The MOVEit breach impact and fallout: How can you respond? (CVE-2023-34362)


The recent MOVEit breach could go down as one of the most impactful exploitations of a zero-day vulnerability ever discovered. The effects continue to ripple around the world, with new victims coming forward almost weekly. Major organizations like the New York City Department of Education, UCLA, Siemens Energy, and Big 4 accounting firms have all announced in recent weeks that they were affected by the vulnerability as well.

The scope of the MOVEit exploitation appears massive, impacting at least 122 organizations so far and exposing the personal data of approximately 15 million people. These figures come directly from posts made by CL0P, the Russian ransomware group claiming responsibility for the attacks.

Understanding the CL0P SQL attack

The attacker's methods first came to light at the end of May 2023, and CISA and the FBI later published a joint advisory on the campaign. According to that advisory, the CL0P group (also known as TA505) began exploiting a previously unknown SQL injection flaw in Progress Software's managed file transfer product, MOVEit Transfer, on May 27, 2023. The flaw is tracked as CVE-2023-34362.

In the attack, the SQL injection was used to plant a web shell (named LEMURLOOT by Mandiant) on internet-facing MOVEit Transfer servers. The threat actors then used this backdoor to enumerate and exfiltrate data from the underlying MOVEit Transfer databases. Progress released a patch for the vulnerability on May 31, 2023, within days of the first signs of the attack.

However, some MOVEit users continue to be breached because they have not yet installed the patch. Note also that patching closes the injection flaw but does not remove a web shell that was planted before the patch was applied, so patched servers still need to be checked for unexpected files and database accounts. This situation underscores the importance of actionable threat intelligence and a clear patching and verification strategy.

So far, no industry seems to have escaped the effects of this malicious CL0P campaign. Dozens of public and private sector entities have been confirmed as victims, including payroll services, retailers, major airlines, government offices, two Department of Energy facilities, and the states of Missouri and Illinois.

“Our review of the impacted files is ongoing, but preliminary results show that approximately 45,000 students were affected, in addition to DOE staff and related service providers,” said Emma Vadehra, COO of the New York City Department of Education. “Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers.”

What is a SQL injection attack?

SQL (Structured Query Language) is the language used to query and manage relational databases. A SQL injection vulnerability is a flaw in an application that lets an attacker alter the SQL statements the application sends to its database by supplying crafted input.

In a SQL injection attack, the threat actor exploits improper handling of user-supplied input within the application’s SQL queries. By inserting malicious SQL code into input fields like forms or URL parameters, the attacker can modify the intended behavior of the SQL query.

For example, consider a website with a login form where users enter their username and password. The application might build a SQL query from that input to check whether the user exists and whether the password matches. If the application assembles the query by concatenating the raw input into the SQL text, an attacker can supply input containing quotes, operators, or comment markers that alter the query's logic or extend its scope. The standard fix is to use parameterized queries (prepared statements), which pass user input to the database as data rather than as part of the query text.

According to OWASP, the main consequences of a successful SQL injection attack include:

  • Confidentiality loss: Since SQL databases often contain sensitive data, confidentiality loss is a frequent issue with SQL injection flaws.
  • Compromised authentication: Poorly constructed SQL commands for checking usernames and passwords could allow an attacker to connect to a system as another user without knowing the password.
  • Unauthorized access: If authorization details are stored in an SQL database, it may be possible to modify this data and gain unauthorized access through a SQL injection attack.
  • Data integrity loss: In addition to reading sensitive information, attackers may be able to modify or even delete data via SQL injection.
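The login example above and the first two consequences in the OWASP list (confidentiality loss and compromised authentication) can be shown end to end against an in-memory SQLite database. The following is an added example, not code from the article or from MOVEit Transfer; the schema, the user and "secrets" rows, and the two login functions are all constructed for illustration.

```python
"""Added example: a concatenated SQL login query and its parameterised
counterpart, exercised with two classic injection payloads.
All data is constructed in an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table, plus a 'secrets' table that
    stands in for the sensitive data a file-transfer database would hold."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'correct horse');
        INSERT INTO users (username, password) VALUES ('bob', 'hunter2');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, owner TEXT, content TEXT);
        INSERT INTO secrets (owner, content) VALUES ('alice', 'SSN 000-00-0000');
        INSERT INTO secrets (owner, content) VALUES ('bob', 'payroll-export.csv');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by string concatenation. Untrusted input becomes part
    of the SQL text, so quotes and comment markers change the query's logic."""
    sql = (
        "SELECT username, password FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver sends the values separately from the
    SQL text, so the input is compared as data and never parsed as SQL."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def run_demo() -> dict:
    """Runs both implementations against a legitimate login and two payloads."""
    conn = make_db()
    # Compromised authentication: turns the WHERE clause into an always-true test.
    bypass = "' OR '1'='1"
    # Confidentiality loss: a UNION pulls rows from an unrelated table and the
    # trailing comment discards the rest of the original query.
    exfil = "' UNION SELECT owner, content FROM secrets --"
    results = {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "bypass_vuln": login_vulnerable(conn, bypass, bypass),   # every user row
        "bypass_safe": login_safe(conn, bypass, bypass),         # no rows
        "exfil_vuln": login_vulnerable(conn, exfil, "x"),        # the secrets rows
        "exfil_safe": login_safe(conn, exfil, "x"),              # no rows
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:12s} -> {rows}")
```

The vulnerable function returns both user rows for the bypass payload and the contents of the secrets table for the UNION payload; the parameterized version returns nothing for either, while still authenticating the legitimate user. The same pattern applies to any database driver: the fix is in how the query is constructed, not in filtering the input.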

Mitigating the MOVEit attack

CISA's top recommendations for responding to the MOVEit vulnerability are:

  • Inventory assets and data, identifying authorized and unauthorized devices and software.
  • Only grant admin privileges when necessary, establishing a software allow list permitting only legitimate applications to run.
  • Monitor network ports, protocols, and services, activating security configurations on network devices like firewalls and routers.
  • Regularly patch and update software to the latest versions, and perform periodic vulnerability scans.

However, even if your organization does not use MOVEit, your vendors may, exposing you to risk through them. Ask each vendor whether they run MOVEit Transfer and what measures they have taken in response to the vulnerability. Also review vendor contracts for data breach notification clauses so you can confirm vendors meet their obligations.

You may also want to explore incident response services to ensure you have support if breached. With the help of experts like ResilientX Security, you can contain attacks faster and minimize damage.


Feds tweet $10 million reward for info

Meanwhile, the U.S. State Department's Rewards for Justice program has tweeted a reward of up to $10 million for information on the CL0P ransomware gang.

The tweet from the State Department’s Rewards for Justice program reads: “Reward up to $10 million. For information on the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. Send us your information on Signal, Telegram, WhatsApp or via our Tor-based tip line below.”

Preventing zero-day exploits

Here are proactive steps organizations can take to uncover vulnerabilities and reduce the impact of zero-day attacks:

  • Patch management: Formal patch management helps security teams stay aware of critical patches.
  • Vulnerability management: Vulnerability assessments and penetration testing can surface previously unknown flaws in your own deployments before attackers find them.
  • Attack surface management: ASM lets security teams identify all network assets and scan them for vulnerabilities from an attacker’s perspective.
  • Threat intelligence: Security researchers often first identify zero-day flaws. Timely threat intel updates can provide early warnings.
  • Anomaly detection: Behavioral analytics and endpoint tooling such as UEBA, XDR, EDR, and some IDS/IPS can flag suspicious activity (for example, new files in a web root or unusual database queries) even when no signature for the exploit exists yet.

The damage from the MOVEit breach continues to spread. Zero-day exploitation cannot be prevented outright, so to limit the impact of similar attacks in the future, security teams must maintain continuous monitoring, rapid patching, and tested response capabilities.
