MOVEit Zero-Day Vulnerability

A critical zero-day vulnerability has been disclosed in a secure file transfer product: the “MOVEit” file transfer application by Progress Software Corporation (Progress) has been assigned the critical CVE-2023-34362. Qualys has classified the CVSS base score as 10 and the CVSS 3.1 base score as 9.8.

The flaw is a severe SQL injection vulnerability that could lead to privilege escalation and unauthorised access to the environment. An unauthenticated attacker can gain access to the MOVEit database, in which transfer data is held.

Depending on the database engine in use (MySQL, Microsoft SQL Server or Azure SQL), an attacker can conduct reconnaissance to learn the structure and contents of the database. SQL statements can also be executed to alter or delete database content.
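The mechanism behind a SQL injection flaw of this kind, and the fix that removes it, is easier to see in code. The following is an added illustration, not code from MOVEit or Progress: a constructed in-memory SQLite table stands in for an application's user store, one lookup builds its query by string concatenation and the other uses a driver parameter. The same crafted input returns every row from the first and nothing from the second, because a bound parameter can only ever be a value, never SQL syntax.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an application user table (not MOVEit's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text, so a quote in the input rewrites the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The value travels separately from the query; the database treats it as data only."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print("vulnerable, normal input:  ", lookup_vulnerable(conn, "bob"))
    print("vulnerable, crafted input: ", lookup_vulnerable(conn, crafted))   # every row
    print("parameterized, crafted:    ", lookup_parameterized(conn, crafted))  # no rows
```

The hardened version is the one a database abstraction layer or ORM produces by default; the defect appears wherever query text is assembled from request data, whichever engine (MySQL, SQL Server, Azure SQL) sits behind it.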

The BBC, British Airways, Boots and Aer Lingus are among the growing list of organisations that have fallen victim to the hack. Personal data, including national insurance numbers and bank details, was leaked. Payroll provider Zellis, which provides services to a third of the FTSE 100, has also fallen victim to the hack.

The ransomware gang “Clop” has confirmed they were responsible for the cyber attacks on the MOVEit managed file transfer service.

Clop is a ransomware gang with links to Russia, known for targeting industrial organisations, and has been an active ransomware group over the past several years.

A patch has been released for all supported MOVEit Transfer versions and is available through the following link: MOVEit Transfer Critical Vulnerability (May 2023) – Progress Community.

If the patch cannot be applied, Progress recommends the following workaround.

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  2. Remove any unauthorised files and user accounts.
  3. Review logs for unexpected downloads of files from unknown IPs.
  4. Review IIS logs.
  5. Reset account credentials for MOVEit service accounts.
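Steps 3 and 4 of the workaround come down to reading IIS logs for successful file downloads from addresses that are not expected to fetch files. The script below is an added example of that review, not something published by Progress: it parses the W3C extended log format IIS writes (using the `#Fields:` header to locate columns, so it is not tied to one field order), and flags `GET` requests that returned 200 for a download path from an IP outside an allowlist. The log excerpt, the `/files/` download prefix and the `192.0.2.0/24` "known" range are all constructed assumptions; replace them with your own log files, download URL prefix and partner or corporate ranges.

```python
import ipaddress
from typing import Iterator

# Constructed IIS W3C log excerpt (sample data, not a real MOVEit log). The
# #Fields: line names the columns in the order IIS writes them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-06-01 08:12:01 10.0.0.5 GET /files/report.pdf id=42 443 jsmith 192.0.2.10 Mozilla/5.0 200 0 0 120
2023-06-01 08:13:44 10.0.0.5 GET /files/payroll.xlsx id=77 443 - 198.51.100.23 python-requests/2.31 200 0 0 880
2023-06-01 08:14:02 10.0.0.5 GET /files/payroll.xlsx id=77 443 - 198.51.100.23 python-requests/2.31 401 0 0 3
2023-06-01 08:15:10 10.0.0.5 GET /login.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 0 0 15
"""

# Hypothetical allowlist of ranges that are expected to download files.
KNOWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
# Hypothetical URL prefix under which the application serves file downloads.
DOWNLOAD_PREFIX = "/files/"


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than abort the review
        yield dict(zip(fields, values))


def is_known(ip: str) -> bool:
    """True when the client address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def find_unexpected_downloads(text: str) -> list[dict]:
    """Successful GETs of download paths from addresses outside the allowlist."""
    hits = []
    for rec in parse_w3c(text):
        if (
            rec["cs-method"] == "GET"
            and rec["cs-uri-stem"].startswith(DOWNLOAD_PREFIX)
            and rec["sc-status"] == "200"
            and not is_known(rec["c-ip"])
        ):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_unexpected_downloads(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-uri-stem']} ua={rec['cs(User-Agent)']}")
```

Only the completed (status 200) download from outside the allowlist is reported; the 401 retry and the page load from the third address are not. In a real review, run it over every rotated log file covering the exposure window, and treat the user-agent and the empty `cs-username` on a successful download as further signals worth looking at.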

For Qualys customers, the CVE can be tracked as QID: 378543.

ITC-TI analyst comment:
  • We strongly recommend ensuring a vulnerability and patch management cycle is fully operational and run regularly, so that vulnerabilities are not left to be found by external tools and actively exploited.
  • Review access controls via firewall policies to ensure only authorised users can access applications and services.
  • To prevent unauthorised access without validation and verification, we recommend that all user accounts, and where possible machine accounts, have multifactor authentication configured.
  • To prevent supply chain attacks from hopping into the core business, ITC recommends that all third-party suppliers with access to the core business have undergone an audit.
  • Ensure that a Zero Trust architecture is followed: verify user activity end to end, and assume breach when assessing the scale of impact.
  • Segment devices by criticality to prevent mass disruption across all systems and minimise impact.
  • Implement or review DLP policies to detect files being transferred out to an unusual location, achievable through a Cloud App Security Broker (CASB).
  • Ensure that conditional access policies are enabled to prevent unauthorised access to critical infrastructure.
