MOVEit Transfer Vulnerability Key Points
– It is a Zero-day SQL injection vulnerability (CVE-2023-34362). It affects all versions of MOVEit transfer and poses a severe security risk.
– As of Monday evening, payroll service Zellis, the Canadian province of Nova Scotia, British Airways, the BBC, and UK retailer Boots were all known to have had data stolen through the attacks.
– “Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched.” – Zellis
– “We aren’t seeing commodity threat actors or low-skill attackers throwing exploits here, but the exploitation of available high-value targets globally.” – Rapid7
– Microsoft is attributing attacks exploiting the vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site.
– Some businesses impacted by the MOVEit exploitation received extortion emails, many of which were scams.
– Read below for details explaining how to detect and remediate this threat.
MOVEit Hack: What’s Happened?
Developed by Ipswitch, a subsidiary of Progress Software Corporation, MOVEit Transfer facilitates secure file transfers through SFTP, SCP, and HTTP protocols.
In recent days, a significant security concern has emerged in MOVEit Transfer, a widely used secure file transfer service. The vulnerability, named CVE-2023-34362, was uncovered on May 31, 2023. It has already been exploited by malicious actors in real-world attacks, leading to unauthorised access, escalated privileges and data leaked within affected environments. The specific consequences vary based on the database engine in use, including MySQL, Microsoft SQL Server, or Azure SQL.
The vulnerability’s exploitation grants attackers the ability to glean information about the database structure and content, enabling them to infer sensitive data. Moreover, they can execute SQL statements that modify or delete elements of the database. This poses a significant risk to the integrity and confidentiality of the stored data. It has already been made public that information has been leaked from organisations following the exploitation of this vulnerability. Some data includes
Prompt action is crucial to mitigate the risks associated with this vulnerability.
Detecting the Vulnerability:
– Verify the existence of a file named human2.aspx in the wwwroot folder of the software.
– Pay close attention to any unexpected downloads or uploads of files from unknown IP addresses via log files. These activities should be reviewed to ensure they are legitimate and authorised.
– Examine the web server log files for any events that involve a GET request to the human2.aspx file. Additionally, be on the lookout for a large number of log entries or entries with significant data sizes, as this could indicate unexpected file downloads.
– Rapid7 suggests that data exfiltration can be detected by analysing the Windows Event File located at C:WindowsSystem32winevtLogsMOVEit.evtx. This file contains valuable information such as file names, file paths, file sizes, IP addresses, and usernames associated with downloads. This event log file can reveal instances of data exfiltration.
– Utilise the audit logs stored in the MOVEit database, which can be queried directly or through the software’s built-in reporting functionality. By examining these logs, administrators can generate a report of file download actions performed through the software, enabling them to identify potential data exfiltration incidents.
Remediating the Vulnerability:
– Progress Software strongly advises immediate application of the released patch. If not possible, disable all HTTP and HTTPS traffic to MOVEit Transfer to prevent unauthorised access. SFTP and FTP protocols can still function, and administrators can use Remote Desktop Protocol to connect. Cloud versions are automatically up to date.
– Delete suspicious files like “human2.aspx” or unknown .cmdline scripts. Analyse newly created or unfamiliar files in the MOVEit folder and check .cmdline files in Windows’ temporary folders.
– Remove unauthorised user accounts.
– After patching or blocking traffic, scan for compromise indicators. Reset service account credentials if evidence is found.
– Continuously monitor Progress’ Indicators of Compromise.
– 3B Data Security can help deploy EDR solutions for 24/7 monitoring of assets on the network.
– Check for user information leaked by the group on the Darkweb, or their site.
– We are also able to assist with monitoring domains and specific user credentials.
Has Your Organisation’s Data Been Compromised?
The best way to find out if you’ve been affected by the attack is by conducting a Compromise Assessment. Compromise Assessments can detect any sign of a compromise on your systems and networks.
At 3B Data Security, our Compromise Assessments are designed to identify hidden vulnerabilities and existing cyber threats that may have breached your defences.
Our team of specialised consultants are equipped with the latest knowledge and tools to identify vulnerabilities, potential breaches, and ongoing threats in your infrastructure. They’ll work closely with you to understand your organisation’s specific needs and tailor our assessment process accordingly.
Get peace of mind knowing that your organisation’s security is in expert hands. Contact us today find out more about our Compromise Assessments and how we can help your organisation detect, respond, recover from any type of cyber threat.