The MOVEit breach could be the most devastating exploitation of a zero-day vulnerability ever, and the effects continue to ripple across the globe. The widely used file-transfer program’s vulnerability has led to new victims coming forward weekly. Recently, the New York City Department of Education, UCLA, Siemens Energy and Big 4 accounting firms have announced they were affected by the vulnerability.

The MOVEit exploitation appears to have affected at least 122 organizations and exposed the data of roughly 15 million people. These numbers are based on posts from CL0P, the Russian ransomware group that has claimed responsibility for the attacks.

The CL0P SQL attack

According to a CISA cybersecurity advisory, on May 27, 2023, CL0P (also known as TA505) began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362). The vulnerability was found in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.

In the attack, internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT. Threat actors leveraged this web shell to steal data from underlying MOVEit Transfer databases.

Shortly after evidence of the attack surfaced, Progress patched the vulnerability. Even though the MOVEit patch has been issued, some users of the service continue to be attacked because they haven’t installed the patch on their networks. This underlines the importance of threat intelligence and a well-defined patching strategy.

It seems as if no industry has escaped the consequences of the malicious CL0P campaign. Dozens of entities from the public and private sectors have been impacted. Victims include payroll services, retailers, major airlines, government offices, two Department of Energy entities and the U.S. states of Missouri and Illinois.

“Review of the impacted files is ongoing,” said Emma Vadehra, Chief Operating Officer of the New York City Department of Education, “but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers.”

What is a SQL injection attack?

SQL (Structured Query Language) is the language used to query and manipulate relational databases. A SQL injection vulnerability is a security flaw in a web application that allows an attacker to manipulate the application’s database by injecting malicious SQL statements through the application’s own inputs.

In a SQL (Structured Query Language) injection attack, the threat actor takes advantage of improper handling of user input within the application’s SQL queries. By inserting malicious SQL code into user-supplied input fields, such as forms or URL parameters, the attacker can modify the intended behavior of the SQL query.

For example, say a website has a login form where a user enters a username and password. The application may construct a SQL query from the provided input to check whether the user exists in the database and validate the credentials. However, if the application does not properly validate or sanitize the user input, or builds the query by concatenating that input directly into the SQL text, an attacker can craft input that alters the query’s logic or extends its scope.

As per OWASP, the main consequences of a SQL injection attack include:

  • Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  • Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
  • Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.
  • Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack.
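The login-form scenario above, and the authentication consequence OWASP lists, as an added example that is not part of the original article: a query built by string concatenation beside the same check written with bound parameters. The user table and credentials are constructed sample data for an in-memory SQLite database, and the inputs tried in the comparison are constructed as well.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user store (in-memory SQLite).

    Passwords are kept in plaintext only to keep the demonstration short;
    a real application stores password hashes, not the passwords themselves.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("admin", "s3cret-admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL text from user input: quotes and comment markers in the
    input become part of the query's syntax, so the check can be rewritten."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the values
    separately from the SQL text, so input is only ever compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username: str, password: str) -> dict:
    """Run one login attempt through both implementations on a fresh database."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    # Valid credentials pass both; a wrong password fails both.
    print(compare("alice", "correct horse"), compare("alice", "wrong"))
    # The textbook tautology in the password field: the concatenated query
    # becomes "... AND password = '' OR '1'='1'" and matches every row, so the
    # vulnerable check grants access with no knowledge of any password.
    print(compare("x", "' OR '1'='1"))
```

The parameterized version returns False for the same crafted input because the quote characters never reach the SQL parser as syntax.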

Mitigating the MOVEit attack

The top CISA recommendations in response to the MOVEit vulnerability include:

  1. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
  2. Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
  3. Monitor network ports, protocols and services, activating security configurations on network infrastructure devices such as firewalls and routers.
  4. Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.

However, even if your organization doesn’t use MOVEit, your vendors might be affected, which exposes you to risk. Therefore, it’s a good idea to contact all your vendors to inquire whether they use MOVEit and what measures they have taken in response to the vulnerability. Also, companies should review vendor contracts for data breach notification requirements to ensure that vendors meet their obligations.


Feds tweet reward for information

Meanwhile, CISA and the FBI are offering a $10 million reward to anyone who can offer intelligence on the CL0P ransomware gang.

A tweet posted by the U.S. Department of State’s “Rewards for Justice” program reads, “Reward up to $10 million. For information on the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. Send us your information on Signal, Telegram, WhatsApp or via our Tor-based tip line below.”

Preventing zero-day exploits

Here are steps companies can take to uncover vulnerabilities and lessen the impact of zero-day attacks:

The impact of the MOVEit breach continues to reach far and wide. Security teams must stay on top of their game to prevent similar zero-day attacks in the future.

To learn how IBM X-Force can help you with anything regarding cybersecurity, including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:
US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
