Ransomware gang exploits critical vulnerability in popular file transfer software


A cybersecurity advisory issued Wednesday said that a major ransomware group had successfully exploited a previously unknown vulnerability in Progress Software’s MOVEit software.

The Cybersecurity and Infrastructure Security Agency and the FBI released a joint cybersecurity advisory warning that one of the largest phishing and malspam distributors worldwide began exploiting a previously unknown vulnerability last month that can potentially impact public and private sector networks.

A ransomware gang called CL0P — otherwise known as TA505 — is exploiting a vulnerability in MOVEit, a popular solution developed by the company Progress Software that provides automated file transfers for sensitive data and enhanced workflow automation capabilities. The exploit is designed to steal data from underlying MOVEit databases, according to the advisory.

The ransomware group has previously exploited vulnerabilities in similar campaigns that targeted file transfer software and databases earlier this year, including Accellion’s File Transfer Appliance and Fortra/Linoma’s GoAnywhere managed file transfer servers.

While the extent of the impact from the most recent attack remains unclear, the advisory said that, “due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

CISA Executive Director for Cybersecurity Eric Goldstein said that the agency "remains in close contact with Progress Software and our partners at the FBI to understand prevalence within federal agencies and critical infrastructure."

According to federal contracting databases, Progress Software products are in use at multiple federal agencies, including the Army, the Navy, the State Department, the Centers for Disease Control, the Bureau of Prisons and other entities.

Progress Software posted about the vulnerability late last month on its website and shut down components of its cloud service product while patching its services. The company has since restored services and said it is unaware of any data breaches associated with the vulnerability, but added that it was "extremely important" for MOVEit Transfer customers to take immediate action.

The advisory recommends that customers take an inventory of all assets and data to help identify unauthorized devices and software on their networks, regularly patch and update their applications to the latest versions, and conduct regular vulnerability assessments. Companies are also encouraged to grant administrative privileges only when necessary.

TA505 has previously functioned as a major botnet operator that specializes in phishing attacks and financial fraud. Previous ransom notes that the group has sent to victims threatened to publish their stolen data on a public blog and sell the information on the dark web if the impacted companies declined to negotiate.

Mandiant, a cybersecurity firm and Google subsidiary, confirmed in an announcement that the earliest evidence of the exploitation occurred on May 27 and added that victim organizations "could potentially receive ransom emails in the coming days to weeks."