MOVEit or lose it: Lessons learned from the recent zero-day vulnerability

July 17, 2023
  • Thoropass Team
    Thoropass Team
Close up photo of user typing on a keyboard

On May 27, 2023, a coordinated cyberattack began taking place against hundreds of organizations with one thing in common: Their use of MOVEit Transfer, a secure file-sharing tool relied upon by government agencies and private enterprises for securely sharing business-critical information. This article will break down how the incident unfolded and how organizations can better protect themselves from similar threat events.

How did it happen?

Cl0p, a Russian-speaking professional ransomware group, first exploited the vulnerability (CVE-2023-34362). The vulnerability was related to SQL injection, a common attack vector whereby malicious code is entered into an input field that can manipulate or reveal elements of a backend database in ways unintended by the developer. In the case of this vulnerability, an unauthenticated attacker could gain access to a MOVEit Transfer database, infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. These actions could also escalate privileges and further unauthorized access to the organization’s sensitive data environment.

The attack exploited a zero-day vulnerability, meaning that the attackers knew of a flaw in the MOVEit Transfer software that was unknown to MOVEit Transfer developers and with no patch available to customers. 

Zero-Day Vulnerability: A previously undiscovered flaw in an application or operating system for which there is no defense or patch—in other words, they’ve had “zero days” to prepare an effective response.

Some reports suggest that attackers may have known and tested this vulnerability since as early as 2021. With no patch available, incident response teams are limited in their detection and response capabilities as they scramble to protect their sensitive data environments.

Ultimately, a patch for the vulnerability was released on May 31, 2023, with additional software vulnerabilities being identified and patched by the vendor, Progress Software, on June 9th (CVE-2023-35036) and June 15th (CVE-2023-35708) following an internal security assessment. The fallout from the attack is ongoing, most recently including a change by the vendor in how updates and fixes to MOVEit products are distributed and installed. However, it is likely that the full impact of the event is yet to be realized, with an estimated 150+ organizations’ and over 15 million individuals’ data at risk.

How can organizations protect themselves?

Unlike most vulnerabilities, periodic patching and vulnerability scanning of systems and software will not protect against a zero-day attack. However, mitigating controls can still provide protection even when no patch is available.

  1. Extended Detection and Response (XDR) tools seek to detect, record, evaluate, and respond to potentially malicious events that occur on an organization’s network. Such tools combine elements of antimalware, intrusion detection, and firewall solutions; they are also similar to Endpoint Detection and Response (EDR) tools, albeit with additional capabilities to monitor more than just endpoints themselves. Unlike traditional signature-based detection, which can only identify threats based on known patterns, these solutions are behavior-based. They can identify abnormal patterns that were never previously detected via machine learning.

After the dust had settled on the MOVEit Transfer zero-day, several organizations offering EDR/XDR solutions took credit for their solution identifying, quarantining, and reporting the threat before a patch was released. However, some third-party post-mortem studies have found that only some EDR/XDR solutions successfully identified the indicators of compromise, meaning it may not be sufficient to rely solely on these tools to protect against cyberattacks.

  1. Third-Party Risk Management (TPRM) is necessary for organizations to decide whether to utilize third-party systems and applications. Such activities may include the review of security attestations and certifications (such as SOC 2 or ISO 27001), due diligence questionnaires, on-site inspections, and the signing of formal contracts and agreements.

In the case of MOVEit Transfer vendor Progress Software, the organization maintained several security reports, which should serve as a reminder that simply passing an audit does not guarantee cybersecurity. Instead, organizations should consider factors such as the specific controls in place, the nature, timing, and extent of controls testing performed, and the overall risk posed to the organization should the vendor suffer a security incident despite the safeguards that have been implemented.

  1. Network Segmentation is an important element of network security to limit the overall impact of a successful breach. By restricting the traffic flows and access levels between subnetworks, unauthorized access can be isolated to only one subnetwork instead of the entire organization. Successful network segmentation is characterized by:
  • Physical or logical segregation of network segments
  • Configuring firewall rules and/or security groups
  • Closing unnecessary network ports
  1. Least Privilege for service accounts, in combination with a zero-trust network architecture, can prevent malicious actors from taking unauthorized actions (such as installing malware or creating new accounts) on a compromised server or compromising other parts of the network. Organizations should have a formal access provisioning and de-provisioning process and periodic access reviews to mitigate this risk.

For a full picture of the attack techniques used and potential mitigating controls, refer to the Cybersecurity Advisory released jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI).

How could this have been prevented by the software vendor?

There is, unfortunately, no way to guarantee complete protection from cyberattacks, and this breach on its own should not be considered an indicator that Progress Software’s security program is unsound. The organization has responded by swiftly developing and releasing a patch for the vulnerability and subsequently performing a thorough internal investigation leading to additional patches released for unexploited vulnerabilities. With that said, SQL injection attacks (such as the one affecting MOVEit Transfer) can be mitigated in some of the following ways:

  1. Input Validation (and other methods of input sanitization): This is a method by which input is validated to align with developers’ expectations before being processed. Certain risky characters and character sequences, such as ‘ ” / – < >, can interact in unintended ways when processed by a server or database that may lead to compromise. Successful input validation can remove these risky characters and replace them with safe values. Other methods of input sanitization, such as the use of parameterized queries, are discussed on OWASP’s SQL Injection Prevention Cheat Sheet.
  1. Penetration Testing (or adversary emulation exercises by a third party): This can help uncover vulnerabilities in your web application that may have fallen under your organization’s radar. Penetration testers conduct various tests to identify and safely exploit vulnerabilities in your organization’s applications and/or network, depending on the scope of the engagement. SQL injection is one such test that any reputable penetration tester will consider when performing their work.
  1. Code Review: Review should be performed in accordance with an organization’s risk tolerance to ensure that application code is free from unintended bugs and backdoors, such as SQL injection vulnerabilities. Code review is especially important when utilizing contractors for software development.

Where does information security compliance come into play?

As mentioned previously, there is no silver bullet that will guarantee protection against all cybersecurity threats. However, when appropriately implemented, many common information security standards, frameworks, and regulations incorporate guidelines that can reduce the impact or likelihood of similar attacks. 

Some examples of how these standards, frameworks, and regulations may protect organizations and their customers from similar attacks are as follows:

SOC 2:

  • CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
  • CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
  • CC7.4: The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.
  • CC9.2: The entity assesses and manages risks associated with vendors and business partners.

ISO 27001:2022:

  • A.5.21 Managing information security in the ICT supply chain
  • A.5.23 Information security for use of cloud services
  • A.5.26 Response to information security incidents
  • A.8.16 Monitoring activities
  • A.8.2  Privileged access rights
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles

HIPAA:

  • 164.212(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. 
  • 164.308(a)(1)(ii)(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
  • 164.308(a)(6)(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
  • 164.312(a)(1) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

As you can see, the literature for SOC 2, ISO 27001, and HIPAA (as examples) do not prescribe specific controls but provide guidelines for achieving information security objectives. It is up to the organization to ensure that the implemented controls not only satisfy the standard, framework, or regulation requirements but also meaningfully reduce risk facing the organization and its customers. When assessing a vendor’s information security compliance report or certification, it is important to consider the following:

  • Scope of the audit or assessment
  • Controls that have been implemented
  • Nature, timing, and extent of testing of controls
  • Reputation of the audit firm performing the testing

In the case of MOVEit products’ compliance reports, it is possible that the controls in the report(s) need to be revised in order to sufficiently manage risks facing the system. Having said that, the reports are confidential and could not be reviewed by Thoropass.  Regardless, it is certain that the auditors of MOVEit products will verify that a root cause analysis was performed over the incident, and that actions were taken to prevent or address the recurrence of such incidents.

Closing remarks

Organizations today face a multitude of challenges, not the least of which are cybersecurity breaches. Zero-day exploits, such as what happened to the MOVEit Transfer application, are the most concerning given that it may not be readily apparent to security teams how to respond. 

The best approach to mitigate these threats is to incorporate security into all phases of the system development life cycle, including secure network architecture, third-party risk management, and monitoring activities. 

While imperfect, information security compliance attestations and certifications can also help to provide assurance over an organization’s security posture and how they might mitigate these threats.

More questions?

Whether you’re confused about what framework is right for your business, or you are ready to start and maintain your compliance program, Thoropass has the experts ready to help you. Talk to one of our experts and have your questions answered.

Share this post with your network:

Related Posts

Key takeaways from Thoropass Connect 2024: Emerging threats and opportunities from AI

Thoropass recently held its first-ever Thoropass Connect, a one-day in-person event for infosec leaders and compliance professionals to network, safeguard their organizations for the future, and gain takeaways to apply...
Read Article icon-arrow

SOC 2 certification (or attestation) explained: Essential guide and key steps

System & Organization Controls 2 (originally called Service Organization Controls 2), commonly referred to as SOC 2, is a set of guidelines aimed at safeguarding customer data by enforcing rigorous...
Read Article icon-arrow