centralized solution for a variety of organizations — including financial services, healthcare, information technology, government and the military — to securely share files.

When was the first vulnerability in MOVEit Transfer disclosed?

On May 31, Progress Software published its first advisory to address a “critical” SQL injection vulnerability in MOVEit Transfer.

How many vulnerabilities have been disclosed in MOVEit Transfer?

As of June 15, 2023, there were three Common Vulnerabilities and Exposures (CVEs) assigned for multiple flaws in MOVEit Transfer. Two of the three were zero-day vulnerabilities, though only one was exploited in the wild.

Are there patches available for all of the MOVEit Transfer vulnerabilities?

As of June 16, 2023, patches are available for the three CVEs found in MOVEit Transfer:

CVE
Fixed Versions
Release Date
CVE-2023-34362, CVE-2023-35036
MOVEit Transfer 2023.0.2 (15.0.2)MOVEit Transfer 2022.1.6 (14.1.6)MOVEit Transfer 2022.0.5 (14.0.5)MOVEit Transfer 2021.1.5 (13.1.5)MOVEit Transfer 2021.0.7 (13.0.7)
June 9, 2023
CVE-2023-35708
MOVEit Transfer 2023.03 (15.0.3)MOVEit Transfer 2022.1.7 (14.1.7)MOVEit Transfer 2022.0.6 (14.0.6)MOVEit Transfer 2021.1.6 (13.1.6)MOVEit Transfer 2021.0.8 (13.0.8)
June 16, 2023

Customers are advised to update to the latest versions of MOVEit Transfer.

Which CVE was exploited in the wild and who exploited it?

CVE-2023-34362, which was disclosed on May 31, was exploited in the wild by the CL0P ransomware gang. Reports suggest that the first evidence of confirmed exploitation was on May 27, 2023. However, there are reports that suggest CL0P may have kept this zero-day vulnerability in its pocket as far back as July 2021.

Who is CL0P?

CL0P is the name of a ransomware group associated with a threat actor known as TA505, CL0P was first observed in February 2019 as a variant of the CryptoMix ransomware family. It is currently one of the more prolific ransomware groups today that operates as ransomware-as-a-service (RaaS).

What is RaaS?

RaaS is a service model, just like software‐as‐a‐service. Instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks.

These RaaS groups rely on third parties, known as affiliates, to do the actual dirty work of gaining initial access into an organization before deploying the ransomware.

Is this the first time CL0P has targeted a file transfer solution?

No, CL0P has targeted at least two other file transfer solutions dating back to December 2020.

Application/Solution
Date Targeted
CVEs
Accellion File Transfer Appliance (FTA)
December 2020
CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
Fortra GoAnywhere Managed File Transfer (MFT)
January 2023
CVE-2023-0669
Progress MOVEit Secure MFT
May 2023
CVE-2023-34362

Why does CL0P target file transfer software?

Uncovering zero-day vulnerabilities in file transfer solutions like Progress MOVEit MFT, GoAnywhere MFT and Accellion FTA enables CL0P to steal data from potentially hundreds of organizations en masse. This emphasis on data theft allows CL0P to focus its effort on extorting businesses to pay the ransom demands by threatening to publish the stolen data on its data leak site.

What is a data leak site?

A data leak site is a website controlled and operated by ransomware gangs that is typically hosted on the dark web and used to name and shame victim organizations with a threat to publish stolen data obtained through cyberattacks. CL0P operates a data leak site known as “CL0P^_-LEAKS” that has been in operation since early 2020.

Image Source: Tenable, June 2023

For more information on ransomware, including RaaS and data leak sites, please check out our Ransomware Ecosystem report.

How many organizations that use file transfer software have been compromised in these attacks?

Based on open source intelligence, CL0P managed to compromise over 50 organizations in the Accellion breach between 2020 and 2021, allegedly over 130 organizations in the GoAnywhere breach and reportedly in the “hundreds” with the MOVEit breach, according to a message from the gang on its CL0P^_-LEAKS data leak site.

Image Source: Tenable, June 2023

Is there any other information on CL0P and its attack on MOVEit Transfer customers?

Yes, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a #StopRansomware joint cybersecurity advisory (CSA) on June 7 (identified as AA23-158A) about CL0P and its exploitation of CVE-2023-34362 in MOVEit Transfer. It includes information on the group, the first vulnerability (CVE-2023-34362) as well as detection methods and indicators of compromise associated with the attack.

What are ways I/my organization can identify these vulnerabilities in MOVEit Transfer?

As of June 15, 2023, Tenable has released the following detection plugins and version check plugins for MOVEit Transfer. A version check plugin for CVE-2023-35708 will be released soon.

Plugin ID
Title
Severity
CVEs
Family
90190
“Progress MOVEit Transfer Installed (Windows)”
INFO

Windows
176735
“Progress MOVEit Transfer Web Interface Detection”
INFO

Service detection
176736
“Progress MOVEit Transfer FTP Detection”
INFO

FTP
176567
“Progress MOVEit Transfer < 2020.0 / 2020.1 / 2021.0 < 2021.0.6 / 2021.1.0 < 2021.1.4 / 2022.0.0 < 2022.0.4 / 2022.1.0 < 2022.1.5 / 2023.0.0 < 2023.0.1 Critical Vulnerability (May 2023)”
CRITICAL
CVE-2023-34362
Windows
177082
“Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023)”
CRITICAL
CVE-2023-35036
Windows
177371
“Progress MOVEit Transfer < 2020.1.10 / 2021.0.x < 2021.0.8 / 2021.1.x < 2021.1.6 / 2022.0.x < 2022.0.6 / 2022.1.x < 2022.1.7 / 2023.0.x < 2023.0.3 Privilege Escalation”
CRITICAL
CVE-2023-35708
Windows

The following is a list of MITRE ATT&CK Techniques associated with the CL0P ransomware gang that has been mapped to Tenable attack path analysis techniques:

Technique ID
Description
Attack path technique
T1021.002
Remote Services: SMB/Windows Admin Shares
T1021.002_Windows
T1059.001
Command and Scripting Interpreter: PowerShell (Windows)
T1059.001_Windows
T1068
Exploitation for Privilege Escalation (Windows)
T1068_Windows

Is Tenable impacted by the MOVEit Transfer vulnerability used by CL0P?

No, Tenable does not utilize the MOVEit Transfer software.

Get more information

CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
Progress Software Security Center: MOVEit Transfer and MOVEit Cloud Vulnerability
Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-34362)
Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-35036)
Progress Software MOVEit Transfer Critical Vulnerability (CVE-2023-35708)

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

   Cyber Exposure Alerts 

​  

More To Explore