In quick succession from the end of May into mid-June, software developer Progress released three advisories urging customers of its popular managed file transfer (MFT) solution, MOVEit, to update immediately to the latest release. In that time, the company was made aware of three critical vulnerabilities: CVE-2023-34362 on May 31, CVE-2023-35036 on June 9, and CVE-2023-35708 on June 15.
It was then disclosed that CVE-2023-34362 was being exploited in the wild by CL0P, a large Russian ransomware gang, to compromise public and private sector organizations using MOVEit. At the time of publishing, almost 100 affected organizations have been identified around the globe across dozens of industries, including banking and financial services, insurance, healthcare, and government.
Why should I care?
MFT solutions are used globally to help centralize all aspects of inbound and outbound file transfers. They help teams automate and streamline data transfer processes internally, across private networks, and externally with third parties and contractors.
Naturally, this means MFT solutions are leveraged for transferring large files, and in many cases high volumes of sensitive data. Not only does this mean that a malicious insider could easily copy and transfer highly valuable and sensitive files for their own gain, but it also means that malicious actors could access a massive scope of proprietary information and customer data.
How attackers are exploiting these vulnerabilities
Researchers are indicating that attackers string the zero-days together to gain access to the vulnerable organization’s MOVEit database files, then exfiltrate them and hold them for ransom. They appear to be executing these smash-and-grab attacks as quickly as possible to gain access to as much data as possible from as many vulnerable organizations as they can.
They do this by first targeting CVE-2023-34362, an SQL injection vulnerability that attackers exploit to install a malicious web shell in the MOVEit web apps. Once it's installed, the shell generates a random password that the attacker eventually uses to authenticate and then pass commands to the web shell. Those commands enable them to retrieve Azure system settings, enumerate the associated SQL database, retrieve files, and create a privileged administrator account.
The two subsequent vulnerabilities, CVE-2023-35036 and CVE-2023-35708, are also SQL injection vulnerabilities, and can be exploited further to potentially allow an unauthenticated attacker to access the MOVEit Transfer database. An attacker could then submit a maliciously crafted payload to a MOVEit endpoint, which could enable them to modify and disclose the database's content.
What can I do about it?
First and foremost, if you are a current MOVEit customer, you should follow Progress's instructions on how to patch both the original vulnerability and the more recent ones. This should also serve as a reminder to keep all of your on-premises and cloud solutions updated to the latest versions, to make sure your apps aren't publicly exposed to the open internet, and to continuously monitor all users, devices, and networks to detect any anomalous behavior or file interactions.
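One way to watch for the web shell drop described above, as an added example that is not from Progress or Lookout: hash the executable content under the web application directory on a clean, patched install, then report anything added or changed since. The extension list, file names and temporary directory are constructed for the demo; point `snapshot` at your own web root.

```python
import hashlib
import os
import tempfile

# File types that IIS/ASP.NET executes or loads; an assumption, extend as needed.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config", ".dll"}


def snapshot(web_root):
    """Map each executable-content file under web_root to its SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, web_root).replace(os.sep, "/")] = digest
    return manifest


def diff_against_baseline(baseline, current):
    """Return files added, modified or removed since the known-good baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed web root: baseline, then one dropped page and one edit."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("default.aspx", "login.aspx", "web.config"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("vendor content for " + name)
        baseline = snapshot(root)  # taken from a clean, patched install
        with open(os.path.join(root, "unexpected_page.aspx"), "w") as fh:
            fh.write("constructed stand-in for a dropped file")
        with open(os.path.join(root, "web.config"), "a") as fh:
            fh.write("<!-- constructed tamper -->")
        return diff_against_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off the server so an intruder with write access to the web root cannot also rewrite it.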
How Lookout Secure Private Access can help
As is the case when any zero-day vulnerability is discovered and revealed, attackers everywhere are scanning the internet in search of vulnerable MOVEit servers. Lookout customers leveraging Lookout Secure Private Access, a zero trust network access (ZTNA) solution, are equipped with a handful of ways to protect their sensitive data and mitigate the risk associated with these vulnerabilities.
Secure third-party access
MFT systems like MOVEit are frequently used by internal employees to share files with third-party vendors and contractors, which can open the organization up to risk. Lookout Secure Private Access enables secure third-party access to these apps and files, which ensures secure collaboration and mitigates the risk of unauthorized users gaining access to sensitive files. In addition, putting your MOVEit instance behind Secure Private Access cloaks it from exposure on the Internet — mitigating the risk of discovery and exploitation by attackers.
User and entity behavior analytics (UEBA)
In many cases, attackers will compromise credentials via phishing, enter the infrastructure, and escalate their privileges in order to be able to move laterally and compromise valuable data. Not only can Lookout detect anomalous behavior, but it can also integrate with enhanced authentication services like Okta to require step-up authentication when the user attempts to access sensitive data.
Data loss prevention (DLP)
With integrated digital rights management and encryption capabilities, Lookout enables IT and security teams to implement policies that can identify and encrypt sensitive data even if it’s moved offline or to an unmanaged device.