+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Critical Flaws Exploited in MOVEit Transfer Data Theft

MOVEit Transfer and MOVEit Cloud customers experienced data theft attacks through the exploit of critical vulnerabilities beginning at the end of last month. High profile organisations across the UK and USA suffered massive data breaches as a result.  

 

Ongoing investigation into these attacks have resulted in three vulnerabilities being identified and patched by Progress Software, the company behind MOVEit Transfer and MOVEit Cloud. In their summary of this actively developing case, Progress Software state that the third vulnerability to be identified is currently believed not to have been exploited in these attacks, however because it was publicly disclosed by a third party it has been urgently patched alongside the exploited flaws. The attacks are believed to have begun at the end of May, with security researchers at Rapid7 identifying indicators of compromise since 27th May, and evidence of data exfiltration starting on 28th May. The original advisory from Progress Software was published on the 31st May but has been continued to be updated as the situation develops, including the publishing of further advisories to detail other flaws.  

 

MOVEit Transfer is a managed file transfer service that can be used as an on-premises solution, which is managed by the customer, or as a cloud-based solution (MOVEit Cloud) on an SaaS platform managed by the developer, Progress Software. This product is designed to securely transfer files between businesses and customers allowing for SFTP, SCP, and HTTP-based files to be uploaded and transferred. The BBC have published the names of some customers who use this product, including themselves, British Airways, Boots, Aer Lingus, and payroll-provider Zellis, who had 8 client’s data stolen, when reporting on customers who have been affected by the recent data exfiltration attacks. Rapid7 also mention that a wide range of organisations were targeted in these attacks, “particularly in North America”.  

 

These attacks have been claimed after the fact to have been performed by Russian-based ransomware gang Cl0p, with one member being singled out for responsibility by Microsoft. Ransom demands have since been posted on the data leak site used by the Cl0p ransomware gang, with a deadline of 14th June for their current victims to be able to pay to have their stolen data deleted, just 8 days after the first posting of their demands. This delay is not unknown for this threat actor, as their ransom demands for their Go Anywhere attacks at the start of the year were published over a month after the initial data was stolen. Within their ransom demands Cl0p state that data stolen from government, city, or police services were erased as they did not want to expose that information, so those organisations have no need to contact the threat actor. Despite being known for ransomware, the attacks carried out by Cl0p recently have been data exfiltration attacks only, with no encryption involved. 

 

The original zero-day vulnerability that was exploited in these attacks is tracked as CVE-2023-34362 and has been assigned a CVSS base score of 9.8, with a critical severity rating. This is an SQL injection vulnerability, so the effects of an exploit may be different depending on the SQL database engine in use on the vulnerable system, whether it is MySQL, Microsoft SQL Server, or Azure SQL. An unauthenticated attacker can potentially gain access to the MOVEit Transfer database through the web application by performing SQL injection. This is done through inferring information about the structure and contents of the database and then executing SQL statements to change or delete certain database elements. The threat actors sent malicious HTTP and HTTPS traffic through the MOVEit Transfer system in order to perform this exploit. A detailed technical analysis of the remote code execution attack chain has been performed by Rapid7, where they discover how the threat actor used the SQL injection flaw to perform unauthenticated code execution. 

 

The second SQL injection vulnerability discovered is tracked as CVE-2023-35036 and was patched by an update to the original vulnerability’s patch version. In this patch a file believed by security researchers to have been involved in the original attack chain has been changed, although no exploits of this second vulnerability have been confirmed. Despite this, this flaw has received a critical severity rating and a CVSS base score of 9.1. In a theoretical exploit, an unauthenticated attacker could send a malicious payload to a MOVEit Transfer application endpoint. This would allow for unauthorised access to the MOVEit Transfer database, including the ability to read and edit the database contents. As with the first flaw, all versions of MOVEit Transfer were affected by this vulnerability. 

 

The third vulnerability, CVE-2023-35708, was discovered like the second through researchers performing a security audit after the original vulnerability had been exploited in the data extortion attacks. This vulnerability has been confirmed to be critical by Progress Software in their advisory, however a CVSS base score has not yet been posted on this flaw’s NIST NVD (National Vulnerability Database) entry. This is an elevation of privileges vulnerability that can be exploited to provide unauthorised access to the database environment. Similar to the first two flaws this is performed through submitting a payload to a MOVEit Transfer endpoint, that allows the attacker to perform SQL injection. This then provides the attacker with unauthorised access to the database where they can read and edit the database content. 

 

The patch to address the original flaw was updated to include the fix for this third vulnerability. Users who had already applied the initial patch will still need to apply the patch for this flaw. A list of fixed versions is presented in a table in the 15th June advisory. All users who are currently operating MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) need to update to these versions to apply the patches. Mitigation steps have also been suggested by Progress Software, including the disabling of HTTP and HTTPS traffic on ports 80 and 443 by applying firewall rules, which they advise to be done until the patch is fully applied. These patches will prevent future exploit however it is possible that users may not be aware that data has already been exfiltrated. Indicators of Compromise (IoCs)are listed in a CSV file attached at the end of the Progress Software advisory, which administrators can use to determine if an attack has taken place on their system. Researchers at Rapid7 suggest administrators look back at least a month when searching for these IoCs. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.