Recently, due to the MOVEit zero-day vulnerability, a data leak incident involving 890 schools using the US non-profit education organization National Student Clearinghouse (NSC) services has become a hot topic. Threat actors have gained access to the MOVEit Managed File Transfer server and exfiltrated various personal information including names, birth dates, contact information, Social Security Numbers (SSN), and even obtained school records such as registration status and degree information at educational institutions.
NSC is an organization that provides services to over 22,000 high schools and 3,600 universities, meaning the scope of this data leak is very extreme, affecting over 50,000 people.
Finding Servers Exposed to MOVEit Zero-Day Exploits
MOVEit is a software that provides Managed File Transfer (MFT) solutions. It is also a tool used by many organizations, such as government and financial institutions, for managing and sharing large amounts of sensitive data.
Progress Software, the publisher of MOVEit solutions, announced that the MOVEit zero-day vulnerability CVE-2023-34362 was exploited by the Clop ransomware group in May. Although a vulnerability patch was provided on the same day as the announcement, a large amount of information had already been leaked, with the United States Department of Energy (DOE), accounting firm PwC, and British Airways reporting data leak damages one after another. Currently, the total number of organizations affected by MOVEit zero-day alone is estimated to be over 2,000. Since most affected organizations are related to subcontractors or collaborating suppliers that use MOVEit, the damage structure is complicated, making it difficult to respond to this vulnerability.
The following is the result of searching for MOVEit related servers within Criminal IP Asset Search.
Search Query: “MOVEit”
More than 70,000 MOVEit related servers were searched, and in particular, many servers with the Data Leak tag were found.
The Data Leak tag in Criminal IP indicates websites where credentials, including authentication information, have been detected in banners. This tag signifies that many MOVEit servers, which are at risk of data leakage, have been identified.
You can additionally opt to only search for MOVEit servers with the Data Leak tag by searching for “MOVEit” tag: Data Leak tag filter.
Statistics on Countries Using Servers Related to MOVEit
Here are the statistics of countries using MOVEit related servers using the Criminal IP Element Analysis feature.
It appears that a total of 71 countries are using servers related to the exposed MOVEit servers. Among them, Canada had the highest number with 8,715, followed by the United States with 8,403, and Singapore with 8,035.
The main countermeasures for MOVEit zero-day vulnerability CVE-2023-34362 are as follows. Detailed instructions can be found in the Progress Software article.
- Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
- Delete unauthorized files and user accounts
- Restore HTTP and HTTPS traffic after applying recommended security patches
- Enable Multi-Factor Authentication (MFA)
Check out our article on APT33 Password Spraying Attacks.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.
Source: Criminal IP (https://www.criminalip.io)
Related Article(s): https://blog.criminalip.io/2023/09/22/apt33/