
MOVEit... Is it Really a Shields Up Moment?

Updated: Feb 27, 2024



By now, you have probably seen the recommended actions and mitigations to protect against and reduce impact from CL0P Ransomware Gang exploiting a MOVEit vulnerability (CVE-2023-34362). In case you haven't seen such recommendations, please see the CISA posting or the Progress Software posting.


MOVEit is secure file transfer and automation software used by enterprises and government agencies. Attackers are targeting vulnerabilities in MOVEit Transfer and MOVEit Cloud. Specifically, CVE-2023-34362 is a SQL injection vulnerability.


The CL0P Ransomware Gang is known for "driving global trends in criminal malware distribution". In May 2023, this gang exploited the SQL injection zero-day vulnerability CVE-2023-34362 to install a web shell named LEMURLOOT on MOVEit Transfer web applications.


SQL injection (SQLi) vulnerabilities are not new or emerging; they have been around for over two decades. A SQLi vulnerability occurs when user-supplied input is not properly validated or sanitized, allowing attackers to manipulate database queries and potentially access or modify sensitive information.


The recommendations for MOVEit are straightforward:

  • Asset & Software Inventory: Build or maintain an up-to-date enterprise asset and software inventory to determine if and where MOVEit is being used within your enterprise.

  • Access Control Management: Limit the use of admin privileges; grant admin privileges and access only when and where necessary. Related to software inventory, establish and maintain a software allow list to restrict the use of any MOVEit software, or to permit only approved versions of MOVEit software.

  • Network Monitoring & Defense: Centralize security event alerting to detect MOVEit vulnerability exploitation and perform application layer filtering to virtually remediate SQLi vulnerabilities.

  • Continuous Vulnerability Management: Maintain up-to-date patching for all MOVEit software. (Please see related Progress Software knowledge base.)

If you are concerned about ransomware and if you are using MOVEit software within your enterprise, then the X-Analytics Community would recommend applying the above recommendations. If you are not sure if your industry has a ransomware problem, or if you don't know the potential impacts of ransomware, then please find your latest industry benchmark within the Community Insights.


Is the Hype Real?

According to numerous public and private outlets, the exploitation of MOVEit vulnerabilities is real and is expected to lead to widespread exploitation.

  • NIST: CVE-2023-34362 has a base score of 9.8 (out of 10), which is considered critical.

  • Progress Software: As the publisher of MOVEit software, it recommends that all MOVEit Transfer customers take action and apply the software patch.

  • CISA: The FBI and CISA published a joint advisory urging swift remediation.

Further, Bloomberg published a list of companies and organizations affected by the CL0P-MOVEit hack.


The above references clearly suggest urgency. However, the easy exploitation of a well-known security weakness may point to a widespread flaw in how enterprises manage cyber risk.



A Different Perspective

The CL0P-MOVEit scenario is not unique. For MOVEit or any other software, exploiting a vulnerability generally involves identifying a security weakness, understanding how it can be exploited, and then carrying out the attack. Common types of vulnerabilities that have been exploited for over twenty years include:

  1. Remote Code Execution (RCE): This vulnerability allows an attacker to execute arbitrary code on a target system, potentially gaining control over it.

  2. SQL Injection (SQLi): This vulnerability occurs when user-supplied input is not properly validated or sanitized, allowing attackers to manipulate database queries and potentially access or modify sensitive information.

  3. Cross-Site Scripting (XSS): This vulnerability enables attackers to inject malicious scripts into web pages viewed by other users, potentially leading to the theft of sensitive information or session hijacking.

  4. Denial-of-Service (DoS): This vulnerability aims to overwhelm a system, network, or service to the point where it becomes unavailable to legitimate users.

To mitigate and prevent such vulnerabilities, it is crucial to regularly update software components, apply security patches, follow secure coding practices, conduct thorough security testing, and adhere to cybersecurity best practices. Alternatively, web application firewalls (or application-layer filtering) have been successful at reducing RCE, SQLi, and XSS exploitation.
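The SQLi definition above (and the earlier one in this post) is abstract; the following added example, which is not code from the original post nor from MOVEit, makes it concrete. It builds a constructed in-memory SQLite user table (a hypothetical stand-in, not MOVEit's schema), shows a login query assembled by string concatenation next to the same query using bound parameters, and adds a simple allow-list validation of the username as the kind of input filtering the mitigation paragraph refers to. The same unvalidated input that changes the meaning of the concatenated query is treated as plain data by the parameterized one.

```python
import re
import sqlite3


def build_db():
    """Constructed sample user store (hypothetical; plaintext passwords are used
    only to keep the example short, real systems store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text, so quotes and
    keywords inside the input are parsed as SQL syntax, not compared as data."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Hardened pattern: bound parameters are sent separately from the SQL text,
    so whatever the input contains, it can only ever be a value to compare."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Allow-list for usernames: letters, digits, dot, underscore, dash, 1-64 chars.
# Rejecting anything else up front is the application-layer filtering idea.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_username(username):
    """Return True only if the whole string matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run the same inputs through both query styles and return the outcomes."""
    conn = build_db()
    # Constructed tautology input: closes the string literal and appends a
    # condition that is always true, so the concatenated query matches any row.
    injected = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", injected),
        "safe_valid": login_parameterized(conn, "alice", "correct-horse"),
        "safe_injected": login_parameterized(conn, "alice", injected),
        "username_ok": validate_username("alice"),
        "username_rejected": validate_username(injected),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the concatenated version the injected password yields a row even though no password matched, because the query's WHERE clause became `username = 'alice' AND password = '' OR '1'='1'`; the parameterized version returns no row for the same input. Parameterization is the fix; the allow-list check and any WAF rule are additional layers, not substitutes for it.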


The urgency around CL0P-MOVEit emphasizes that many enterprises are still missing the basics in 2023. Asset and software inventory, access control management (or least privilege), network monitoring and defense (which includes application-layer filtering), and continuous vulnerability management (which includes automatic software updates and patching) are essential to every enterprise. If these basic elements are not part of the cyber risk strategy, then cyber resilience will remain a challenge for many years to come.



Is this a Systemic Risk Incident?

Yes. MOVEit, like SolarWinds and Log4j, represents an aggregation node. An aggregation node is either a common cloud-based platform that many organizations rely on for operational purposes, or common hardware or software that is implemented across many organizations for operational purposes. In this case, MOVEit Transfer is commonly deployed software and MOVEit Cloud is a common cloud application.


The attacker reuses a proven attack method across MOVEit Transfer and MOVEit Cloud deployments to cause widespread exploitation. Fortunately, this type of systemic risk incident spreads from the first victim to other victims over weeks or months, which gives most enterprises an opportunity to learn from the initial victims and implement countermeasures before actually being attacked.


If this type of systemic risk incident causes you concern, then focus on the basic elements that were listed in the previous section of this blog.