
A repository for tracking events related to the MOVEit Transfer Cl0p Campaign


MOVEit Transfer Hacking Campaign Tracking

  • A repository for tracking events related to the MOVEit Transfer Hacking Campaign
  • Events mapped to the Diamond Model, plus resources and information

Event Summary Diagram

(Diamond Model event summary diagram; image not reproduced in this text version)

| Publish Date | Type | Description | Source |
|---|---|---|---|
| 31 May | Resource | Initial vendor advisory, IOCs | community.progress.com |
| 1 June | Resource | IOCs, Sigma and YARA rules by Nextron Systems | twitter.com/cyb3rops |
| 1 June | Capabilities | Rapid7 observed exploitation of the critical MOVEit Transfer vulnerability since 27 May 2023, IOCs | rapid7.com |
| 1 June | Infrastructure | GreyNoise observed scanning activity for the MOVEit Transfer login page located at /human.aspx as early as 3 March 2023 | greynoise.io |
| 1 June | Resource | CrowdStrike shared FQL rules | r/crowdstrike |
| 1 June | Capabilities | Huntress analysis of the MOVEit Transfer vulnerability, IOCs | huntress.com |
| 1 June | Capabilities | TrustedSec MOVEit Transfer campaign analysis, IOCs | trustedsec.com |
| 2 June | Resource | YARA rules for the web shell | github.com/AhmetPayaslioglu |
| 2 June | Resource | Sigma rule for MOVEit exploitation | github.com/tsale |
| 2 June | Resource | MOVEit Web Shell Checker | github.com/ZephrFish |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the NIST National Vulnerability Database | nvd.nist.gov |
| 2 June | Capabilities | Mandiant campaign analysis, IOCs, YARA rules | mandiant.com |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the CISA Known Exploited Vulnerabilities (KEV) catalog | cisa.gov |
| 2 June | Adversary | Microsoft formally attributed the MOVEit Transfer campaign to the threat group called CL0P (aka Lace Tempest, FIN11, TA505) | twitter.com/MsftSecIntel |
| 2 June | Victim | The University of Rochester mentions a "data breach, which resulted from a software vulnerability in a product provided by a third-party file transfer company, has affected the University and approximately 2,500 organizations worldwide." | rochester.edu |
| 5 June | Resource | Identifying Data Exfiltration in MOVEit Transfer Investigations | crowdstrike.com |
| 5 June | Victim | Austrian Financial Market Authority (FMA): files stolen via the MOVEit software | ots.at |
| 5 June | Victim | Zellis' MOVEit Transfer instance breached, impacting British Airways, BBC, Boots and Aer Lingus, potentially others | therecord.media |
| 5 June | Adversary | Clop ransomware claims responsibility for the MOVEit extortion attacks | bleepingcomputer.com |
| 6 June | Victim | University of Rochester and the Government of Nova Scotia are the first known MOVEit victims in North America | therecord.media |
| 7 June | Adversary | Clop ransomware tells those affected to email them before 14 June or stolen data will be published | BBC |
| 7 June | Adversary/Capabilities | FBI and CISA joint advisory on CL0P: details of other TA505 campaigns and other incidents such as the GoAnywhere attacks, IOCs, YARA rules | cisa.gov |
| 7 June | Victim/Capabilities | SentinelOne's campaign analysis, hunting queries, IOCs | sentinelone.com |
| 7 June | Victim | Extreme Networks declares having learned that its instance of the MOVEit Transfer tool was impacted by a malicious act | computerweekly.com |
| 8 June | Capabilities | Kroll's timeline of the campaign (dating it back to 2021), IOCs | kroll.com |
| 9 June | Resource | Progress Software issues a new patch covering newly disclosed vulnerabilities | progress.com |
| 9 June | Victim | Illinois government among victims of the global ransomware attack | chicagotribune.com |
| 9 June | Victim | Minnesota Department of Education hit by cybersecurity attack | cbsnews.com |
| 9 June | Victim | HSE states no more than 20 people's data breached in the cyber-attack | hse.ie |
| 9 June | Capabilities | Horizon3.ai's analysis of the MOVEit Transfer campaign, accompanied by a proof-of-concept (PoC) exploit for CVE-2023-34362, and IOCs | horizon3.ai |
| 12 June | Victim | Ofcom (the UK's communications regulator) and Ernst & Young (EY), one of the 'Big 4' accounting firms, confirmed as victims | bbc.co.uk |
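The GreyNoise entry above (scanning of the login page at /human.aspx from early March, well before the observed exploitation) is the kind of pre-attack reconnaissance a defender can hunt for retroactively in their own IIS logs. The following is an added example written for this page, not code from the tracked repository or from any of the vendors listed; it assumes a MOVEit Transfer server on IIS writing W3C extended logs with the default `#Fields:` header, and it uses only the login path the table names. The log lines it runs on are constructed, not real telemetry.

```python
"""Hunt IIS W3C logs for bare reconnaissance of the MOVEit Transfer login page.

Added example for this tracker page, not vendor or repository code. Assumes
IIS W3C extended logging (with a '#Fields:' header) and that '/human.aspx'
is the login page, as the GreyNoise entry in the table states.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List

LOGIN_PATH = "/human.aspx"

# Constructed sample log (not real telemetry). Two clients: a scanner that only
# fetches the login page with an automation User-Agent, and a user who loads
# the page, POSTs credentials and then continues into the application.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-03 04:12:07 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 python-requests/2.28.1 200
2023-03-03 04:12:08 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 python-requests/2.28.1 200
2023-03-05 18:40:11 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 python-requests/2.28.1 200
2023-03-04 09:15:30 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2023-03-04 09:15:45 10.0.0.5 POST /human.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 302
2023-03-04 09:15:46 10.0.0.5 GET / - 443 jdoe 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names.

    The column list is read from the header, so the parser copes with sites
    that log a different column set. Lines before the header, comments and
    truncated lines are skipped rather than misaligned.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def hunt_login_probes(records: List[Dict[str, str]], login_path: str = LOGIN_PATH) -> Dict[str, dict]:
    """Report client IPs whose only activity was GET requests to the login page.

    A client that never POSTs (no login attempt) and never requests anything
    else has the shape of fingerprinting rather than use. Returns
    c-ip -> {"first_seen": "YYYY-MM-DD", "hits": n, "user_agents": [...]}
    so first_seen can be compared against the earliest scanning date reported
    publicly (3 March 2023 per GreyNoise).
    """
    per_ip = defaultdict(lambda: {"paths": set(), "methods": set(), "uas": set(), "dates": []})
    for r in records:
        info = per_ip[r["c-ip"]]
        info["paths"].add(r["cs-uri-stem"])
        info["methods"].add(r["cs-method"])
        info["uas"].add(r["cs(User-Agent)"])
        info["dates"].append(date.fromisoformat(r["date"]))
    findings: Dict[str, dict] = {}
    for ip, info in per_ip.items():
        if info["paths"] == {login_path} and info["methods"] == {"GET"}:
            findings[ip] = {
                "first_seen": min(info["dates"]).isoformat(),
                "hits": len(info["dates"]),
                "user_agents": sorted(info["uas"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in sorted(hunt_login_probes(parse_w3c(SAMPLE_LOG)).items()):
        print(f"{ip}: first seen {f['first_seen']}, {f['hits']} probe(s), UA {f['user_agents']}")
```

On a real server, feed it the concatenated `u_ex*.log` files from the MOVEit site's log directory; the per-IP output is a list of sources to enrich (GreyNoise, threat-intel feeds) and a timeline to check against the dates in the table above. The GET-only filter is deliberately strict: a scanner that also submits a login would slip past it, so treat this as a first pass, not a complete detection.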