Article Update: Since the initial disclosure of the MOVEit zero-day vulnerability, the situation has evolved with significant updates and revelations surrounding the exploitation and the widespread impact of the security vulnerability.
When an application or service that an organization relies on is found to have a previously unknown security flaw, the risk of cyberattacks rises dramatically. Hackers exploit these vulnerabilities, known as zero-days, to gain unauthorized access to systems, breach data, and steal personal information. This past week, a new zero-day vulnerability was exploited, affecting hundreds of companies worldwide.
What Happened?
On May 31st, 2023, Progress Software published an advisory to alert their customers of a zero-day vulnerability within their MOVEit Transfer and MOVEit Cloud applications. The vulnerability was being actively exploited by attackers to compromise customers' internet-facing servers. The vulnerability (CVE-2023-34362) is a critical SQL injection weakness that permits privilege escalation and unauthorized access to systems. According to a forum community post by a Progress Software representative, “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements”. After the discovery of the zero-day, Progress Software announced two further vulnerabilities in the file transfer product that require urgent remediation in the following weeks.
With more than 1,700 companies and over 3.5 million users worldwide, MOVEit Transfer is one of the largest managed file transfer ecosystems in the world. Some of the largest organizations in the world use MOVEit Transfer, including Chase Bank, Blue Cross, Disney, and the Department of Homeland Security.
The exploitation of the MOVEit Transfer vulnerability began during the U.S. Memorial Day weekend, around May 27th (the vulnerability wasn’t discovered by Progress Software until May 31st). The attackers took advantage of this security flaw and the holiday weekend to plant a webshell on servers. The webshell uploaded was named “human2.aspx”, which closely resembles the legitimate MOVEit file named “human.aspx.” In doing so, the hackers gained unauthorized access, enabling them to view and download files and extract sensitive information from Azure Blob Storage containers, which are commonly used by businesses and customers for cloud-based data storage and management.
Who is Responsible?
Following the discovery of the vulnerability, Microsoft traced the attack back to the Lace Tempest group, a ransomware operator best known for its subgroup, Cl0p, which runs an extortion website. Cl0p is a Russian ransomware gang that has been active since 2019 and has been linked to a wide range of activities in the cybercrime ecosystem. The Cl0p group confirmed their involvement on June 5th by publishing a statement regarding this attack on their blog. On June 16th, the U.S. Justice Department announced a reward of up to $10 million for any information on the whereabouts of Cl0p ransomware actors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory regarding the active exploitation of the recently disclosed critical flaw in the MOVEit Transfer application to drop ransomware. Since the vulnerability was identified, Progress Software has released a patch, but according to CISA, the Cl0p gang has continued to target systems that have not yet been updated.
What Is the Damage?
Companies are still scrambling to evaluate what data has been compromised. According to The Hacker News, the Cl0p gang may have been aware of, and testing, the MOVEit Transfer vulnerability since 2021. In the attacks from July 2021, the duration of the activity suggested that the attackers were conducting manual testing. In subsequent activity, which lasted anywhere from a few seconds to a few minutes, the attackers appeared to have switched to automated tools.
Payroll service provider Zellis, a company using the MOVEit software, confirmed on June 9th that data belonging to its UK clients (including BBC, British Airways, and Boots) was stolen. Data including home addresses, national insurance numbers, and bank details was taken in the breach.
CISA Director Jen Easterly stated that “several” federal agencies were impacted but would not state specifically how many. It is confirmed that at least three federal U.S. agencies – the Department of Energy, Department of Agriculture, and the Office of Personnel Management – were impacted.
The cyberattack also impacted various state governments in the United States, including the Minnesota Department of Education, which revealed that the personal data of over 95,000 students had been breached. The Illinois Department of Innovation and Technology (DoIT) also stated that Cl0p went after various Illinois state agencies. A representative from the state of Illinois stated, “DoIT’s investigation is ongoing and the full extent of this incident is still being determined, but DoIT believes a large number of individuals could be impacted”. The Louisiana Office of Motor Vehicles also announced that it believes all Louisianians with a state-issued driver’s license, ID or car registration likely had their data exposed to threat actors (over 6 million residents). This led to two class action lawsuits being filed against Progress Software in Louisiana, alleging that the company’s negligence led to the breach and put residents' personal financial data at risk. The Oregon DMV released a similar statement and a press release explaining that its MOVEit Transfer data breach impacted approximately 3,500,000 Oregonians with an ID or driver’s license.
As time goes on, we are learning more and more about who is impacted by this breach. As of July 5th, 196 organizations and over 17.5 million individuals have been revealed to be impacted by this vulnerability. Security company Censys said they examined organizations exposed to the internet who use MOVEit Transfer and found that 31% of the hosts running MOVEit are in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military.
Nearly 30% of the companies they observed have over 10,000 employees, indicating that the service is used in a variety of large organizations – the vast majority of which are based in the United States.
With so many organizations in the education sector hit by the zero-day, Brett Callow, a threat analyst at Emsisoft, claims that “it’s possible that pretty much every school in the US will also have been impacted, either directly or indirectly”.
What Should I Do?
In response to this threat, all organizations using MOVEit Transfer should take immediate action and upgrade affected systems without delay.
In situations where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Both CISA and Mandiant provide in-depth steps to mitigate threats from Cl0p ransomware. If MOVEit Transfer is present on the network, businesses should follow the mitigation guidelines on Progress’s website and initiate an investigation for evidence of any attack. As of June 12th, Progress has also released a second patch, which organizations should deploy once the first patch is applied.
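As an added example (not code from the article, Progress, CISA or Mandiant), the following Python hunt reads IIS W3C logs from a MOVEit Transfer host and flags requests to the “human2.aspx” name mentioned above, as well as any other .aspx page that is not in a known-good baseline; the baseline set and the sample log lines are constructed assumptions, and the baseline should be inventoried from a clean install of the same MOVEit version.

```python
# Hunt IIS W3C logs from a MOVEit Transfer host for requests to the human2.aspx
# webshell name and for .aspx pages missing from a known-good baseline.
WEBSHELL_NAMES = {"human2.aspx"}

def parse_w3c(lines):
    """Yield one dict per request from IIS W3C log lines, using the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def hunt(lines, baseline_aspx):
    """Return hits for the known webshell name and for .aspx pages outside
    baseline_aspx (assumption: page names inventoried from a clean install)."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").lower()
        name = stem.rsplit("/", 1)[-1]
        if not name.endswith(".aspx"):
            continue  # only server-side pages can act as a webshell
        if name in WEBSHELL_NAMES:
            reason = "known webshell name"
        elif name not in baseline_aspx:
            reason = "aspx not in baseline"
        else:
            continue
        hits.append({"when": f"{row.get('date', '')} {row.get('time', '')}",
                     "client": row.get("c-ip", ""), "method": row.get("cs-method", ""),
                     "path": stem, "reason": reason})
    return hits

# Constructed sample log (not a real capture); fields trimmed to those used above.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200
2023-05-28 03:14:09 10.0.0.5 POST /human2.aspx - 443 198.51.100.7 200
2023-05-28 03:15:11 10.0.0.5 GET /api/v1/token - 443 198.51.100.7 200
2023-05-28 03:16:02 10.0.0.5 GET /other.aspx - 443 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, baseline_aspx={"human.aspx"}):
        print(hit)
```

Any hit on the webshell name, and any request to an unrecognized .aspx page from an external address, warrants pulling the file from the web root and starting the incident investigation described above.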
The severity and scale of this incident underscore the importance of taking proactive measures to mitigate the risks associated with zero-day vulnerabilities and far-reaching software supply chains. To prepare for zero-day threats and reduce their effectiveness against your organization, there are several practices all organizations should consider.
First and foremost, it is vital that vendor agreements are reviewed to include provisions obligating the vendor to notify you of any actual or attempted security incident within a reasonable time period. Implementing a Defense-in-Depth strategy by combining multiple security measures, such as firewalls, antivirus solutions, intrusion prevention systems, secure configurations, and secure coding practices, adds layers of protection against zero-day vulnerabilities. With proactive threat hunting techniques, organizations can identify and respond to potential zero-day attacks before they cause significant damage.
Furthermore, effective asset management practices, including maintaining an accurate and up-to-date inventory, classifying assets based on their criticality, and implementing strong access controls, give organizations visibility into their valuable resources and let them allocate appropriate security measures. Asset management aids in identifying vulnerabilities, applying patches in a timely manner, and monitoring critical assets for any signs of compromise.
In parallel, all organizations should consider implementing SaaS security solutions to identify the potential attack surface should a SaaS application be compromised. Organizations need to identify the assets involved in their SaaS environment, including hardware, software, data, and third-party services. Strong IAM practices are also essential in order to understand the “blast radius” of a zero-day. In addition, data discovery tools are a must for organizations to identify and protect sensitive data. Data discovery helps organizations proactively safeguard their data, prevent unauthorized access, and identify what data has been exposed in the event of a zero-day.
All of these security measures are recommended to all Consortium Networks clients and associates to remediate the effects of the MOVEit zero-day and to best protect themselves from similar attacks in the future.