Infosec in brief Security firms helping Progress Software dissect the fallout from a ransomware attack against its MOVEit file transfer suite have discovered more issues that the company said could be used to stage additional exploits.

Progress said the discovery was made by cybersecurity firm Huntress, which it had engaged to conduct a detailed code review of its systems. The newly discovered exploits are distinct from the issue reported earlier, and as such another patch for MOVEit Transfer and MOVEit Cloud have been issued to fix this latest discovered bug.

Progress gave no description of the newfound vulnerabilities and said a CVE number or numbers are pending.

The original attack – which targeted high-profile companies like British Airways, the BBC and Boots – exploits a SQL injection vulnerability in the MOVEit document transfer app to gain access to environments and exfiltrate data.

Clop, the Russian ransomware gang behind the MOVEit supply chain ransomware attack, likely knew about the bug as far back as 2021, claims risk analysis firm Kroll.

According to Kroll’s forensic review of Microsoft Internet Information Services logs from clients affected by Clop’s MOVEit attack, “observed activity consistent with MOVEit Transfer exploitation” was picked up in multiple client environments in April 2022, and in some as early as July ’21.

The 2021 attack was slow, taking place over a longer period of time (12 days as opposed to two hours in 2022), which Kroll believes suggests the exploit had only recently been discovered and was being tinkered with manually before an automated exploit was developed.

Clop has given MOVEit victims until June 14 to pay its ransom or it will leak stolen data online.

According to Progress, it hasn’t seen any indication that the new vulnerabilities have been exploited, but then again Progress didn’t know Clop had compromised its code way back in 2021 either.

AN0M: The FBI’s gift that keeps on giving

The FBI’s decision to seed a compromised secure messaging app into the criminal underworld five years ago is still paying dividends. US officials this week offered a $5 million reward for the apprehension of one of the duped criminals who sold access to the compromised comms system.

Swedish national Maximilian Rivkin is wanted in connection with conspiracy to participate in or attempting to participate in transnational organized crime. Rivkin was identified as an “administrator and influencer” on the encrypted messaging app AN0M, which unbeknownst to him was actually developed for the FBI to catch people like him and his customers.

The reward is being offered jointly with the Swedish Police Authority, who have charged Rivkin with narcotics smuggling and trafficking. Rivkin’s communications on AN0M intercepted by police also implicate him in money laundering, kidnapping, murder conspiracies “and other violent acts,” US officials said.

AN0M was developed for the FBI by a confidential source for just $180,000 and over the course of a three-year sting operation netted US authorities 32 tons of drugs, hundreds of firearms, dozens of automobiles and nearly $150 million. Australian authorities had similar success using AN0M, executing over 500 warrants and making 200-plus arrests that resulted in the seizure of more than AU$45 million and 3.7 tons of drugs.

Rivkin was identified as one of 17 administrators of AN0M by the Justice Department in 2021, and was charged by a California grand jury that same year with international conspiracy to participate in a racketeering enterprise.

Over the course of the sting, more than 12,000 AN0M-loaded phones were sold for $2,000 each to criminal syndicates operating around the world. Some 800 arrests have been made around the world in connection with the AN0M sting, though Rivkin remains at large.

If, as is alleged by his rap sheet, he’s responsible for selling compromised phones to international crime syndicates resulting in their downfall, it might be safer to surrender. ®