Hackers have been sitting on MOVEit bug for 2 years

Cl0p hackers have been sitting on a zero-day vulnerability in the MOVEit Transfer application for two years, cybersecurity analyst Kroll claims.

The MOVEit Transfer zero-day flaw exploitation campaign has been attributed to the Cl0p ransomware gang. It has already directly (or via third party) affected companies like payroll provider Zellis, the BBC, and British Airways, among others.

Threat actors have been using the flaw to exfiltrate data. According to Kroll, hackers were likely experimenting on how to exploit this particular vulnerability as far back as 2021.

“According to these observations, the Cl0p threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023 but chose to execute the attacks sequentially instead of in parallel,” Kroll explained.

Experts observed a “broad swath of activity” during the Memorial Day weekend in the US (May 27th and 28th). Threat actors often enjoy launching major exploitation campaigns during weekends, with Log4j, and the Kaseya supply chain attack being among the most prominent examples.

According to experts at Kroll, the exploit was available and tested in July 2021, and April 2022.

“Even though immediate action is needed and the MOVEit vulnerability is under aggressive exploitation, it’s important to keep a level head. Yes, patch as soon as possible but also consider existing detections and your ability to respond should something suspicious happen,” Kroll said.

Cybersecurity company SentinelOne said the exploitation was most likely opportunistic. However, some sectors are impacted more than others. The company observed attacks against over 20 organizations in the following sectors:

  • Aviation, Transportation & Logistics
  • Entertainment
  • Financial Services & Insurance
  • Healthcare, Pharmaceuticals & Biotechnology
  • Managed Information Technology Service Providers (MSP)
  • Managed Security Service Providers (MSSP)
  • Manufacturing & Building Materials
  • Mechanical Engineering
  • Print & Digital Media
  • Technology
  • Utilities & Public Services

“Organizations using MOVEit Transfer should upgrade affected systems immediately. In situations where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Ensure your security team can access and analyze application logs from servers that run MOVEit Transfer, including Microsoft IIS logs,” the analyst suggested.