We like to MOVEit: A wake-up call for cybersecurity

Imagine a world where businesses are shielded by an impenetrable fortress, safeguarding their sensitive files as they traverse the digital landscape. MOVEit, the renowned secure file transfer software, offers businesses worldwide a cybersecurity fortress, protecting their sensitive files during transit and mitigating all sorts of vulnerability. Trusted by organizations globally, MOVEit ensures the secure exchange of confidential data, providing peace of mind in an interconnected world.

However, even the strongest fortresses can face unexpected challenges. Recently, MOVEit found itself at the center of a high-profile hack, serving as a stark reminder of the ever-evolving threats lurking in the digital realm.

The discovery of a zero-day vulnerability exploit in the MOVEit file transfer product, developed by Ipswitch (a subsidiary of Progress), was unveiled on May 31st, causing widespread concern and attention. This software is extensively used by major organizations worldwide, impacting renowned names like British Airways, Aer Lingus, the BBC, and UK retailer Boots.

Despite initial hopes of the exploitation coming to an end, a new development has emerged, adding another layer to the incident. As recently reported by The Register, a separate set of exploits has been discovered, distinct from the previously reported issue. In response, Progress has released additional patches for MOVEit Transfer and MOVEit Cloud to address this latest bug.

No specific details about the newly found vulnerabilities have been provided by Progress at this time. The assignment of CVE numbers is still pending. The initial attack exploited a SQL injection vulnerability in the MOVEit document transfer application, enabling unauthorized access to environments and data exfiltration.

Clop has set a deadline of June 14 for MOVEit victims to pay the ransom, threatening to leak the stolen data online. While Progress states that there have been no indications of the new vulnerabilities being exploited, it is worth noting that the company was previously unaware of Clop compromising its code back in 2021 as well.

via GIPHY

Exploring the critical cybersecurity vulnerability in MOVEit Transfer

Cybersecurity experts revealed that their telemetry indicated other potential victims, including banks and sectors within the US government. The vulnerability, tracked as CVE-2023-34362, has been added to CISA’s list of known exploited vulnerabilities, urging federal agencies to apply available patches promptly.

CVE-2023-34362, still awaiting a complete analysis according to a NIST report, refers to an SQL injection vulnerability in the MOVEit Transfer web application. Exploiting this vulnerability, hackers can gain insights into the database structure and content and execute SQL statements to delete database elements on vulnerable systems.

On June 1, hackers introduced a file named “human2.aspx” on the targeted device, observed by the Cyble Global Sensor Intelligence (CGSI) network. This backdoor enabled the exchange of malicious commands and exploitation. The critical vulnerability present in MOVEit Transfer facilitated the large-scale downloading of data from susceptible organizations. Alarmingly, over 2,500 publicly accessible instances of MOVEit Transfer were discovered to be vulnerable.

According to a Tenable report based on a Shodan query, as of June 2, 2023, there were 2,526 publicly accessible instances of MOVEit Transfer potentially vulnerable. The majority of these instances were located in the United States (73.4%), followed by the United Kingdom (5%) and Germany (4.6%).

Microsoft’s tweet on June 5 revealed that the cybercriminal group Lace Tempest was already exploiting the critical vulnerability in MOVEit Transfer. Interestingly, this group was also associated with the Cl0p ransomware group’s extortion website.

It is noteworthy that Cl0p ransomware previously exploited the Fortra GoAnywhere MFT RCE vulnerability (CVE-2023-0669), targeting global corporations like P&G and Hitachi, as well as city administrations and regional governments.

Every version of MOVEit Transfer is believed to be affected by this vulnerability, emphasizing the urgency for organizations to apply the recently released patch. The supply chain attack, as per Microsoft Threat Intelligence, was attributed to the cybercriminal group Cl0p, which is believed to operate from Russia.

