MOVEit Vulnerability Weaponized in Ransomware Attack
What is MOVEit?
MOVEit is a managed file transfer (MFT) software solution developed by Progress Software Corporation (formerly Ipswitch). It is designed to securely transfer files within or between organizations. MOVEit offers a centralized platform for managing file transfers, providing security, compliance, and automation features.
What happened?
In May 2023, Progress disclosed a vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment. Upon discovery, Progress launched an investigation, provided mitigation steps and released a security patch, all within 48 hours.
Unfortunately, during that time, cybercriminals associated with Russian-affiliated ransomware group Clop exploited the vulnerability and launched a supply chain attack against MOVEit users. Among them was payroll services provider Zellis, who was the first to disclose a security breach in June 2023, although many others have been impacted. So far eight of its customers have reported data theft, and it is expected that hundreds more have been affected.
Following the attack, the financially-motivated ransomware group demanded payment to stop data being released publicly. In a Dark Web post, they said: “We are the only one who perform such attack and relax because your data is safe. We are to proceed as follow and you should pay attention to avoid extraordinary measures to impact you company”.
Ransomware: to pay or not to pay?
Ransomware is one of the biggest threats to an organization’s security. In the early days, attacks were distributed through mass numbers of automated payloads to random targets, collecting small sums from each “successful” attack. Now these attacks have evolved to become mostly human-operated processes, carried out by multiple entities over several weeks.
What is evident in the MOVEit exploitation is how ransomware groups have shifted focus away from data encryption to data extortion. Why? Because unencrypted data is more valuable. It can be released into the public domain almost immediately, meaning victims will be eager to get it back, no matter the cost.
While some may think these are empty threats, we have seen how effective this approach can be in the case of Australian health insurer Medibank. When they refused to pay ransom demands of $10M in October 2022, the attackers dumped personal information relating to pregnancy termination, drug and alcohol abuse, mental health issues and other confidential medical data.
The question is, should organizations pay? Most experts believe that paying demands will not stop future incidents. Speaking to the iNews, Simon Newman, a member of International Cyber Expo’s Advisory Council said: “Paying ransoms to cyber criminals does not guarantee that all the data will be returned. In fact, in most cases, it’s extremely rare and may simply expose you to further ransomware attacks in the future.” Some governments have proposed sanctions against paying these groups including Australia, UK and the USA. This may explain why ransomware profits dropped 40% in 2022 to $456.8M.
A chink in the supply chain
This incident is a textbook example of how fertile the supply chain is for cybercriminals. According to a report by the non-profit organization Identity Theft Resource Center, supply chain attacks surpassed the number of malware-based attacks by 40% in 2022, with more than 10 million people and 1,743 entities impacted.
Most organizations will invest time and resources to make themselves more resilient against cyberattacks. Unfortunately, many forget to assess how secure their third-party providers are, or they have limited visibility about the software and services they are using which makes patching vulnerabilities very difficult.
To operate responsibly, organizations need to take ownership of their cybersecurity strategy and part of that includes understanding third-party weaknesses as if they are their own. This is crucial because an attack does not just affect the target but also its employees, whose data is now exposed. When personal data is compromised, we put those individuals at a higher risk of being targeted with further attacks as well as phishing scams, with cybercriminals hoping to steal credentials or even banking information.
It is key that businesses adopt a prevent-first mindset and implement tighter controls such as segmentation to limit the impact of an attack, as well as more thorough monitoring to ensure a higher level of visibility across multiple attack vectors, including the network and users.
Check Point’s Protections
Check Point IPS blade, Harmony Endpoint and Threat Emulation provide protection against this threat
(MOVEit Transfer SQL Injection CVE-2023-34362);
Webshell.Win.Moveit,
Ransomware.Win.Clop,
Ransomware_Linux_Clop;
Exploit.Wins.MOVEit).