When an application or service that an organization relies on develops an unknown security flaw, the risk of cyberattacks rises dramatically. Hackers exploit these vulnerabilities, known as zero-days, to gain unauthorized access to systems, perform data breaches, and steal personal information. In the past week, a new zero-day vulnerability was exploited, affecting hundreds of companies worldwide.
What Happened?
On May 31st, 2023, Progress Software published an advisory to alert their customers to a zero-day vulnerability in their MOVEit Transfer and MOVEit Cloud applications. The vulnerability was being actively exploited by attackers to compromise customers' internet-facing servers. The vulnerability (CVE-2023-34362) is a critical SQL injection weakness that permits malicious escalation of privileges and unauthorized access to systems. According to a forum community post by a Progress Software representative, “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”
With more than 1,700 companies and over 3.5 million users worldwide, MOVEit Transfer is one of the largest managed file transfer ecosystems in the world. Some of the largest organizations in the world use MOVEit Transfer, including Chase Bank, Blue Cross, Disney, and the Department of Homeland Security.
Exploitation of the MOVEit Transfer vulnerability began during the U.S. Memorial Day weekend, around May 27th (Progress Software did not discover the vulnerability until May 31st). The attackers took advantage of this security flaw and the holiday weekend to place a webshell on compromised servers. The webshell was named “human2.aspx,” a near-match for the legitimate MOVEit file “human.aspx.” Through it, the hackers gained unauthorized access that enabled them to view and download files and to extract sensitive information from Azure Blob Storage containers, which businesses and customers commonly use for cloud-based data storage and management.
Who is Responsible?
Following the discovery of the vulnerability, Microsoft was able to trace the attack back to the Lace Tempest group, a ransomware operator best known for its subgroup, Cl0p, that runs an extortion website. Cl0p is a Russian ransomware gang that has been active since 2019 and has been linked to a wide range of activities in the cybercrime ecosystem. The Cl0p group confirmed their involvement on June 5th by publishing a statement regarding this attack on their blog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory regarding the active exploitation of the recently disclosed critical flaw in the MOVEit Transfer application to drop ransomware. Progress Software has released a patch since the vulnerability was identified, but according to CISA, the Cl0p gang has continued to target systems that have not yet been updated.
What Is the Damage?
Companies are still scrambling to evaluate what data has been compromised. According to The Hacker News, the Cl0p gang may have been aware of, and testing, the MOVEit Transfer vulnerability since 2021. In activity from July 2021, the duration of the sessions suggested the attackers were conducting manual testing. In subsequent activity they appear to have switched to automated tools, with sessions lasting anywhere from a few seconds to a few minutes.
Payroll service provider Zellis, a company using the MOVEit software, confirmed on June 9th that data belonging to its UK clients (including BBC, British Airways, and Boots) was stolen. Data including home addresses, national insurance numbers, and bank details was taken in the breach.
The cyberattack also impacted the Minnesota Department of Education in the United States, which revealed that the personal data of over 95,000 students had been breached. The Illinois Department of Technology also stated that Cl0p went after various Illinois state agencies. A representative from the state of Illinois stated, “DoIT’s investigation is ongoing and the full extent of this incident is still being determined, but DoIT believes a large number of individuals could be impacted.” As investigations continue, we will have a better understanding of the damage resulting from this zero-day vulnerability. Its repercussions are expected to be felt across the globe for months to come.
What Should I Do?
In response to this threat, all organizations using MOVEit Transfer should take immediate action and upgrade affected systems.
Where an upgrade cannot be performed, the system should be taken offline until it can be upgraded. Both CISA and Mandiant provide in-depth steps to mitigate threats from Cl0p ransomware. If MOVEit Transfer is present on their networks, businesses should follow the mitigation guidelines on Progress’s website and initiate an investigation for evidence of any attack. As of June 12th, Progress has also released a second patch, to be deployed once the first patch has been applied.
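One concrete check an investigation can start with follows from the webshell detail above: the attackers dropped “human2.aspx” next to the legitimate “human.aspx.” The script below is an added example, not Progress’s or CISA’s tooling; it lists every .aspx file under a web root and flags any name that is not on an allowlist, calling out separately those within a small edit distance of a legitimate name (the allowlist, the web-root path, and the distance threshold are assumptions to adjust for your deployment).

```python
"""Hunt for lookalike web-shell files (e.g. human2.aspx) in a MOVEit Transfer web root."""
from pathlib import Path

# Assumed allowlist of legitimate .aspx names; extend it from a known-good install.
KNOWN_FILES = {"human.aspx"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss names like human.aspx vs human2.aspx."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious_aspx(names, known=KNOWN_FILES, max_distance=2):
    """Return (name, reason) pairs for .aspx names not in the allowlist.

    Names within max_distance edits of an allowed name are reported as lookalikes,
    since that is the pattern used in the MOVEit intrusions; everything else that is
    not allowlisted is still reported so nothing unexpected is silently ignored.
    """
    findings = []
    for name in sorted(names):
        low = name.lower()
        if not low.endswith(".aspx") or low in known:
            continue
        close = [k for k in sorted(known) if edit_distance(low, k) <= max_distance]
        reason = f"lookalike of {close[0]}" if close else "not in allowlist"
        findings.append((name, reason))
    return findings


def scan_webroot(root) -> list:
    """Walk the web root recursively and apply the name checks to every .aspx file."""
    return find_suspicious_aspx(p.name for p in Path(root).rglob("*.aspx"))


if __name__ == "__main__":
    # Constructed sample: a temporary directory standing in for the MOVEit wwwroot.
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for n in ("human.aspx", "human2.aspx"):
            Path(d, n).write_text("")
        print(scan_webroot(d))  # [('human2.aspx', 'lookalike of human.aspx')]
```

A hit is a lead, not proof: confirm by comparing the file against a known-good install and reviewing its contents and creation time before treating the host as compromised.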
The severity and scale of this incident underscore the importance of taking proactive measures to mitigate the risks associated with zero-day vulnerabilities and far-reaching software supply chains. To prepare for and reduce the effectiveness of zero-day threats against your organization, there are several practices all organizations should consider.
First and foremost, it is vital that vendor agreements are reviewed to include provisions obligating the vendor to notify you of any actual or attempted security incident within a reasonable time period. Implementing a Defense-in-Depth strategy by combining multiple security measures, such as firewalls, antivirus solutions, intrusion prevention systems, secure configurations, and secure coding practices, adds layers of protection against zero-day vulnerabilities. With proactive threat hunting techniques, organizations can identify and respond to potential zero-day attacks before they cause significant damage.
Furthermore, effective asset management practices, including maintaining an accurate and up-to-date inventory, classifying assets based on their criticality, and implementing strong access controls, give organizations visibility into their valuable resources and let them allocate appropriate security measures. Asset management aids in identifying vulnerabilities, applying timely patches, and monitoring critical assets for any signs of compromise.
In parallel, all organizations should consider implementing SaaS security solutions to identify the potential attack surface if a SaaS application is compromised. Organizations need to identify the assets involved in their SaaS environment, including hardware, software, data, and third-party services. Strong IAM practices are also essential in order to understand the “blast radius” of a zero-day. In addition, data discovery tools are a must for organizations to identify and protect sensitive data. Data discovery helps organizations proactively safeguard their data, prevent unauthorized access, and identify what data has been exposed in the event of a zero-day.
All of these security measures are recommended to all Consortium Networks clients and associates to remediate the effects of the MOVEit zero-day and to best protect themselves from similar attacks in the future.