On May 29, 2023, a critical security vulnerability, identified as CVE-2023-34362, was published, leaving users of MOVEit Transfer software at high risk.
According to Progress, organizations have reported possible exploitation in the wild. It is therefore crucial that any business using MOVEit Transfer take immediate action, especially since all versions of this widely deployed file transfer software are affected by this vulnerability.
This blog post covers the details of this vulnerability, discusses its implications, and provides recommendations for users to mitigate the risk.
MOVEit Transfer, a Windows-based managed file transfer service, can be used either on the cloud or installed on-premises.
A SQL injection vulnerability has been found in an API endpoint of the MOVEit Transfer web application. It lets an attacker run their own statements against the underlying database and exfiltrate its contents. In some cases it goes further, allowing them to execute commands on the server and potentially reach other parts of the network through lateral movement.
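The mechanism behind this class of bug, as an added example that is not code from MOVEit Transfer or from the original post: a hypothetical file-search query built by string concatenation sits beside its parameterised replacement, and the same attacker-supplied search string is sent to both. The table, column names and download tokens are constructed for the demo and are not MOVEit's real schema.

```python
import sqlite3

# Hypothetical file-metadata table; not MOVEit Transfer's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name, secret) VALUES (?, ?, ?)",
        [("alice", "q1-report.pdf", "dl-token-alice-1"),
         ("alice", "payroll.xlsx", "dl-token-alice-2"),
         ("bob", "contract.docx", "dl-token-bob-1")],
    )
    return conn

def search_files_vulnerable(conn, owner, name_filter):
    # The caller's search string is spliced into the SQL text, so a quote in it
    # terminates the string literal and whatever follows is parsed as SQL.
    sql = (f"SELECT owner, name, secret FROM files "
           f"WHERE owner = '{owner}' AND name LIKE '%{name_filter}%'")
    return conn.execute(sql).fetchall()

def search_files_safe(conn, owner, name_filter):
    # Parameterised query: the search string is bound as data and never parsed as SQL,
    # so the same payload is just an (unmatched) LIKE pattern.
    sql = "SELECT owner, name, secret FROM files WHERE owner = ? AND name LIKE ?"
    return conn.execute(sql, (owner, f"%{name_filter}%")).fetchall()

# Attacker-controlled search string: closes the LIKE literal, ORs in a tautology,
# and comments out the trailing quote that the template appends.
PAYLOAD = "%' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    # Bob's legitimate search returns only his own file.
    print("bob, legitimate search:", search_files_vulnerable(conn, "bob", "contract"))
    # The injected search returns every tenant's rows, download tokens included.
    print("bob, injected (vulnerable):", search_files_vulnerable(conn, "bob", PAYLOAD))
    # The parameterised version returns nothing for the same input.
    print("bob, injected (safe):", search_files_safe(conn, "bob", PAYLOAD))
```

The vulnerable query turns into `WHERE owner = 'bob' AND name LIKE '%%' OR 1=1 --%'`, so the owner check is defeated and every row in the table comes back; that is the data-exfiltration path the advisory describes, and no amount of input "cleaning" is as reliable as binding the value as a parameter.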
The recently discovered vulnerability in MOVEit Transfer poses a serious threat to organizations utilizing this file transfer service. Attackers have reportedly been able to exploit this vulnerability since March 2023.
There have been reports that on May 27 the CL0P ransomware gang exploited this vulnerability. Using it, the group uploaded a web shell tracked as LEMURLOOT, through which they could query the underlying MOVEit database and execute arbitrary code remotely, compromising the confidentiality, integrity, and availability of the system.
According to CISA (the Cybersecurity and Infrastructure Security Agency), the CL0P group has been known since 2019, when it launched a large-scale spear-phishing campaign. Its tactic is to steal and then encrypt victim data, refuse to restore access until the ransom is paid in full, and publish the exfiltrated data on a Tor-hosted leak site and other public media. Exfiltrating a victim's sensitive data in addition to encrypting it is known as "double extortion."
The group typically targets sizable corporations, specifically those operating in the financial, healthcare, manufacturing, and media sectors. They have been observed to set their sights on small and medium-sized enterprises as well.
Given the speed and ease of the current MOVEit exploitation, and based on the group’s past campaigns, the FBI and CISA expect to see a large-scale exploitation of this service.
Given the severity of this vulnerability, MOVEit users must patch their installations as soon as possible. Until the patch is applied, Progress strongly recommends blocking inbound HTTP and HTTPS traffic (TCP ports 80 and 443) to the MOVEit Transfer environment to prevent unauthorized access. Note what this does and does not cover: with those ports blocked, the web UI, the REST, Java and .NET APIs, MOVEit Automation tasks that use the native MOVEit Transfer host, and the Outlook add-in stop working, while SFTP and FTP/S transfers continue as normal, so file exchange over those protocols can keep running during the outage.
This recent incident serves as a reminder that critical vulnerabilities can occur, and traditional security measures are not always sufficient. While network monitoring can assist in detecting data exfiltration, it is important to acknowledge that threat actors may employ techniques to bypass detection. A WAF (web application firewall) should theoretically detect SQLi attacks, but these devices have their limitations, including not being able to detect low-and-slow attacks on APIs. Plenty of publicly disclosed breaches included attackers bypassing WAFs.
A multi-layered approach is therefore essential. It should combine proactive measures such as secure coding practices (parameterised queries would have removed this class of bug at the source) with continuous monitoring for suspicious activity, using behavioral analytics, anomaly detection, and machine learning to identify abuse accurately, particularly abuse of and attacks against APIs.
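To make the contrast between signature-based and behavioral detection concrete, here is an added example that is not part of the original post and not Salt's or any vendor's detection logic. It runs three rules over a handful of constructed access-log lines (client, timestamp, request line, status code; not real MOVEit logs): a WAF-style SQL injection signature on the decoded request, a volumetric rate limit, and a behavioral rule that flags a client touching many distinct API endpoints with mostly error responses, however slowly it does so. The client addresses, paths and thresholds are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not real MOVEit logs): client, time, request line, status.
# 203.0.113.5 is a normal user, 198.51.100.7 fires one obvious injection attempt,
# 192.0.2.44 probes a new endpoint every half hour and never trips a rate limit.
SAMPLE_LOG = """\
203.0.113.5 [2023-06-01T09:00:00Z] "GET /api/v1/files HTTP/1.1" 200
203.0.113.5 [2023-06-01T09:00:04Z] "GET /api/v1/files/17 HTTP/1.1" 200
203.0.113.5 [2023-06-01T09:00:09Z] "GET /api/v1/files/18 HTTP/1.1" 200
198.51.100.7 [2023-06-01T09:10:00Z] "GET /api/v1/folders?id=1%27%20OR%201%3D1-- HTTP/1.1" 500
192.0.2.44 [2023-06-01T08:00:00Z] "GET /api/v1/folders?id=1 HTTP/1.1" 401
192.0.2.44 [2023-06-01T08:31:00Z] "GET /api/v1/users?name=a HTTP/1.1" 401
192.0.2.44 [2023-06-01T09:02:00Z] "POST /api/v1/token HTTP/1.1" 400
192.0.2.44 [2023-06-01T09:33:00Z] "GET /api/v1/files?id=2 HTTP/1.1" 404
192.0.2.44 [2023-06-01T10:04:00Z] "GET /api/v1/reports HTTP/1.1" 401
192.0.2.44 [2023-06-01T10:35:00Z] "GET /api/v1/settings HTTP/1.1" 401
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')
# Deliberately small signature set, to stand in for what a WAF rule does.
SQLI_RE = re.compile(r"('\s*(or|and)\s+\S+\s*=|union\s+select|--|;\s*(drop|exec))", re.I)

def parse(log_text):
    """Turn raw lines into event dicts; the request target is URL-decoded once."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        client, ts, method, target, status = m.groups()
        events.append({
            "client": client,
            "when": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "method": method,
            "path": urlsplit(target).path,
            "target": unquote(target),
            "status": int(status),
        })
    return events

def max_requests_per_minute(times):
    """Largest number of requests inside any sliding 60-second window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > 60:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(log_text, rate_threshold=10, recon_paths=5, recon_error_ratio=0.8):
    """Return {client: [rule names]} for every client that trips at least one rule."""
    by_client = defaultdict(list)
    for e in parse(log_text):
        by_client[e["client"]].append(e)
    findings = defaultdict(set)
    for client, evs in by_client.items():
        # Rule 1: payload signature on the decoded request line (WAF-style).
        if any(SQLI_RE.search(e["target"]) for e in evs):
            findings[client].add("sqli_signature")
        # Rule 2: volumetric rate limit; a low-and-slow client stays under it.
        if max_requests_per_minute([e["when"] for e in evs]) > rate_threshold:
            findings[client].add("rate_limit")
        # Rule 3: behavioral; many distinct endpoints, mostly errors, regardless of pace.
        distinct = {(e["method"], e["path"]) for e in evs}
        errors = sum(1 for e in evs if e["status"] >= 400)
        if len(distinct) >= recon_paths and errors / len(evs) >= recon_error_ratio:
            findings[client].add("low_and_slow_recon")
    return {c: sorted(rules) for c, rules in findings.items()}

if __name__ == "__main__":
    for client, rules in analyze(SAMPLE_LOG).items():
        print(client, rules)
```

The noisy client is caught by the signature alone; the reconnaissance client never sends a string the signature knows and never exceeds the rate limit, so only the behavioral rule sees it. In practice the baseline for "many distinct endpoints" and "mostly errors" has to be learned per API and per user population, which is where the analytics the paragraph describes earn their keep.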
The Salt Security API Protection Platform applies cloud-scale big data, and ML and AI to enable organizations to catalog their APIs, see where they expose sensitive data, detect and block API attackers, and provide remediation insights that developers can use to improve API security posture over time. The platform’s ability to baseline user and API behavior over time enables it to identify the malicious behaviors of bad actors performing reconnaissance to learn a company’s APIs, attempting account takeovers, or abusing APIs to exfiltrate data.
To ensure the security of your MOVEit installation, take the following actions: