The MOVEit breach could be the most devastating exploitation of a zero-day vulnerability ever, and the effects continue to ripple across the globe. The widely used file-transfer program’s vulnerability has led to new victims coming forward weekly. Recently, the New York City Department of Education, UCLA, Siemens Energy and Big 4 accounting firms have announced they were affected by the vulnerability.

The MOVEit exploitation appears to have affected at least 122 organizations and exposed the data of roughly 15 million people. These numbers are based on posts from CL0P, the Russian ransomware group that has claimed responsibility for the attacks.

The CL0P SQL attack

According to a CISA cybersecurity advisory, on May 27, 2023, CL0P (also known as TA505) began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362). The vulnerability was found in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.

In the attack, internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT. Threat actors leveraged this web shell to steal data from underlying MOVEit Transfer databases.

Shortly after evidence of the attack surfaced, Progress patched the vulnerability. Even though the MOVEit patch has been issued, some users of the service continue to be attacked because they haven’t installed the patch on their networks. This underlines the importance of threat intelligence and a well-defined patching strategy.

It seems as if no industry has escaped the consequences of the malicious CL0P campaign. Dozens of entities from the public and private sectors have been impacted. Victims include payroll services, retailers, major airlines, government offices, two Department of Energy entities and the U.S. states of Missouri and Illinois.

“Review of the impacted files is ongoing,” said Emma Vadehra, Chief Operating Officer of the New York City Department of Education, “but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers.”

What is a SQL injection attack?

The SQL programming language is used for managing and manipulating databases. A SQL injection vulnerability is a security flaw in a web application that allows an attacker to manipulate the application’s database by injecting malicious SQL statements.

In a SQL (Structured Query Language) injection attack, the threat actor takes advantage of improper handling of user input within the application’s SQL queries. By inserting malicious SQL code into user-supplied input fields, such as forms or URL parameters, the attacker can modify the intended behavior of the SQL query.

For example, let’s say a website has a login form where a user enters their username and password. The application may construct an SQL query using the provided input to check if the user exists in the database and validate their credentials. However, if the application does not properly validate or sanitize the user input, an attacker can craft input that alters the query’s logic or extends its scope.

As per OWASP, the main consequences of a SQL injection attack include:

• Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
• Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
• Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.
• Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack.

Mitigating the MOVEit attack

The top CISA recommendations in response to the MOVEit vulnerability include:

1. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
2. Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
3. Monitor network ports, protocols and services, activating security configurations on network infrastructure devices such as firewalls and routers.
4. Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.

However, even if your organization doesn’t use MOVEit, your vendors might be affected, which exposes you to risk. Therefore, it’s a good idea to contact all your vendors to inquire whether they use MOVEit and what measures they have taken in response to the vulnerability. Also, companies should review vendor contracts for data breach notification requirements to ensure that vendors meet their obligations.

Feds tweet reward for information

Meanwhile, CISA and the FBI are offering a $10 million reward to anyone that can offer intelligence on the CL0P ransomware gang.

A tweet posted by the U.S. Department of State’s “Rewards for Justice” program reads, “Reward up to $10 million. For information on the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. Send us your information on Signal, Telegram, WhatsApp or via our Tor-based tip line below.”

Preventing zero-day exploits

Here are steps companies can take to uncover vulnerabilities and lessen the impact of zero-day attacks:

• Patch management: Formal patch management can help security teams remain aware of critical patches.
• Vulnerability management: Vulnerability assessments and penetration tests can help companies detect zero-day vulnerabilities before adversaries find them.
• Attack surface management (ASM): ASM enables security teams to identify all network assets and scan them for vulnerabilities. ASM tools assess the network from an attacker’s perspective, focusing on how threat actors might try to exploit assets.
• Threat intelligence: Security researchers are often the first to identify zero-day vulnerabilities. Organizations that receive threat intelligence updates may be informed about zero-day vulnerabilities sooner.
• Anomaly-based detection methods: Machine learning tools can spot suspicious activity in real-time. Common anomaly-based detection solutions include user and entity behavior analytics (UEBA), extended detection and response (XDR) platforms, endpoint detection and response (EDR) tools and some intrusion detection and intrusion prevention systems.

The impact of the MOVEit breach continues to reach far and wide. Security teams must stay on top of their game to prevent similar zero-day attacks in the future.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence or offensive security services schedule a meeting here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:
US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.