Progress Software disclosed on the 31st of May a critical vulnerability in MOVEit Transfer — CVE-2023-34362, an SQL-injection vulnerability in the MOVEit web-application interface that allows pre-authentication remote-code-execution against the underlying database server (Progress Software security advisory). The CL0P ransomware-and-data-extortion operators have, on subsequent investigation by Mandiant and others, been mass-exploiting the vulnerability since at least the 27th of May — before disclosure — against MOVEit Transfer instances internet-exposed by customer organisations (Mandiant on UNC4857 / CL0P MOVEit campaign, June). The campaign has produced data-exfiltration against hundreds of customer organisations and is the largest single CL0P campaign of the year by victim count.
The technical content. MOVEit Transfer is a managed-file-transfer product — used by customer organisations for secure file transfer of business documents, customer-data exchanges with partners, and similar workflows. The web-application interface used for management and monitoring contained the SQL-injection vulnerability. The CL0P operators' exploit chain extracts the database contents (which include files-in-transit and metadata about the customer organisation's file-transfer activity), exfiltrates the extracted data, and follows up with extortion demands threatening publication of the exfiltrated data. The pattern is consistent with CL0P's 2020-2023 operational history of exploiting managed-file-transfer products specifically — Accellion FTA in 2021, GoAnywhere MFT in early 2023, MOVEit Transfer now.
The deployment population. MOVEit Transfer is widely deployed in regulated industries (financial services, healthcare, government) where managed-file-transfer with audit-trail and compliance-grade controls is operationally needed. The internet-exposed MOVEit Transfer population is, on Shodan and Censys data, several thousand instances globally. The CL0P operators appear to have run mass-internet-scanning against that population, identified vulnerable instances, and exploited at scale during the disclosure window. The downstream-customer-impact population is therefore in the hundreds of organisations directly, with secondary impact (the customer organisations whose data was being transferred through the MOVEit instances at affected operator-customers) being substantially larger. Disclosures have continued through June, with newly affected customer-organisations being publicly identified on a continuing basis.
For the customer-portfolio response. The customer-portfolio MOVEit usage audit was completed within 24 hours of disclosure. The manufacturer's overseas operations use MOVEit Transfer for partner-data-exchange at two of the global sites; the affected instances were patched on the 1st of June, the post-incident hunt activity has produced no indicators of active exploitation, and the customer-organisation operational status is clean. None of the other customer-portfolio organisations use MOVEit. The wider customer-side concern is second-degree exposure — many of the customer-portfolio organisations use vendors and partners who use MOVEit, and the audit-and-coordination work to identify any data-of-concern that may have been exposed through partner-side compromise has been continuous through June.
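As an added illustration, not part of this entry, the two triage questions above (how long was each instance reachable while the bug was being exploited, and which data transits a partner's MOVEit) worked through in Python. Every organisation, host, partner and data-category name is constructed; only the 27 May exploitation date comes from the entry.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Date from the entry: exploitation observed from 27 May 2023 (disclosure was 31 May).
EXPLOITATION_START = date(2023, 5, 27)
@dataclass
class MftInstance:
    org: str                    # hypothetical portfolio organisation
    host: str                   # hypothetical instance name
    internet_exposed: bool
    patched_on: Optional[date]  # None means still unpatched
@dataclass
class PartnerFlow:
    org: str                    # portfolio organisation whose data is in the flow
    partner: str                # hypothetical partner operating the transfer
    partner_uses_moveit: bool
    data_categories: tuple      # constructed labels, e.g. ("employee PII",)
def exposure_days(inst: MftInstance, today: date) -> int:
    """Days the instance was reachable during active exploitation, counted from
    first known exploitation rather than disclosure (that sets the hunt window)."""
    if not inst.internet_exposed:
        return 0
    end = inst.patched_on or today
    return max(0, (end - EXPLOITATION_START).days)

def triage(instances, flows, today):
    """direct: (unpatched, days, org, host), unpatched first then longest window;
    second_degree: org -> data categories that transit a partner's MOVEit."""
    direct = []
    for inst in instances:
        days = exposure_days(inst, today)
        if days:
            direct.append((inst.patched_on is None, days, inst.org, inst.host))
    direct.sort(key=lambda r: (not r[0], -r[1]))
    second_degree = {}
    for f in flows:
        if f.partner_uses_moveit:
            second_degree.setdefault(f.org, set()).update(f.data_categories)
    return direct, second_degree

def sample_triage():
    # Constructed inventory: two sites patched 1 June, one isolated lab, one unpatched edge.
    instances = [MftInstance("ManufacturerCo", "mft-site1", True, date(2023, 6, 1)),
                 MftInstance("ManufacturerCo", "mft-site2", True, date(2023, 6, 1)),
                 MftInstance("RetailCo", "mft-lab", False, None),
                 MftInstance("BankCo", "mft-edge", True, None)]
    flows = [PartnerFlow("RetailCo", "PayrollVendor", True, ("employee PII",)),
             PartnerFlow("RetailCo", "Courier", False, ("addresses",))]
    return triage(instances, flows, date(2023, 6, 15))
```

The point the numbers make: the sites patched on 1 June still carry a five-day window starting before disclosure, so the hunt covers that window rather than only post-advisory activity.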
The wider strategic point. The CL0P mass-exploitation against managed-file-transfer products is the third major such campaign in 28 months. The pattern is operationally instructive — managed-file-transfer products are, by their nature, internet-exposed (the web-management interfaces are often required to be reachable for partner-organisation interaction), they handle sensitive content (the files in transit are often customer-data, financial-data, or other regulated content), and they have historically not received the security-engineering attention that more visibly-exposed customer-facing surfaces have received. The CL0P operators have effectively demonstrated that this product category is a high-value-per-vulnerability target. The defensive disciplines that respond to this — careful inventory of any internet-exposed managed-file-transfer products, restrictive network-segmentation that limits the blast-radius of any compromise of those products, and elevated patching-and-monitoring posture against this product category specifically — are operationally tractable and are now being incorporated into customer-organisation programme work.
For the GDPR-and-NIS2 regulatory implications, the MOVEit-driven downstream-customer disclosures are going to produce substantial regulatory-engagement activity through Q3-Q4. The customer-organisation breach-notification posture across the affected population is being exercised at scale. The aggregate regulatory-cost across the affected population is going to be substantial; the precedent value for the regulatory-enforcement environment will be informative.
I will return to this. The MOVEit cleanup will continue for months.