Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

Cyber ​​catastrophe in sight? The new Bug on MOVEit has an Online PoC Exploit

RHC Dark Lab : 27 June 2024 00:26

In the realm of cybersecurity, vulnerabilities constantly represent a significant risk for businesses and institutions. Many system administrators may recall CVE-2023-34362 from last year, a catastrophic vulnerability in Progress MOVEit Transfer that shook the industry, affecting high-profile victims like the BBC and the FBI.

Sensitive data was leaked and destroyed as the cl0p ransomware gang exploited zero-day vulnerabilities to steal data, leaving a trail of chaos. Today, a new threat emerges on the horizon: the CVE-2024-5806 vulnerability.

The Past: CVE-2023-34362

CVE-2023-34362 (https://nvd.nist.gov/vuln/detail/CVE-2023-34362) represents one of the most critical vulnerabilities that hit Progress MOVEit Transfer, a widely used software for secure file transfer. Discovered and disclosed in 2023, this vulnerability had a significant impact on several high-profile organizations, including the BBC and the FBI.

Description of CVE-2023-34362

SCORSO DEL 25% SUL CORSO NIS2 FINO AL 31 DICEMBRE!
La direttiva NIS2 rappresenta una delle novità più importanti per la sicurezza informatica in Europa, imponendo nuovi obblighi alle aziende e alle infrastrutture critiche per migliorare la resilienza contro le cyber minacce. Con scadenze stringenti e penalità elevate per chi non si adegua, comprendere i requisiti della NIS2 è essenziale per garantire la compliance e proteggere la tua organizzazione.

Accedi alla pagina del corso condotto dall'Avv. Andrea Capelli sulla nostra Academy e segui l'anteprima gratuita.

Per un periodo limitato, potrai utilizzare il COUPON NIS-84726 che ti darà diritto ad uno sconto del 20% sul prezzo di copertina del corso
Per ulteriori informazioni, scrivici ad [email protected] oppure scrivici su Whatsapp al 379 163 8765 

Supporta RHC attraverso:


Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo.

CVE-2023-34362 is classified as a “Remote Code Execution” (RCE) vulnerability. This type of vulnerability allows a remote attacker to execute arbitrary code on the target system without the need for authentication. Specifically, in the case of CVE-2023-34362, the flaw resided in inadequate handling of HTTP requests by the MOVEit Transfer software.

Exploitation Mechanism of CVE-2023-34362

The vulnerability could be exploited by sending specially crafted HTTP requests to the MOVEit Transfer server. These malicious requests were able to bypass security controls and execute arbitrary commands with the privileges of the server execution process. This type of attack could be used to install malware, steal data, or further compromise the internal network of the organization.

Impact and Damage Caused by CVE-2023-34362

The impact of CVE-2023-34362 was devastating. The vulnerability was exploited by the cl0p ransomware gang, which used this flaw to conduct large-scale attacks. The consequences of these attacks included:

  • Data Theft: Highly sensitive and confidential data was stolen from numerous organizations, including the BBC and the FBI.
  • Data Destruction: Some compromised data was destroyed, causing significant losses.
  • Service Disruption: The operations of many organizations were disrupted, causing service interruptions and economic losses.

The Return to the Past: The Discovery of CVE-2024-5806

Recently, a new vulnerability in Progress MOVEit Transfer has been identified, classified as CVE-2024-5806. This vulnerability has been labeled as an ‘Improper Authentication’ weakness, a problem that allows attackers to bypass authentication mechanisms and gain unauthorized access to sensitive data. This type of vulnerability is particularly concerning as it can be exploited to severely compromise data security. More details: https://nvd.nist.gov/vuln/detail/CVE-2024-5806

Availability of a Proof of Concept (POC) for the Exploit

To further aggravate the situation, a Proof of Concept (POC) for exploiting CVE-2024-5806 has emerged. The availability of a POC means that attackers have a working example of how to exploit the vulnerability, increasing the risk of real attacks.

The POC can be used as a basis to develop more sophisticated and targeted attack tools, making the vulnerability an imminent threat.

The Risk of a New Attack by cl0p

Considering the recent history, a spontaneous question arises: will the cl0p ransomware actor exploit this vulnerability again? The cl0p gang, known for using the CVE-2023-34362 vulnerability for devastating attacks, might see CVE-2024-5806 as a new opportunity.

With their proven experience and the availability of a POC, there is a high risk that cl0p or similar groups might attempt to exploit this new security flaw.

The cl0p Ransomware Gang

Cl0p is one of the most feared and sophisticated ransomware gangs in the cybersecurity landscape. This criminal group is known for conducting devastating attacks against numerous high-profile organizations using advanced techniques and critical vulnerabilities like CVE-2023-34362 in Progress MOVEit Transfer. Cl0p ransomware is widely believed to have origins in Russia or former Soviet Union countries. Evidence indicates that the group members speak Russian and operate in time zones compatible with this region. However, like many cybercriminal activities, the exact geographic location of the group’s members can be challenging to determine with certainty.

Techniques, Tactics, and Procedures (TTPs)

The cl0p ransomware gang uses a set of highly sophisticated techniques, tactics, and procedures to conduct their attacks. Below are the main TTPs associated with the group:

  • Exploiting Zero-Day Vulnerabilities: Cl0p is known for exploiting vulnerabilities that have not yet been publicly disclosed (zero-day) to penetrate victims’ systems. A relevant example is CVE-2023-34362 in Progress MOVEit Transfer.
  • Phishing and Spear-Phishing: They use targeted phishing campaigns to gain initial access to systems, often sending emails that appear legitimate but contain malicious links or attachments.
  • Lateral Movement: Once access to a network is obtained, Cl0p moves laterally to compromise additional systems using tools like Mimikatz to extract credentials and gain privileged access.
  • Data Exfiltration: Before encrypting data, the group exfiltrates sensitive information, which they use as leverage to extort additional payments by threatening to publish the stolen data.
  • Double Extortion: Cl0p practices double extortion, demanding a ransom both for decrypting the files and to avoid the publication of the exfiltrated data.
  • Ransomware Deployment: Finally, Cl0p distributes ransomware through the compromised network, encrypting files and making them inaccessible until the ransom is paid.

Conclusion

The discovery of the CVE-2024-5806 vulnerability in Progress MOVEit Transfer represents a serious risk to the security of business information. The presence of a POC for the exploit further increases the threat, making it crucial for organizations to take immediate preventive measures. The possibility that the cl0p ransomware group might exploit this new vulnerability cannot be excluded, making vigilance and preparation even more important. Cybersecurity is an ongoing battle, and only through prevention and rapid response can companies protect their most valuable assets: data.

RHC Dark Lab
RHC Dark Lab is a group of experts from the Red Hot Cyber community dedicated to Cyber Threat Intelligence led by Pietro Melillo. Participating in the collective, Sandro Sana, Alessio Stefan, Raffaela Crisci, Vincenzo Di Lello, Edoardo Faccioli. Their mission is to spread knowledge about cyber threats to improve the country's awareness and digital defences, involving not only specialists in the field but also ordinary people. The aim is to disseminate Cyber Threat Intelligence concepts to anticipate threats.