Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang

Frequently asked questions relating to vulnerabilities in MOVEit Transfer, including one that was exploited by the prolific CL0P ransomware gang.

Frequently asked questions relating to vulnerabilities in MOVEit Transfer, including one that was exploited by the prolific CL0P ransomware gang.

Update June 21: This blog post has been updated to reflect the availability of our Tenable Research Advisory widget to identify assets vulnerable to the MOVEit Transfer flaws and dashboards to identify vulnerabilities across multiple file transfer solutions targeted by the CL0P ransomware gang.

View Change Log

Background

The Tenable Security Response Team has put together this blog to answer Frequently Asked Questions (FAQ) regarding the MOVEit Transfer vulnerabilities and the CL0P ransomware gang.

FAQ

What is MOVEit Transfer?

MOVEit Transfer is a secure managed file transfer (MFT) software made by Progress Software that provides a centralized solution for a variety of organizations — including financial services, healthcare, information technology, government and the military — to securely share files.

When was the first vulnerability in MOVEit Transfer disclosed?

On May 31, Progress Software published its first advisory to address a “critical” SQL injection vulnerability in MOVEit Transfer.

How many vulnerabilities have been disclosed in MOVEit Transfer?

As of June 15, 2023, there were three Common Vulnerabilities and Exposures (CVEs) assigned for multiple flaws in MOVEit Transfer. Two of the three were zero-day vulnerabilities, though only one was exploited in the wild.

Are there patches available for all of the MOVEit Transfer vulnerabilities?

As of June 16, 2023, patches are available for the three CVEs found in MOVEit Transfer:

CVE Fixed Versions Release Date
CVE-2023-34362
CVE-2023-35036
MOVEit Transfer 2023.0.2 (15.0.2)
MOVEit Transfer 2022.1.6 (14.1.6)
MOVEit Transfer 2022.0.5 (14.0.5)
MOVEit Transfer 2021.1.5 (13.1.5)
MOVEit Transfer 2021.0.7 (13.0.7)
June 9, 2023
CVE-2023-35708 MOVEit Transfer 2023.03 (15.0.3)
MOVEit Transfer 2022.1.7 (14.1.7)
MOVEit Transfer 2022.0.6 (14.0.6)
MOVEit Transfer 2021.1.6 (13.1.6)
MOVEit Transfer 2021.0.8 (13.0.8)
June 16, 2023

Customers are advised to update to the latest versions of MOVEit Transfer.

Which CVE was exploited in the wild and who exploited it?

CVE-2023-34362, which was disclosed on May 31, was exploited in the wild by the CL0P ransomware gang. Reports suggest that the first evidence of confirmed exploitation was on May 27, 2023. However, there are reports that suggest CL0P may have kept this zero-day vulnerability in its pocket as far back as July 2021.

Who is CL0P?

CL0P is the name of a ransomware group associated with a threat actor known as TA505, CL0P was first observed in February 2019 as a variant of the CryptoMix ransomware family. It is currently one of the more prolific ransomware groups today that operates as ransomware-as-a-service (RaaS).

What is RaaS?

RaaS is a service model, just like software‐as‐a‐service. Instead of providing access to legitimate software applications, ransomware groups provide the malicious software (ransomware) and infrastructure necessary to facilitate ransomware attacks.

These RaaS groups rely on third parties, known as affiliates, to do the actual dirty work of gaining initial access into an organization before deploying the ransomware.

Is this the first time CL0P has targeted a file transfer solution?

No, CL0P has targeted at least two other file transfer solutions dating back to December 2020.

Application/Solution Date Targeted CVEs
Accellion File Transfer Appliance (FTA) December 2020 CVE-2021-27101
CVE-2021-27102
CVE-2021-27103
CVE-2021-27104
Fortra GoAnywhere Managed File Transfer (MFT) January 2023 CVE-2023-0669
Progress MOVEit Secure MFT May 2023 CVE-2023-34362

Why does CL0P target file transfer software?

Uncovering zero-day vulnerabilities in file transfer solutions like Progress MOVEit MFT, GoAnywhere MFT and Accellion FTA enables CL0P to steal data from potentially hundreds of organizations en masse. This emphasis on data theft allows CL0P to focus its effort on extorting businesses to pay the ransom demands by threatening to publish the stolen data on its data leak site.

