{"id":31887,"date":"2023-07-11T16:43:33","date_gmt":"2023-07-11T14:43:33","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=31887"},"modified":"2023-07-11T16:48:03","modified_gmt":"2023-07-11T14:48:03","slug":"moveit-transfer-attack-protection","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/moveit-transfer-attack-protection\/31887\/","title":{"rendered":"The MOVEit hack and its aftermath"},"content":{"rendered":"

If you\u2019re unfamiliar with the corporate file-sharing app MOVEit Transfer, it\u2019s still worth studying how it was hacked \u2013 if only for its sheer scale: hundreds of organizations were affected, including, among many others, Shell, the New York State Education Department, the BBC<\/a>, Boots, Aer Lingus, British Airways, several large healthcare providers across the globe, the University of Georgia, and Heidelberger Druck. Both ironically and sadly, MOVEit Transfer<\/a> is touted as \u201cSecure Managed File Transfer Software for the Enterprise\u201d by its creators, Ipswitch (now part of a company named Progress). It\u2019s a managed file transfer (MFT) system that helps employees share large files with contractors via SFTP, SCP and HTTP, offered as a cloud or on-premise solution.<\/p>\n

The series of incidents represents a cautionary tale for everyone in charge of information security at an organization.<\/p>\n

How MOVEit Transfer was hacked<\/h2>\n

Without going into every twist and turn of MOVEit users\u2019 turbulent one-and-a-half-months, we\u2019ll cover the key events.<\/p>\n

Reports about suspicious activity on the networks of many organizations that used MOVEit Transfer started surfacing on May 27, 2023. According to an investigation, malicious actors were taking advantage of an unknown vulnerability to steal data by running SQL queries.<\/p>\n

On May 31, Progress released their first security bulletin<\/a>, which summarized the fixes that had been released up to that point and recommended remediation steps. The company originally believed the issue was limited to on-premise installations, but it was later found that the cloud version of MOVEit was affected as well<\/a>. MOVEit Cloud was temporarily shut down<\/a> for patching and investigations. Rapid7 researchers counted<\/a> a total of 2500 vulnerable on-premise servers.<\/p>\n

On June 2, the vulnerability was assigned the identifier CVE-2023-34362<\/a> and a CVSS score of 9.8 (out of 10). Incident researchers attributed<\/a> the threat to the cl0p ransomware group. Researchers at Kroll reported on June 9 that the MOVEit exploit likely had been in testing since 2021<\/a>. Investigations made it apparent that the cyberattack chain did not necessarily end in an SQL injection and that it could include code execution.<\/p>\n

To their credit, Progress went beyond patching the software. The company initiated a code audit, making it possible for the Huntress company to both reproduce the entire exploit chain and discover another vulnerability, which would be fixed on June 9 as announced in the next bulletin<\/a> and designated as CVE-2023-35036<\/a>. Before many admins got the chance to install that patch, Progress itself discovered another issue \u2013 CVE-2023-35708<\/a> \u2013 and announced it in its June 15 bulletin<\/a>. MOVEit Cloud was shut down again for ten hours<\/a> for the fixes to be applied.<\/p>\n

June 15 was also notable for the hackers publishing the details of some of the victims and starting ransom negotiations<\/a>. Two days later, the U.S. government promised up to $10 million<\/a> for information about the group.<\/p>\n

On June 26, Progress announced that it would shut down MOVEit Cloud for three hours on July 2 to beef up server security.<\/p>\n

On July 6 developers published another update, which fixed three more vulnerabilities \u2013 one of them being critical (CVE-2023-36934<\/a>,\u00a0CVE-2023-36932<\/a> and\u00a0CVE-2023-36933<\/a>).<\/p>\n

File sharing services as a convenient attack vector<\/h2>\n

May\u2019s MOVEit Transfer attack is not the first of its kind. A similar series of attacks targeting Fortra GoAnywhere MFT<\/a> was launched in January, and late 2020 saw massive exploitation of a vulnerability in Accellion FTA<\/a>.<\/p>\n

Many attacks aim to get privileged access to servers or run arbitrary code, which happened in this case too, but hackers\u2019 objective has often been to execute a quick, low-risk attack to gain access to the databases of a file-sharing service. This helps snatch files without penetrating deep into the system so as to remain under the radar. After all, downloading files that are meant to be downloaded isn\u2019t that suspicious.<\/p>\n

Meanwhile, file-sharing databases tend to collect lots of truly important information: thus, a MOVEit Transfer attack victim admitted that the leak contained the data of 45 000 college and school students<\/a>.<\/p>\n

What this means for security teams is that apps like these and their configuration require special attention: steps to take here include limiting administrative access as well as taking additional security measures with regard to database management and network protection. Organizations should promote cyberhygiene among employees by teaching them to delete files from the file exchange system as soon as they cease to need them, and share with only a bare minimum of users.<\/p>\n

Focus on servers<\/h2>\n

For cyberattackers looking to steal data, servers are an easy target since they\u2019re not too closely monitored and contain a lot of data. Unsurprisingly, in addition to massively exploiting popular server-side apps with attacks like ProxyShell or ProxyNotShell<\/a>, hackers take paths less traveled by mastering encryption of ESXi farms<\/a> and Oracle databases<\/a>, or trying services like MOVEit Transfer, which are popular in the corporate world but less known to the general public. This is why security teams need to put the focus on servers:<\/p>\n