MOVEit Transfer and MOVEit Cloud customers experienced data theft attacks through the exploit of critical vulnerabilities beginning at the end of last month. High profile organisations across the UK and USA suffered massive data breaches as a result.  

 

Ongoing investigation into these attacks have resulted in three vulnerabilities being identified and patched by Progress Software, the company behind MOVEit Transfer and MOVEit Cloud. In their summary of this actively developing case, Progress Software state that the third vulnerability to be identified is currently believed not to have been exploited in these attacks, however because it was publicly disclosed by a third party it has been urgently patched alongside the exploited flaws. The attacks are believed to have begun at the end of May, with security researchers at Rapid7 identifying indicators of compromise since 27th May, and evidence of data exfiltration starting on 28th May. The original advisory from Progress Software was published on the 31st May but has been continued to be updated as the situation develops, including the publishing of further advisories to detail other flaws.  

 

MOVEit Transfer is a managed file transfer service that can be used as an on-premises solution, which is managed by the customer, or as a cloud-based solution (MOVEit Cloud) on an SaaS platform managed by the developer, Progress Software. This product is designed to securely transfer files between businesses and customers allowing for SFTP, SCP, and HTTP-based files to be uploaded and transferred. The BBC have published the names of some customers who use this product, including themselves, British Airways, Boots, Aer Lingus, and payroll-provider Zellis, who had 8 client’s data stolen, when reporting on customers who have been affected by the recent data exfiltration attacks. Rapid7 also mention that a wide range of organisations were targeted in these attacks, “particularly in North America”.  

 

These attacks have been claimed after the fact to have been performed by Russian-based ransomware gang Cl0p, with one member being singled out for responsibility by Microsoft. Ransom demands have since been posted on the data leak site used by the Cl0p ransomware gang, with a deadline of 14th June for their current victims to be able to pay to have their stolen data deleted, just 8 days after the first posting of their demands. This delay is not unknown for this threat actor, as their ransom demands for their Go Anywhere attacks at the start of the year were published over a month after the initial data was stolen. Within their ransom demands Cl0p state that data stolen from government, city, or police services were erased as they did not want to expose that information, so those organisations have no need to contact the threat actor. Despite being known for ransomware, the attacks carried out by Cl0p recently have been data exfiltration attacks only, with no encryption involved. 

 

The original zero-day vulnerability that was exploited in these attacks is tracked as CVE-2023-34362 and has been assigned a CVSS base score of 9.8, with a critical severity rating. This is an SQL injection vulnerability, so the effects of an exploit may be different depending on the SQL database engine in use on the vulnerable system, whether it is MySQL, Microsoft SQL Server, or Azure SQL. An unauthenticated attacker can potentially gain access to the MOVEit Transfer database through the web application by performing SQL injection. This is done through inferring information about the structure and contents of the database and then executing SQL statements to change or delete certain database elements. The threat actors sent malicious HTTP and HTTPS traffic through the MOVEit Transfer system in order to perform this exploit. A detailed technical analysis of the remote code execution attack chain has been performed by Rapid7, where they discover how the threat actor used the SQL injection flaw to perform unauthenticated code execution. 

 

The second SQL injection vulnerability discovered is tracked as CVE-2023-35036 and was patched by an update to the original vulnerability’s patch version. In this patch a file believed by security researchers to have been involved in the original attack chain has been changed, although no exploits of this second vulnerability have been confirmed. Despite this, this flaw has received a critical severity rating and a CVSS base score of 9.1. In a theoretical exploit, an unauthenticated attacker could send a malicious payload to a MOVEit Transfer application endpoint. This would allow for unauthorised access to the MOVEit Transfer database, including the ability to read and edit the database contents. As with the first flaw, all versions of MOVEit Transfer were affected by this vulnerability. 

 

The third vulnerability, CVE-2023-35708, was discovered like the second through researchers performing a security audit after the original vulnerability had been exploited in the data extortion attacks. This vulnerability has been confirmed to be critical by Progress Software in their advisory, however a CVSS base score has not yet been posted on this flaw’s NIST NVD (National Vulnerability Database) entry. This is an elevation of privileges vulnerability that can be exploited to provide unauthorised access to the database environment. Similar to the first two flaws this is performed through submitting a payload to a MOVEit Transfer endpoint, that allows the attacker to perform SQL injection. This then provides the attacker with unauthorised access to the database where they can read and edit the database content. 

 

The patch to address the original flaw was updated to include the fix for this third vulnerability. Users who had already applied the initial patch will still need to apply the patch for this flaw. A list of fixed versions is presented in a table in the 15th June advisory. All users who are currently operating MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) need to update to these versions to apply the patches. Mitigation steps have also been suggested by Progress Software, including the disabling of HTTP and HTTPS traffic on ports 80 and 443 by applying firewall rules, which they advise to be done until the patch is fully applied. These patches will prevent future exploit however it is possible that users may not be aware that data has already been exfiltrated. Indicators of Compromise (IoCs)are listed in a CSV file attached at the end of the Progress Software advisory, which administrators can use to determine if an attack has taken place on their system. Researchers at Rapid7 suggest administrators look back at least a month when searching for these IoCs.