In the last week, a critical security flaw in Progress Software's MOVEit Transfer application came to light, exposing organizations to the risk of data breaches and potential extortion attempts.
The vulnerability is an SQL injection flaw within MOVEit Transfer, a widely used file transfer tool employed by enterprises for sharing large files securely over the internet.
Tracked as CVE-2023-34362, the flaw has been actively exploited, Microsoft says, by threat actors affiliated with the Lace Tempest group, known for its involvement in ransomware operations and the notorious CL0P extortion site.
Microsoft's Threat Intelligence Team confirmed this in a recent Twitter thread:
Exploiting this vulnerability allows unauthenticated attackers to gain access to the application's database and execute arbitrary code. Consequently, this grants attackers the ability to manipulate data and potentially compromise sensitive information.
Threat actors leveraging this vulnerability often follow a specific attack pattern, Microsoft said. After exploiting the vulnerability, they deploy a web shell within the compromised system. This web shell grants persistent access to the attackers, enabling them to exfiltrate data from the affected organization.
In this case, data exfiltration can lead to severe consequences, including unauthorized access to personal information, payroll data, and confidential documents.
The impact of the MOVEit vulnerability has already reverberated across organizations worldwide. Zellis, a UK-based human resources software maker, confirmed that its MOVEit system was compromised, potentially affecting a small number of its corporate customers, according to TechCrunch.
Similarly, British Airways and the BBC have come forward as victims, with the former reporting the compromise of payroll data for all its UK-based employees. Even the government of Nova Scotia, relying on MOVEit for interdepartmental file sharing, has warned citizens about potential data breaches.
Zane Bond, Head of Product at Keeper Security, discussed the vulnerability with SecureWorld News:
"In this case, an attacker may be able to infer information about the structure and contents of a MOVEit Transfer database, or even alter or delete database elements. Organizations must take a proactive approach to regularly update software and immediately patch vulnerabilities that can be exploited in cyberattacks.
The first step for administrators utilizing MFT should be to patch the vulnerability or take the service offline until it can be patched, especially now that it is public knowledge. While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations.
The most effective method for minimizing sprawl if an attack does occur is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor's access."
Given the severity of this vulnerability and the associated risks, affected organizations are strongly advised to take immediate action to protect their systems.
Progress Software has released security patches to address the vulnerability, and it is crucial for organizations to apply these patches promptly. Additionally, mitigation measures, such as disabling HTTP and HTTPS traffic to MOVEit Transfer environments, can help reduce the attack surface and mitigate potential risks.
Microsoft, in collaboration with other partners, has published articles, threat intelligence, and guidance to aid organizations in identifying indicators of compromise and implementing effective detection and response strategies.
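The web shell stage of the attack pattern described above is where defenders most often get a detection opportunity: a server-side page appears under the web root that was not there when the application was installed, or an existing page changes. The script below is an added example written for this article, not tooling from Microsoft, Progress Software or MOVEit Transfer. It snapshots the hashes of every file under a web root, then reports executable-type files (ASP.NET page types are assumed, since MOVEit Transfer runs on IIS) that are new or modified relative to that snapshot. The directory layout and file names in the demo are constructed placeholders, not real MOVEit paths.

```python
"""
Baseline-and-diff check for unexpected web content, such as a dropped web shell.

Added example for this article; not code from Microsoft, Progress Software or
MOVEit Transfer. Paths and file names in demo() are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile

# Assumption: the web root is ASP.NET under IIS, so these are the server-side
# executable types worth watching. Adjust for other application stacks.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".dll"}


def _sha256(path: str) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record the SHA-256 of every file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def find_unexpected(root: str, baseline: dict, exts=EXECUTABLE_EXTS) -> list:
    """Return (relative_path, reason) for executable-type files that are new or
    changed since the baseline manifest was taken. Sorted for stable output."""
    findings = []
    current = build_manifest(root)
    for rel, digest in sorted(current.items()):
        _, ext = os.path.splitext(rel)
        if ext.lower() not in exts:
            continue  # static content is not what a web shell looks like
        if rel not in baseline:
            findings.append((rel, "new file not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed since baseline"))
    return findings


def save_manifest(manifest: dict, path: str) -> None:
    """Persist a baseline; take it right after a clean install or patch."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo() -> list:
    """Constructed scenario: snapshot a fake web root, then simulate one extra
    .aspx file appearing and one legitimate page being edited."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        # Constructed placeholder content standing in for legitimate pages.
        for rel in ("app/login.aspx", "app/index.htm", "web.config"):
            with open(os.path.join(root, rel), "w") as f:
                f.write("<!-- constructed placeholder: " + rel + " -->\n")
        baseline = build_manifest(root)
        # A server-side page that was not present at baseline time.
        with open(os.path.join(root, "app", "unexpected_page.aspx"), "w") as f:
            f.write("<!-- constructed: not present at baseline -->\n")
        # A known page whose content has changed.
        with open(os.path.join(root, "app", "login.aspx"), "a") as f:
            f.write("<!-- constructed: modification -->\n")
        return find_unexpected(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"ALERT {rel}: {reason}")
```

In practice the baseline should be taken immediately after a clean install or after applying the vendor patch, stored off the web server, and the check run on a schedule or from an incident-response playbook; a hit is a lead to investigate (compare against the vendor's published files and web server logs), not proof of compromise on its own.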