AppSec & Supply Chain SecurityJune 13, 2023

MOVEit software exploit walks before it runs

Cl0p quietly tested the flaw for two years before launching the full exploit. Lesson: Look both ways before crossing.

Richi Jennings, independent industry analyst, editor, and content strategist.

Update: MOVEit attack hits ‘several’ federal agencies, CISA confirms | Full coverage on Google News

Progress Software’s MOVEit file-transfer platform has been causing high-profile data leaks. The Cl0p ransomware group seems to have experimented with an RCE zero-day exploit as long ago as July 2021.

For two years, Cl0p quietly used the flaw to do reconnaissance on future victims, and then unleashed the full force of the exploit a couple of weeks ago. In this week’s Secure Software Blogwatch, we look both ways.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Treknobabble II (the wrath of can’t).

DON’T WALK

What’s the craic? Jessica Lyons Hardcastle reports — “MOVEit supply-chain attack”:

“CVE-2023-34362”

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app. [The victims] were not hit directly. Instead, payroll services provider Zellis … admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" … had their information stolen.

…

Zellis … customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. [It] blamed the MOVEit vulnerability for the security breach. … The bug has since been assigned a CVE and is now tracked as CVE-2023-34362. [This] is now looking like yet another major supply chain attack.

But wait! There’s more. Jonathan Greig adds — “MOVEit announces second vulnerability”:

“CVE-2023-35036”

The company behind the popular MOVEit file transfer product has announced a second vulnerability within its software as more entities come forward to announce breaches. … The software company Progress said that since the discovery of the first vulnerability … the cybersecurity firm Huntress … has discovered a new issue.

…

Progress … warned that the new vulnerability could allow a hacker to gain unauthorized access to the MOVEit Transfer database. … All versions of the software are affected by the vulnerability, [CVE-2023-35036].

When was the first bug discovered? Scott Downie, Devon Ackerman, Laurie Iacono and Dan Cox think it’s likely “Since 2021”:

“July 2021”

Analysis of this exploitation has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. [They] were likely experimenting with ways to exploit this particular vulnerability as far back as 2021. [We] found evidence of similar activity occurring … in some cases as early as July 2021.

…

[There was] a broad swath of activity associated with the vulnerability on or around May 27 and 28, 2023. … This time frame coincided with the observation of Memorial Day weekend in the U.S., reinforcing threat actors’ preference to launch major cyber exploitations during holiday weekends (e.g., the Kaseya supply chain attack on July 3, 2021).

So, two years ago? Jai Vijayan has more detail — “Cl0P Gang Sat on Exploit”:

“SQL injection”

The Cl0p ransomware group sat on [the] zero-day vulnerability … for nearly two years before starting to exploit it … with devastating effect. … The group periodically launched waves of malicious activity against vulnerable systems to test their access to organizations and to identify the ones to target.

…

Much of the malicious reconnaissance and testing activity in the early stages — in July 2021 — appears to have been manual in nature. But starting April 2022, Cl0p actors began using an automated mechanism for probing multiple organizations at the same time.

…

Reports of attack activity targeting a SQL injection vulnerability in MOVEit Transfer began surfacing on June 1. Researchers … found the threat actor exploiting the flaw to steal data [as] a precursor to ransom demands.

Wait. Pause. SQL injection? In 2023? Pier Reviewer blames siloed development:

Parameterising queries still isn’t done every time. Even where it is, dumb stuff happens.

The other week I was reviewing some code. DB interaction looked reasonable on the surface — all the queries were parameterised so it was safe, right? Wrong! They were calling stored procedures safely, but the SPs were then concatenating input and EXEC’ing it.

It’s a fairly common pattern, sadly: Java/.Net/whatever devs do their bit safely, but then the data team who write the SPs do random **** like it’s 1995. Neither team knows or understands what the other team is doing so you end up with trivially discoverable and exploitable SQLi.
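
The split Pier Reviewer describes, as an added T-SQL illustration that is not code from the original post, from MOVEit, or from any of the quoted commenters: the first procedure is called with a bound parameter yet concatenates it into dynamic SQL, the second keeps the same interface but passes the value through sp_executesql, the third handles the one case (a caller-chosen identifier) that a parameter cannot cover, and the final query is a coarse review aid for finding candidate procedures to read by hand. The table dbo.Files, its columns, and the procedure names are hypothetical.

```sql
-- Vulnerable pattern: the application calls the procedure with a bound parameter,
-- so the call site looks safe, but the procedure builds its query by string
-- concatenation and EXECs it, so the value is parsed as SQL rather than data.
CREATE PROCEDURE dbo.GetUserFiles_Unsafe
    @Username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT FileId, FileName FROM dbo.Files WHERE Owner = '''
             + @Username + N'''';
    EXEC (@sql);  -- a single quote in @Username ends the literal; what follows runs as SQL
END;
GO

-- Hardened form: the statement text is a constant and the value travels through
-- sp_executesql as a typed parameter, so it can never alter the statement.
CREATE PROCEDURE dbo.GetUserFiles_Safe
    @Username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT FileId, FileName FROM dbo.Files WHERE Owner = @Owner';
    EXEC sys.sp_executesql @sql, N'@Owner NVARCHAR(100)', @Owner = @Username;
END;
GO

-- Identifiers (a caller-chosen sort column) cannot be parameters: allow-list
-- them against known column names and wrap with QUOTENAME before splicing.
CREATE PROCEDURE dbo.GetUserFiles_Sorted
    @Username   NVARCHAR(100),
    @SortColumn SYSNAME
AS
BEGIN
    IF @SortColumn NOT IN (N'FileName', N'UploadedAt')
        THROW 50000, N'Unsupported sort column', 1;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT FileId, FileName FROM dbo.Files WHERE Owner = @Owner ORDER BY '
        + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql, N'@Owner NVARCHAR(100)', @Owner = @Username;
END;
GO

-- Code-review aid: list stored procedures in this database whose body EXECs a
-- parenthesised expression. It is deliberately coarse (it also lists safe
-- sp_executesql callers); the point is a short list to read by hand.
SELECT OBJECT_SCHEMA_NAME(m.object_id) + N'.' + OBJECT_NAME(m.object_id) AS proc_name
FROM sys.sql_modules AS m
JOIN sys.procedures AS p ON p.object_id = m.object_id
WHERE m.definition LIKE N'%EXEC%(%'
   OR m.definition LIKE N'%EXECUTE%(%';
```

The review query is the check to run on the database side of the silo: if the application team's parameterised calls land in anything on that list, the procedure body decides whether the query is actually safe.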

But this is a solved problem! bennett_cg requests we exit the grassed area:

The trouble with "solved problems" is that, eventually, the people who actually felt the pain from the problem aren't around anymore and their replacements never had a chance to learn about it the hard way. So the good practices seem like arcane verbosity and … get discarded.

What can we learn? apjr9 concludes that we’re going to see supply-chain exploits more frequently:

Networked apps are a huge security vulnerability. Your system security is only as good as the security of the least secure networked app running on it.

…

As OS and network security improves, attacks via networked apps are becoming common. Securing all the networked apps would be a huge cost to industry, so they are furiously trying to ignore the problem and have been for decades.

Is the only answer to only use your own software? No, argues Coppercloud:

Lol, no. … Unless transferring files is your literal entire business you probably want to trust experts instead of building your own, because you'll **** it up worse than they will. You can criticize MOVEit all you want … but be it MOVEit, OneDrive, DropBox, FTP … you're likely to be trusting someone else.

Meanwhile, if not MOVEit, then what should you use? This Anonymous Coward has a “better” suggestion:

We always transfer files via torrent sites. It's fast and you also get free backup service. Win!

And Finally:

More Treknobabble from Reina

Previously in And finally


You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Wesley Tingey (via Unsplash; leveled and cropped)
