PoC exploit for exploited MOVEit vulnerability released (CVE-2023-34362)

As more victims of the Cl0p gang's MOVEit Transfer campaign come to light, security researchers have released a PoC exploit for CVE-2023-34362, the vulnerability (a SQL injection that can be escalated to remote code execution) that the cyber extortion group exploited to steal confidential data.

CVE-2023-34362 PoC exploit released

Horizon3 security researchers have released proof-of-concept (PoC) exploit code for CVE-2023-34362, as well as technical root cause analysis of the flaw.

Rapid7 has released an analysis of the vulnerability and a full exploit chain for CVE-2023-34362.

With working exploit code public, attackers other than Cl0p can be expected to use it against unpatched, internet-facing MOVEit Transfer instances.

As we previously reported, Progress Software and Huntress researchers have recently discovered another set of SQL injection vulnerabilities (CVE-2023-35036) affecting the MOVEit Transfer solution.

Fixes for CVE-2023-34362 and CVE-2023-35036 exist, and enterprise IT admins should apply them quickly (if they haven't already). Patching alone does not undo a compromise that happened before the patch: organizations using on-prem MOVEit Transfer or the cloud service (MOVEit Cloud) should also check for evidence of compromise and data theft.
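One concrete way to start that check on an on-prem MOVEit Transfer host, as an added example that is not part of the original article and not code from Progress Software, Horizon3 or Rapid7: the script below looks under the web root for the known webshell filename `human2.aspx` (an indicator published in Progress Software's advisory for CVE-2023-34362, not mentioned in the article above) and for any server-side script files written recently, then hashes whatever it finds so the hashes can be compared with published indicators. The install path `C:\MOVEitTransfer\wwwroot` is the product's default and is an assumption; pass `-WwwRoot` if the instance lives elsewhere.

```powershell
# Added example, not from the article. Looks for file-system indicators of
# CVE-2023-34362 exploitation on a MOVEit Transfer server.
#   - human2.aspx : webshell filename from Progress Software's advisory
#   - default install path below is an assumption; override with -WwwRoot
param(
    [string]$WwwRoot = 'C:\MOVEitTransfer\wwwroot',
    [int]$LookbackDays = 45
)

function Get-MoveItWebshellIndicators {
    param([string]$Root, [int]$Days)

    if (-not (Test-Path -LiteralPath $Root)) {
        throw "MOVEit wwwroot not found at '$Root' (pass -WwwRoot if installed elsewhere)"
    }

    $findings = @()

    # 1. The known webshell name, anywhere under the web root.
    $known = Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'human2.aspx' -ErrorAction SilentlyContinue
    foreach ($f in $known) {
        $findings += [pscustomobject]@{
            Indicator = 'known webshell filename'
            Path      = $f.FullName
            Modified  = $f.LastWriteTimeUtc
        }
    }

    # 2. Any ASP.NET script file created or changed inside the lookback window.
    #    Legitimate application files share the install/patch timestamp, so a
    #    lone recently written .aspx/.ashx/.asmx deserves a look even if it is
    #    not called human2.aspx (attackers can rename the dropped file).
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $recent = Get-ChildItem -LiteralPath $Root -Recurse -File -Include '*.aspx','*.ashx','*.asmx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -gt $cutoff -or $_.LastWriteTimeUtc -gt $cutoff }
    foreach ($f in $recent) {
        if ($f.Name -ieq 'human2.aspx') { continue }   # already reported above
        $findings += [pscustomobject]@{
            Indicator = "server-side script written in last $Days days"
            Path      = $f.FullName
            Modified  = $f.LastWriteTimeUtc
        }
    }

    return $findings
}

$hits = @(Get-MoveItWebshellIndicators -Root $WwwRoot -Days $LookbackDays)

if ($hits.Count -eq 0) {
    Write-Output "No file indicators found under $WwwRoot. Absence of the webshell is not proof of no compromise; review MOVEit audit logs and user accounts as well."
} else {
    # Attach a SHA-256 so findings can be compared against published indicator lists.
    $hits | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
        $_ | Add-Member -NotePropertyName Sha256 -NotePropertyValue $hash -PassThru
    } | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on the MOVEit Transfer host (`.\Find-MoveItIndicators.ps1 -LookbackDays 60`, assuming that filename). Treat a hit as a reason to preserve the file and start incident response rather than simply delete it; a clean result only rules out this one on-disk indicator, since an attacker who has already extracted data may have removed the webshell, so the audit log of file downloads and the list of MOVEit user accounts need to be reviewed regardless.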

New confirmed victims

The list of confirmed victim organizations is growing and now also includes:

  • UK media watchdog Ofcom
  • Accountancy firm Ernst & Young (EY) and Transport for London (the local government body responsible for most of the transport network in the UK's capital city)
  • The Minnesota Department of Education
  • The Illinois Department of Innovation & Technology

Ofcom says that a limited amount of information (some of it confidential) about certain companies they regulate was downloaded during the attack, along with personal data of 412 Ofcom employees. (The watchdog did not say whether their own MOVEit Transfer instance was compromised or whether the data was downloaded from the instance belonging to payroll and HR services provider Zellis.)

Transport for London told the BBC that one of its contractors had suffered a data breach, and that the stolen data did not include banking details or passenger data.

The Minnesota Department of Education (MDE) says they discovered the breach on May 31, after being notified by Progress Software about the vulnerability (CVE-2023-34362), and that the initial investigation found that 24 MDE files were accessed.

“These files contained information about approximately 95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route,” they shared.

The files contained names, dates of birth and county of placement, home addresses and parent/guardian name(s). “No financial information was included in any of the files in this data breach. To date there have been no ransom demands nor is MDE aware that the data has been shared or posted online.”

The Illinois Department of Innovation & Technology (DoIT) “believes a large number of individuals could be impacted” by the breach.

“DoIT is currently advising impacted agencies and will issue public notice of the incident as expeditiously as possible once DoIT finalizes a determination of all people impacted.”

The Cl0p gang claims to have already deleted the data it stole from government and police agencies and cities, and that those entities won't be extorted, but a promise from cyber crooks shouldn't count for much.

Ryan McConechy, CTO at Barrier Networks, told Help Net Security that with confidential data belonging to Ofcom now in the hands of criminals, the affected individuals and organizations will be at heightened risk of phishing scams.

“The attackers behind this breach have given organizations a deadline of this Wednesday to get in touch to discuss negotiations and a ransomware payment, but with the breach being so widely publicised, it is highly unlikely many organizations will take this bait,” he added.

“Firstly, this would harm their reputations among the wider public for engaging with Russian cybercriminals, while, secondly, the reality is this data is now in the hands of criminals, and whether a ransom is paid or not, there are never any guarantees it will be deleted. Instead, remediation action must be the priority, and this involves changing passwords on accounts, informing banks that data has been compromised and being extra vigilant for scams.”
