Tuesday, June 6th, 2023
Active Exploitation of MOVEit Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical security vulnerability in the Progress MOVEit Transfer managed file transfer (MFT) solution that is actively being exploited. The flaw, known as CVE-2023-34362, is an SQL injection vulnerability that allows remote attackers to access the MOVEit Transfer database and execute malicious code. CISA has instructed U.S. federal agencies to patch their systems by June 23, following a binding operational directive issued in November 2022.
While the directive primarily applies to federal agencies, it is recommended that private companies also prioritize securing their systems against this vulnerability. Progress, the company behind MOVEit Transfer, advises all its customers to install patches to prevent exploitation attempts and potential data breaches. In cases where immediate updates are not possible, disabling all HTTP and HTTPS traffic to MOVEit Transfer environments can reduce the attack surface.
The flaw – CVE-2023-34362 has since been patched with the release of patched versions, namely 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). While MOVEit Cloud was affected, a fix has already been implemented, requiring no action from users.
It has been reported that over 2,500 MOVEit Transfer servers are currently accessible on the internet, with the majority located in the United States. Threat actors have been actively exploiting the CVE-2023-34362 vulnerability since at least May 27 with widespread data theft occurring as a result of this exploitation. The motivation of the attackers is currently unknown, but organisations should prepare for potential extortion and publication of stolen data.
A newly identified web shell called LemurLoot has also been discovered, which assists attackers in harvesting Azure Blob Storage account information. This includes credentials that can be used to extract data from victims’ Azure Blob Storage containers. There are indications of a possible connection between the attacks on MOVEit Transfer servers and the financially-motivated threat group FIN11. FIN11 is known for attempting data theft extortion through the Clop ransomware gang’s leak site, often exploiting zero-day vulnerabilities in file transfer systems.
The attackers’ identity is currently unknown, and they have not yet started extorting their victims. However, their methods bear similarities to previous incidents involving the exploitation of other managed file transfer platforms, such as Accellion FTA and GoAnywhere MFT, both of which were targeted by the Clop ransomware gang for data theft and extortion.
Victims of the exploitation have been identified in the US, Canada and India, with data theft occurring within minutes of the webshell deployment in some cases. International Airlines Group (IAG), a group containing Aer Lingus and British Airways, was targeted as well as Boots and the BBC. Employee data was accessed through a third-party service provider. Zellis, a prominent payroll company, reported that a “global issue” affected eight of its customers, potentially leading to the exposure of personal information such as names and addresses to unauthorised individuals. Aer Lingus and British Airways have notified both the affected personnel as well as the relevant authorities but have confirmed that no financial or bank details were compromised.
This is yet another case highlighting the importance for organisations to prioritise strong third-party security measures to protect themselves from potential threats. In today’s interconnected digital world, businesses rely on third-party vendors and partners to provide critical services such as cloud storage, payment processing, and software development. While these relationships can offer tremendous benefits, they also come with significant risks. Third-party vendors can pose a significant threat to a company’s cybersecurity posture, as they often have access to sensitive data and systems that can be compromised.
Steps to Strengthen Third-Party Security Measures
- Conduct Risk Assessments: Before engaging with a third-party vendor, organisations should conduct a thorough risk assessment to evaluate the potential risks and vulnerabilities associated with the vendor. This assessment should include an evaluation of the vendor’s security controls, data handling practices, and history of security incidents.
- Establish Security Requirements: Organisations should establish clear security requirements for their third-party vendors, including minimum security standards, data handling practices, and incident response procedures. These requirements should be clearly communicated to vendors and monitored regularly to ensure compliance.
- Monitor Third-Party Vendors: Organisations should establish a system for monitoring third-party vendors’ security practices and performance. This can include regular security audits, vulnerability assessments, and ongoing monitoring of vendor activities.
- Establish Incident Response Procedures: In the event of a security incident involving a third-party vendor, organisations should have established incident response procedures to minimize the impact of the incident and restore normal operations as quickly as possible.
- Maintain Communication: Communication is critical in maintaining strong third-party security measures. Organisations should establish clear lines of communication with their vendors to ensure that they are aware of any security issues and can work together to address them.
In conclusion, strong third-party security is essential for protecting private and public organisations from potential cyber threats. By conducting thorough risk assessments, establishing clear security requirements, monitoring vendor activities, and maintaining open communication, you can help ensure that your third-party vendors are maintaining secure and reliable systems. By prioritising third-party security, companies can protect sensitive data, maintain business continuity, comply with regulatory requirements, and safeguard their reputation.
Smarttech247 can help you ensure that you minimise your third-party security risk. Request a free consultation today!
Contact Us
The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.