New MOVEit Transfer App Flaw Found in Cl0p Ransomware Mass Attack

Reading Time: ( Word Count: )

June 16, 2023

Progress Software revealed a new security MOVEit Transfer app flaw, marking the third flaw discovered. The Cl0p cybercrime gang has exploited this vulnerability to extort affected companies.

This newly identified flaw, currently lacking a CVE identifier, involves an SQL injection vulnerability. Exploiting this vulnerability could result in elevated privileges and unauthorized access to the system.

To protect their environments until a fix is available, Progress Software advises customers to turn off all HTTP and HTTPs traffic on ports 80 and 443 for MOVEit Transfer. The company is actively working on a patch to address this weakness. The cloud-managed file transfer solution has already been fully patched.

This disclosure follows Progress Software’s previous announcement of SQL injection vulnerabilities (CVE-2023-35036). These vulnerabilities could be leveraged to access the database content of the affected application.

The newly discovered vulnerabilities are in addition to CVE-2023-34362, which the Clop ransomware gang exploited as a zero-day in data theft attacks. Kroll, a security firm, reported that evidence indicates the Clop gang, also known as Lace Tempest by Microsoft, had been testing this exploit since July 2021.

MOVEit Transfer App Flaw

Read Also: “BatCloak Engine: Cybercriminals’ Undetectable Malware”

Coinciding with this development, the Cl0p actors published a list on their darknet leak portal, revealing 27 hacked companies that they claim were compromised using the MOVEit Transfer vulnerability. Among the victims are multiple U.S. federal agencies, including the Department of Energy, as reported by CNN.

“The number of potentially breached organizations so far is significantly higher than the initial count mentioned in Clop’s previous MFT exploitation campaign involving the Fortra GoAnywhere MFT,” stated ReliaQuest.

According to Censys, a web-based search platform, approximately 31% of the exposed hosts running MOVEit belong to the financial services industry. Healthcare constitutes around 16%, information technology around 9%, and government and military sectors around 8%. The majority of these servers, approximately 80%, are located in the United States.

Based on Kaspersky’s analysis of 97 families of malware spread via the malware-as-a-service (MaaS) business model between 2015 and 2022, ransomware holds the largest share at 58%. Information stealers follow at 24%, while botnets, loaders, and backdoors account for 18% of the distribution.

According to the Russian cybersecurity company, “Money is the root of all evil, including cybercrime.” Kaspersky also highlighted how MaaS schemes enable less technically skilled attackers to participate, thereby reducing the entry barrier for carrying out such attacks.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *