Published August 31st, 2023 by Avigdor Book
In recent weeks, the cybersecurity landscape has been shaken by a series of breaches targeting MOVEit, a popular managed file transfer (MFT) application developed by Progress Software. These attacks, attributed to the Cl0p ransomware gang, have exploited vulnerabilities in MOVEit, including zero-day vulnerabilities, to deploy ransomware and exfiltrate data from organizations worldwide. This article aims to provide insights into these incidents and their indicators of compromise (IOCs), and to offer guidance on mitigating the risks associated with the MOVEit vulnerabilities.
A New Breed of Cyberattacks
The MOVEit incidents represent a new breed of cyber threats. Unlike previous supply chain incidents, these are calculated and tactical intrusions that demonstrate a shift in the strategies employed by threat actors. The attacks have been successful in infiltrating federal and municipal organizations, including the Department of Energy and university systems, underscoring the need for a layered and dynamic approach to security.
The Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring these incidents, particularly focusing on new vulnerabilities such as CVE-2023-34362 and MOVEit cloud vulnerabilities, discovered in the Progress MOVEit Transfer system.
Patches and Vulnerabilities
Progress, the developer of MOVEit, has identified three notable vulnerabilities, including an SQL injection vulnerability, and has provided patches for each. Microsoft and Azure have also issued security advisories about related risks. CVE-2023-34362, CVE-2023-35708, and CVE-2023-35036 have been marked as critical, as they allow unauthorized access and code execution. These threats underscore the need for comprehensive and proactive remediation, including prioritizing threat intelligence and applying patches for cloud and webshell endpoints.
Cl0p Comes Forward
The Cl0p ransomware group has claimed responsibility for the MOVEit incidents, revealing that it has successfully launched ransomware and exfiltration attacks against vulnerable MOVEit Transfer instances running at some of the world’s most prominent organizations. This serves as a stark reminder that while addressing known vulnerabilities like MOVEit Transfer’s database and human2.aspx is critical, staying ahead of the curve and anticipating unknown threats, including zero-day vulnerabilities, is equally essential.
To enhance the security of your MOVEit Transfer environment, it is essential to disable all HTTP and HTTPS traffic temporarily. Rapid7 recommends adjusting the firewall rules to deny any incoming or outgoing HTTP and HTTPS connections on ports 80 and 443. While this measure ensures heightened protection, certain services and functionalities, such as file transfer software and downloads, will be affected until HTTP and HTTPS traffic are re-enabled.
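As an added example (not code from Tufin's post, Rapid7 or Progress), the following PowerShell script applies the temporary inbound and outbound block on TCP ports 80 and 443 described above and checks the MOVEit Transfer web root for the human2.aspx webshell file mentioned earlier. The install path C:\MOVEitTransfer\wwwroot and the firewall rule names are assumptions; run it from an elevated session on the MOVEit Transfer host.

```powershell
# Added example: temporary HTTP/HTTPS lockdown plus human2.aspx check for a
# MOVEit Transfer host. The web root below is an assumed default; adjust it
# to match your installation. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Assumed default MOVEit Transfer web root (not taken from the article).
$WebRoot = 'C:\MOVEitTransfer\wwwroot'

function Block-MoveItWebTraffic {
    # Deny inbound and outbound HTTP/HTTPS on 80 and 443, as recommended.
    # Rule names are placeholders so the rules can be found and removed later.
    New-NetFirewallRule -DisplayName 'MOVEit-Temp-Block-In-80-443' `
        -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'MOVEit-Temp-Block-Out-80-443' `
        -Direction Outbound -Protocol TCP -RemotePort 80,443 -Action Block | Out-Null
}

function Unblock-MoveItWebTraffic {
    # Remove the temporary rules once patching is complete.
    Remove-NetFirewallRule -DisplayName 'MOVEit-Temp-Block-In-80-443','MOVEit-Temp-Block-Out-80-443' `
        -ErrorAction SilentlyContinue
}

function Find-MoveItWebShell {
    # Return any human2.aspx under the web root with its hash and timestamps,
    # so the finding can be preserved for incident response.
    if (-not (Test-Path $WebRoot)) {
        Write-Warning "Web root $WebRoot not found; set `$WebRoot to your install path."
        return
    }
    Get-ChildItem -Path $WebRoot -Recurse -Filter 'human2.aspx' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTimeUtc
                LastWrite = $_.LastWriteTimeUtc
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$hits = @(Find-MoveItWebShell)
if ($hits.Count -gt 0) {
    Write-Warning "Possible webshell present; preserve this host for investigation:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No human2.aspx found under $WebRoot"
}
Block-MoveItWebTraffic
Write-Host "Inbound/outbound TCP 80 and 443 blocked; run Unblock-MoveItWebTraffic after patching."
```

Blocking outbound 443 also cuts off the host's own update and download traffic, as the paragraph above notes, so keep the Unblock function at hand for when patches are applied.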
Tufin’s Role in Mitigating MOVEit Vulnerabilities
This article highlights the importance of a comprehensive security strategy, and Tufin’s firewall management and network security automation solutions can play a crucial role in it. Firewall change automation carries network access changes, such as disabling HTTP and HTTPS traffic, from request through to implementation.
The recent MOVEit incidents serve as a potent reminder of the pressing need for a comprehensive and proactive approach to cybersecurity. With a combination of network and application protection, including the use of malware defenses and API security, along with a proactive approach to threat detection and prevention, organizations can ensure the safety and integrity of their digital resources in the face of cyber threats.
Q: Has the MOVEit vulnerability been fixed?
A: Yes. Progress, the developer of MOVEit, has identified the vulnerabilities, including the critical MOVEit Transfer vulnerability, and has provided patches for each. However, it’s crucial for organizations to stay vigilant and proactive in their cybersecurity efforts. For more insights, read our article on how policy automation helps prevent the success of advanced persistent threats.
Q: What are the vulnerabilities of MOVEit application?
A: Three notable vulnerabilities have been identified in MOVEit instances, including CVE-2023-35036, which relates to code execution. These vulnerabilities have been exploited by the Cl0p ransomware group to perform ransomware attacks and exfiltrate data. For more information on how to protect your organization, check out our article on internet egress filtering to prevent server firewall breaches.
Q: What is the critical vulnerability for MOVEit May 2023?
A: The critical vulnerability for MOVEit in May 2023 was one of the three vulnerabilities exploited by the Cl0p ransomware group, including a new vulnerability in MOVEit cloud. Progress has provided patches for this vulnerability. To understand more about network security, read about the ECB network security audit requirements.
Remember, the best way to protect your organization is to stay proactive and vigilant. Consider signing up for a demo of Tufin to understand how our solutions can help you stay ahead of the curve.