If you’re unfamiliar with the corporate file-sharing app MOVEit Transfer, it’s still worth studying how it was hacked – if only for its sheer scale: hundreds of organizations were affected, including, among many others, Shell, the New York State Education Department, the BBC, Boots, Aer Lingus, British Airways, several large healthcare providers across the globe, the University of Georgia, and Heidelberger Druck. Both ironically and sadly, MOVEit Transfer is touted as “Secure Managed File Transfer Software for the Enterprise” by its creators, Ipswitch (now part of a company named Progress). It’s a managed file transfer (MFT) system that helps employees share large files with contractors via SFTP, SCP and HTTP, offered as a cloud or on-premise solution.
The series of incidents represents a cautionary tale for everyone in charge of information security at an organization.
How MOVEit Transfer was hacked
Without going into every twist and turn of MOVEit users’ turbulent one-and-a-half-months, we’ll cover the key events.
Reports about suspicious activity on the networks of many organizations that used MOVEit Transfer started surfacing on May 27, 2023. According to an investigation, malicious actors were taking advantage of an unknown vulnerability to steal data by running SQL queries.
On May 31, Progress released their first security bulletin, which summarized the fixes that had been released up to that point and recommended remediation steps. The company originally believed the issue was limited to on-premise installations, but it was later found that the cloud version of MOVEit was affected as well. MOVEit Cloud was temporarily shut down for patching and investigations. Rapid7 researchers counted a total of 2500 vulnerable on-premise servers.
On June 2, the vulnerability was assigned the identifier CVE-2023-34362 and a CVSS score of 9.8 (out of 10). Incident researchers attributed the threat to the cl0p ransomware group. Researchers at Kroll reported on June 9 that the MOVEit exploit likely had been in testing since 2021. Investigations made it apparent that the cyberattack chain did not necessarily end in an SQL injection and that it could include code execution.
To their credit, Progress went beyond patching the software. The company initiated a code audit, making it possible for the Huntress company to both reproduce the entire exploit chain and discover another vulnerability, which would be fixed on June 9 as announced in the next bulletin and designated as CVE-2023-35036. Before many admins got the chance to install that patch, Progress itself discovered another issue – CVE-2023-35708 – and announced it in its June 15 bulletin. MOVEit Cloud was shut down again for ten hours for the fixes to be applied.
June 15 was also notable for the hackers publishing the details of some of the victims and starting ransom negotiations. Two days later, the U.S. government promised up to $10 million for information about the group.
On June 26, Progress announced that it would shut down MOVEit Cloud for three hours on July 2 to beef up server security.
On July 6 developers published another update, which fixed three more vulnerabilities – one of them being critical (CVE-2023-36934, CVE-2023-36932 and CVE-2023-36933).
File sharing services as a convenient attack vector
May’s MOVEit Transfer attack is not the first of its kind. A similar series of attacks targeting Fortra GoAnywhere MFT was launched in January, and late 2020 saw massive exploitation of a vulnerability in Accellion FTA.
Many attacks aim to get privileged access to servers or run arbitrary code, which happened in this case too, but hackers’ objective has often been to execute a quick, low-risk attack to gain access to the databases of a file-sharing service. This helps snatch files without penetrating deep into the system so as to remain under the radar. After all, downloading files that are meant to be downloaded isn’t that suspicious.
Meanwhile, file-sharing databases tend to collect lots of truly important information: thus, a MOVEit Transfer attack victim admitted that the leak contained the data of 45 000 college and school students.
What this means for security teams is that apps like these and their configuration require special attention: steps to take here include limiting administrative access as well as taking additional security measures with regard to database management and network protection. Organizations should promote cyberhygiene among employees by teaching them to delete files from the file exchange system as soon as they cease to need them, and share with only a bare minimum of users.
Focus on servers
For cyberattackers looking to steal data, servers are an easy target since they’re not too closely monitored and contain a lot of data. Unsurprisingly, in addition to massively exploiting popular server-side apps with attacks like ProxyShell or ProxyNotShell, hackers take paths less traveled by mastering encryption of ESXi farms and Oracle databases, or trying services like MOVEit Transfer, which are popular in the corporate world but less known to the general public. This is why security teams need to put the focus on servers:
- prioritize server patching
- use an EDR solution
- limit privilege access
- secure containers, virtual machines and so on
If an app seems to have few vulnerabilities, it means no one’s looked for them
The question of priorities always comes up when an organization starts discussing patches. Vulnerabilities number in the hundreds, and they’re impossible to fix everywhere and all at once, in all applications, and on all computers. So, system admins have to focus on the most dangerous vulnerabilities – or the ones that are the most widespread due to affecting popular software. The MOVEit story teaches us that this landscape is dynamic: if you’ve spent the last year fixing holes in Exchange or other Microsoft products, it doesn’t mean you need to stay focused mostly on those. It’s critical to follow Threat Intelligence trends, and not just eliminate specific new threats but also predict their possible impact on your organization.