MOVEit Transfer

Introduction

Following on from earlier exploits of GoAnywhere MFT and Aspera, Progress Software’s “MOVEit Transfer” has just become the latest file transfer product to fall victim to a wide-scale exploit.

MOVEit Transfer is a Windows-based server component that enables easy sharing of files. It is widely used by large organisations and has around two thousand current Internet-visible deployments. The latest vulnerability (CVE-2023-34362) is a pre-authentication SQL injection issue that can result in an attacker gaining full control over the server and any files it holds.

An initial wave of exploitation has been attributed to the “Clop” ransomware gang, although it is likely that additional attacks have been, and will continue to be, launched now that the vulnerability details are in the public domain. The full scope of the exploitation is currently unclear, but it seems likely that a significant volume of sensitive data has been obtained; much of it is likely to be used to extort the affected organisations and could end up being published.

A few days after the initial exploitation there were still a large number of unpatched deployments.

MOVEit Transfer: Vulnerable deployments as of 4th June 2023.

Interestingly, this is not the first SQL injection vulnerability to affect the product: there have been four similar vulnerabilities in the previous two years.

https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-June-2021

  • CVE-2021-31827 - Post authentication SQL injection

  • CVE-2021-33894 - Post authentication SQL injection

https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021

  • CVE-2021-37614 - Post authentication SQL injection

https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021

  • CVE-2021-38159 - Pre-authentication SQL injection

An earlier analysis of CVE-2021-38159 (https://blog.viettelcybersecurity.com/moveit-transfer-cve/) noted that the vendor had patched “a lot of other values and locations”, which suggests that there were a number of variants of the reported vulnerability.

Given this track record it is perhaps not too surprising that another exploitable issue has now been identified and exploited. The details of the latest issue are below.

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

  • CVE-2023-34362 - Pre-authentication SQL injection

Ineffective Defences?

Network intrusions often follow a somewhat predictable path: An initial exploit to get a foothold in a network, possibly some dwell time while next steps are worked out, and then a range of progressive lateral movements to extend the scope of the compromise.

The recent file-sharing exploits have followed much more of a “smash and grab” pattern: an automated wide-scale exploit that attacks, compromises, and exfiltrates data in one step. This presents a real challenge for defenders, because many detection and containment approaches do nothing to prevent the initial data theft: by the time an alert fires, the data has already left.

This attack method also means that a wider range of organisations are at risk of being compromised. There was an interesting comment attributed to the attackers in this article:

https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/

"I want to tell you right away that the military, children's hospitals, GOV etc like this we no to attack, and their data was erased," Clop said in their email to BleepingComputer.

This comment gives a clear indication of how current attackers operate: compromise everything you can first, and only afterwards work out what data and access you have and what you are going to do with it.

This should be taken as a clear warning by anybody who still thinks they aren’t big enough or valuable enough to be a victim of one of these attacks. Automated scripts are largely indiscriminate.

Lessons Learned

In this case, it is highly probable that any company with an Internet-facing deployment of MOVEit Transfer will have lost some data. Those with solid security processes probably found out about it sooner and were in a better position to prevent any later lateral movement, but it is unlikely they will have been able to prevent the initial attack.

The key takeaway here is fairly clear: even a multitude of carefully designed and expertly operated cyber defences can be rendered largely ineffective by a single application-level vulnerability.

So how should we defend against issues like this? There are some key practices that could significantly reduce the risk from this type of issue.

  • Technical Product Diligence: Apply an appropriate amount of technical due diligence when selecting applications, especially those that will be Internet-facing and will handle a large volume of data. Reviewing an application’s vulnerability history can be a valuable part of this process, although it needs to be a balanced risk assessment, as raw vulnerability counts alone rarely give a complete picture.

  • Attack Surface Reduction: Even if an application needs to be available to external partners or customers, adding a trustworthy authentication/authorisation layer in front of it can go a long way towards mitigating automated attacks. There is obviously a balance that needs to be reached between security assurance, usability, and operational costs but always remember that any component you expose directly to the Internet could well become the target for the next automated exploit.

  • Fast Response: Our EdgeScope product enables customers to instantly search their attack surface for any string fragment. This feature was designed for exactly the scenario where a new vulnerability is being exploited but the industry has yet to formulate the set of patterns to enable vulnerable deployments to be identified. In this case simply searching for “MOVEit” would instantly provide the details of any Internet-visible deployments. Being able to identify and remediate, or disable, any vulnerable deployments as soon as possible is one of the few steps that can be taken to reduce the impact of an ongoing wave of exploits.
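As an added illustration of the Attack Surface Reduction point above (this is not part of the original post, and not configuration that Progress ships), the following nginx fragments contrast a reverse proxy that simply passes Internet traffic through to the application with one that requires a TLS client certificate issued by your own partner CA, plus a source IP allowlist, before any request reaches it. The hostname, certificate paths, the internal address 10.0.0.20 and the 203.0.113.0/24 network are placeholders.

```nginx
# Added example, not from the original post.
#
# BEFORE (weak): the proxy adds nothing. Every unauthenticated request from the
# Internet is forwarded to the application, so a pre-authentication bug in the
# application is fully exposed to automated scanning.
server {
    listen 443 ssl;
    server_name transfer.example.com;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/transfer.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/transfer.key;

    location / {
        proxy_pass https://10.0.0.20;                 # placeholder internal app address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# AFTER (hardened): the proxy enforces TLS client certificate authentication
# and a source IP allowlist. A scanner with no certificate fails the TLS
# handshake and never gets to send an HTTP request to the application.
server {
    listen 443 ssl;
    server_name transfer.example.com;

    ssl_certificate     /etc/nginx/tls/transfer.crt;
    ssl_certificate_key /etc/nginx/tls/transfer.key;

    # CA that issued your partners' client certificates (placeholder path).
    ssl_client_certificate /etc/nginx/tls/partner-ca.pem;
    ssl_verify_client on;       # handshake fails without a valid client cert
    ssl_verify_depth 2;

    # Defence in depth: requests from outside partner networks get a 403 even
    # if they present a certificate. 203.0.113.0/24 is a documentation range
    # standing in for a real partner address block.
    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass https://10.0.0.20;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Pass the verified certificate subject so application logs can tie
        # each request to a partner identity.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Two caveats apply. The application host must be reachable only from the proxy (host firewall or network ACL), otherwise the control is trivially bypassed by connecting to it directly. And fronting the application in this way reduces exposure to indiscriminate scanning; it does not fix the underlying vulnerability, so it complements patching rather than replacing it.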

Conclusion

We are still in the early days of this exploit; the implications for those who have had data stolen will become clear in the coming weeks. It is also likely that we will see continuing follow-up attacks intended to compromise remaining unpatched infrastructure.

It is clear that attackers are now carefully selecting high value applications and then working to identify reliable, exploitable vulnerabilities with a view to conducting this type of attack. It is all but guaranteed that we will see more of these in the future.
