Cymulate has been closely following the recent string of attacks by the cl0p ransomware group (often classified as an Advanced Persistent Threat, or APT) leveraging the recently disclosed vulnerability in the MOVEit Transfer application from Progress Software. Originally published on June 1st as a CVE (tracked as CVE-2023-34362), the vulnerability is a SQL injection flaw in the MOVEit Transfer web front end, which is frequently exposed to the internet to facilitate inter-organizational file transfers. Because the vulnerable component is the internet-facing web interface, exploitation requires no prior access to the victim network. The Cybersecurity & Infrastructure Security Agency (CISA), the US federal cybersecurity agency, released an advisory on June 1st to alert US federal and state governments to the likelihood of attacks using this vulnerability.
The United Kingdom began reporting intrusions by the cl0p group on June 7th and 8th, carried out using exploits against the MOVEit vulnerability, after the ransomware group publicly claimed that UK organizations had been compromised, including government systems and systems holding data of British Airways and the British Broadcasting Corporation (BBC). The statements from cl0p included ultimatums for these organizations to pay a ransom or risk extensive downtime and public release of stolen data.
On June 15th, Cymulate was able to confirm that at least one US federal agency, the Department of Energy, was partially compromised by the cl0p group through exploitation of the MOVEit vulnerability. See also reporting by Christian Vasquez of CyberScoop, Politico, and the Electronic Frontier Foundation. As this attack is ongoing, the extent of the compromise, and whether other agencies were also successfully attacked, is not yet fully known. CISA has not provided comment on this ongoing attack activity beyond referring to its advisory of June 1st. This escalation indicates that private and public organizations in the US are likely to see scanning traffic and active ransomware attempts against critical infrastructure in the coming days and weeks.
Shortly after the UK attacks were confirmed, Cymulate created and released an Immediate Threat Assessment that allows organizations using the Cymulate Breach and Attack Simulation (BAS) platform to confirm that their security controls recognize the Indicators of Compromise (IoCs) observed in the attacks seen so far. This Immediate Threat Assessment includes the known executables and other file components, as well as the known Command and Control (C2) IP addresses and URLs used by the group in this specific campaign.
Cymulate customers who use MOVEit Transfer by Progress Software are strongly encouraged to run the existing Immediate Threat Assessment as soon as possible and to watch the Immediate Threat Assessment feed closely for new variants as they are discovered. MOVEit customers should also immediately review the CISA advisory and apply the recommended mitigations (at minimum, patching affected MOVEit Transfer instances and limiting their exposure to the internet until patched), then re-test with Cymulate to confirm that the mitigations have had the desired effect. Note that an IoC-based assessment validates detection of the activity seen to date; it does not by itself confirm that the underlying vulnerability has been remediated, which is why patching and re-testing must both be completed.
As with any emergent threat known to be in active use by threat actors, Cymulate will continue to monitor the situation and update the Cymulate Platform with additional simulation objects, such as Immediate Threat Assessments, as the situation warrants.