Lessons from the past

Known for their involvement in ransomware-as-a-service (RaaS) activities, Cl0p has recently transitioned to a pure extortion approach. The group was also linked to attacks on Fortra’s GoAnywhere MFT product, which resulted in successful breaches of over 130 organizations, according to the group’s own estimates.

In 2020, the Cl0p ransomware group executed a targeted assault on Accellion’s outdated file transfer appliance, acquiring massive quantities of data from over 100 affiliated companies. With a demand for a US$10 million ransom, they gradually divulged the stolen information, leading to breaches of privacy and data leaks.

Here’s more information on the group and its activities as reported by BBC News:

According to David Bicknell, Principal Analyst of Thematic Intelligence at GlobalData, the ingenuity behind these attacks surpasses the capabilities of most enterprises to prevent them. Instead, organizations can focus on building resilience and mitigating the risks. These attacks have been tried and tested more than many realize.

Bicknell also emphasizes the importance of efforts by security specialists, including companies, researchers, security vendors, and governments, to limit hackers’ use of artificial intelligence (AI) for offensive purposes. The events surrounding these attacks highlight how security researchers can manipulate AI software, bypassing safety restraints and potentially leading to future AI-driven cyberattacks.

Rajesh Muru, Principal Analyst and Global Enterprise Cybersecurity Lead at GlobalData, emphasizes that this incident serves as a prime example of inadequate risk management within company supply chains. While compliance guidelines like NIST address some cybersecurity risks, users and suppliers lack sophisticated enough initiatives to drive visibility across the complete supply chain. As a result, end-user enterprises often lack visibility into the security posture across the entire supply chain, leaving them with limited time to react when incidents occur.

“This often leads to end-user enterprises not having visibility on the security posture across the complete supply chain and, more importantly, sufficient time to react,” said Muru. “The irony of all of this is that Progress very much sells on the premise of secure transferability of sensitive data with MOVEit. The product itself has strong security features, covering cryptographic tamper-evident Logging, Regulatory/Compliance Support (PCI, HIPAA, SOC2, GDPR), and Gateway Reverse Proxy.”

However, the recent attack raises questions about vulnerabilities and potential adversarial machine learning attacks in an increasingly interconnected world.

Amy DeCarlo, Principal Analyst of Global IT Hosted and Managed Services at GlobalData, highlights how the Clop group exploited a vulnerability in MOVEit to access personal identifiable information (PII), such as names, addresses, and banking information. This incident is part of a growing trend of doxware attacks, where attackers threaten to publish the information instead of encrypting data for ransom.

“Prevention is critical. Organizations need to make sure they are running the most current anti-virus software. Another important defense is end-user education. Attackers often use phishing and other social engineering tactics to breach an enterprise,” DeCarlo added.

Strengthening cybersecurity in an interconnected world

Commenting on the incident,  Amit Yoran, Chairman and CEO of Tenable, points out that the move by the Russian cyber gang Cl0p to demand negotiation of the ransom isn’t surprising, as many organizations end up paying.

“Organizations that use MOVEit software should assume risk and engage in incident response to determine the potential impact, if any,” said Yoran. “Russia’s cyberwar is changing the way criminals launch their attacks, and now we’re seeing the widespread effect this is having on critical national infrastructure, as hungry cyber criminals exploit vulnerabilities.” This is just the start of organizations revealing they’ve been impacted, and it is expected to see many more businesses and governments impacted, especially those not aggressively addressing known vulnerabilities.

“Vulnerabilities are disclosed every day, with threat actors just waiting to see if they can be weaponized and monetized. Instead of waiting to be attacked and then responding, it’s vital that security teams take a proactive approach by improving their cyber hygiene. The need to proactively manage risk to the business has never been more critical nor more obvious,” said Yoran.

As the cybersecurity landscape evolves, the battle against cyberattacks becomes increasingly challenging. The incidents surrounding MOVEit and similar attacks underscore the importance of continuous vigilance, collaboration among security specialists, and the adoption of proactive measures to safeguard sensitive data in an interconnected world.

---

---

---

---