What is a data leak site?

A data leak site is a website controlled and operated by ransomware gangs that is typically hosted on the dark web and used to name and shame victim organizations with a threat to publish stolen data obtained through cyberattacks. CL0P operates a data leak site known as “CL0P^_-LEAKS” that has been in operation since early 2020.

Image Source: Tenable, June 2023

For more information on ransomware, including RaaS and data leak sites, please check out our Ransomware Ecosystem report.

How many organizations that use file transfer software have been compromised in these attacks?

Based on open source intelligence, CL0P managed to compromise over 50 organizations in the Accellion breach between 2020 and 2021, allegedly over 130 organizations in the GoAnywhere breach and reportedly in the “hundreds” with the MOVEit breach, according to a message from the gang on its CL0P^_-LEAKS data leak site.

Image Source: Tenable, June 2023

Is there any other information on CL0P and its attack on MOVEit Transfer customers?

Yes, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a #StopRansomware joint cybersecurity advisory (CSA) on June 7 (identified as AA23-158A) about CL0P and its exploitation of CVE-2023-34362 in MOVEit Transfer. It includes information on the group, the first vulnerability (CVE-2023-34362) as well as detection methods and indicators of compromise associated with the attack.

What are ways I/my organization can identify these vulnerabilities in MOVEit Transfer?

As of June 15, 2023, Tenable has released the following detection plugins and version check plugins for MOVEit Transfer. A version check plugin for CVE-2023-35708 will be released soon.

Plugin ID Title Severity CVEs Family
90190 "Progress MOVEit Transfer Installed (Windows)" INFO - Windows
176735 "Progress MOVEit Transfer Web Interface Detection" INFO - Service detection
176736 "Progress MOVEit Transfer FTP Detection" INFO - FTP
176567 "Progress MOVEit Transfer < 2020.0 / 2020.1 / 2021.0 < 2021.0.6 / 2021.1.0 < 2021.1.4 / 2022.0.0 < 2022.0.4 / 2022.1.0 < 2022.1.5 / 2023.0.0 < 2023.0.1 Critical Vulnerability (May 2023)" CRITICAL CVE-2023-34362 Windows
177082 "Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023)" CRITICAL CVE-2023-35036 Windows
177371 "Progress MOVEit Transfer < 2020.1.10 / 2021.0.x < 2021.0.8 / 2021.1.x < 2021.1.6 / 2022.0.x < 2022.0.6 / 2022.1.x < 2022.1.7 / 2023.0.x < 2023.0.3 Privilege Escalation" CRITICAL CVE-2023-35708 Windows

The following is a list of MITRE ATT&CK Techniques associated with the CL0P ransomware gang that has been mapped to Tenable attack path analysis techniques:

Technique ID Description Attack path technique
T1021.002 Remote Services: SMB/Windows Admin Shares T1021.002_Windows
T1059.001 Command and Scripting Interpreter: PowerShell (Windows) T1059.001_Windows
T1068 Exploitation for Privilege Escalation (Windows) T1068_Windows

In addition to our plugins, customers can also leverage our Tenable Research Advisory widget in Tenable Vulnerability Management (formerly Tenable.io) to identify assets that contain missing patches or that have applied patches:

For example, the image below includes a list of assets with missing patches using the Tenable Research Advisory widget:

In addition to identifying the MOVEit Transfer vulnerabilities outlined in this blog post, Tenable Research has put together dashboards in both Tenable Vulnerability Management and Tenable Security Center (formerly Tenable.sc) that includes known vulnerabilities across multiple file transfer solutions that have been targeted by the CL0P ransomware gang over the last three years.

Tenable Vulnerability Management Dashboard:

Tenable Security Center Dashboard:

We have also published the following blog posts with more information on both of the dashboards:

Is Tenable impacted by the MOVEit Transfer vulnerability used by CL0P?

No, Tenable does not utilize the MOVEit Transfer software.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Change Log

Update June 21: This blog post has been updated to reflect the availability of our Tenable Research Advisory widget to identify assets vulnerable to the MOVEit Transfer flaws and dashboards to identify vulnerabilities across multiple file transfer solutions targeted by the CL0P ransomware gang.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training