| Date | Category | Description | Source |
|---|---|---|---|
| 31 May | Resource | Initial Vendor Advisory, IOCs | community.progress.com |
| 1 June | Resource | IOCs, Sigma & YARA Rules by Nextron Systems | twitter.com/cyb3rops |
| 1 June | Capabilities | Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability since 27th May 2023, IOCs | rapid7.com |
| 1 June | Infrastructure | GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023 | greynoise.io |
| 1 June | Resource | CrowdStrike shared FQL rules | r/crowdstrike |
| 1 June | Capabilities | Huntress analysis of the MOVEit Transfer vulnerability, IOCs | huntress.com |
| 1 June | Capabilities | TrustedSec MOVEit Transfer campaign analysis, IOCs | trustedsec.com |
| 2 June | Resource | YARA rules for the Web Shell | github.com/AhmetPayaslioglu |
| 2 June | Resource | Sigma rule for MOVEit exploitation | github.com/tsale |
| 2 June | Resource | MOVEit Web Shell Checker | github.com/ZephrFish |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the NIST National Vulnerability Database | nvd.nist.gov |
| 2 June | Capabilities | Mandiant campaign analysis, IOCs, YARA rules | mandiant.com |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the CISA Known Exploited Vulnerabilities (KEV) catalog | cisa.gov |
| 2 June | Adversary | Microsoft formally attributed the MOVEit Transfer campaign to the threat group called CL0P (aka Lace Tempest, FIN11, TA505) | twitter.com/MsftSecIntel |
| 2 June | Victim | The University of Rochester mentions a "data breach, which resulted from a software vulnerability in a product provided by a third-party file transfer company, has affected the University and approximately 2,500 organizations worldwide." | rochester.edu |
| 5 June | Resource | Identifying Data Exfiltration in MOVEit Transfer Investigations | crowdstrike.com |
| 5 June | Victim | Austrian Financial Market Authority (FMA) files stolen from MOVEit software | ots.at |
| 5 June | Victim | Zellis' MOVEit Transfer breached, impacting British Airways, BBC, Boots, and Aer Lingus, potentially others | therecord.media |
| 5 June | Adversary | Clop ransomware claims responsibility for MOVEit extortion attacks | bleepingcomputer.com |
| 6 June | Victim | University of Rochester and the Government of Nova Scotia are the first known MOVEit victims in North America | therecord.media |
| 7 June | Adversary | Clop ransomware tells those affected to email them before 14 June or stolen data will be published | BBC |
| 7 June | Adversary/Capabilities | FBI & CISA joint advisory on CL0P, details about other TA505 campaigns, and other incidents such as the GoAnywhere attacks, IOCs, YARA rules | cisa.gov |
| 7 June | Victim/Capabilities | SentinelOne's campaign analysis, hunting queries, IOCs | sentinelone.com |
| 7 June | Victim | Extreme Networks declares having learned that their instance of the MOVEit Transfer tool was impacted by a malicious act | computerweekly.com |
| 8 June | Capabilities | Kroll's timeline of the campaign (dating it back to 2021), IOCs | kroll.com |
| 9 June | Resource | Progress Software issues a new patch covering new vulnerabilities | progress.com |
| 9 June | Victim | Illinois government among victims of global ransomware attack | chicagotribune.com |
| 9 June | Victim | Minnesota Department of Education hit by cybersecurity attack | cbsnews.com |
| 9 June | Victim | HSE states no more than 20 people's data breached in cyber-attack | hse.ie |
| 9 June | Capabilities | Horizon3AI's analysis of the MOVEit Transfer campaign, accompanied by a Proof-of-Concept (PoC) for CVE-2023-34363, and IOCs | horizon3.ai |
| 12 June | Victim | Ofcom (the UK's communications regulator) and Ernst & Young (EY), one of the 'Big 4' accounting firms | bbc.co.uk |