Are you ready for MOVEit?

Several vulnerabilities were recently discovered in MOVEit, Managed File Transfer (MFT) software developed by Ipswitch, Inc. and produced by Progress Software. These include CVE-2023-34362 [1], CVE-2023-35036 [2] and CVE-2023-35708 [3]. These vulnerabilities could allow an attacker to gain unauthorized access and escalate privileges in the environment.

MOVEit is a popular tool used by thousands of organizations worldwide, across the public, private and government sectors. The transfer software can be deployed on-premises, in the MOVEit cloud or on any Microsoft Azure server. Because it handles potentially sensitive information, MOVEit is an attractive target from the threat actor’s point of view: a successful compromise gives them the ability to add and remove database content, execute arbitrary code, and steal sensitive information.

This story is still developing and we’ll know the final tally in the coming weeks, but so far here’s what we know.

The CL0p ransomware gang has been actively exploiting this vulnerability and claims to have compromised more than a dozen organizations across various industries and geographies. These include oil and gas, news and media, healthcare, financial services, state and federal government, and more. According to Anomali’s own assessment, there are thousands of externally exposed MOVEit instances that could potentially be exploited.

Further public research suggests that this vulnerability may have been exploited as early as 2021 [4]. More recently, proof-of-concept (PoC) exploit code for this vulnerability has also been released publicly [5], so other attackers may well exploit systems that remain unpatched.


Anomali MOVEit Vulnerability Dashboard

The Anomali Threat Research team has further investigated and documented additional details about this vulnerability in a Threat Bulletin. The team has also identified more than 430 relevant indicators and signatures, and published several sector-specific articles providing more industry-specific details. The dashboard below highlights some of the insights available to Anomali customers through ThreatStream.

There are several important steps to mitigate the impact of this vulnerability, some of which are also documented in Progress’ knowledge base article [6].

1. Discover your attack surface. There are several tools that provide this functionality, including Anomali Attack Surface Management [7].
2. Patch vulnerable systems promptly. The Progress knowledge base article [6] documents this as the following sub-steps:
a. Disable HTTP/S traffic to the MOVEit Transfer environment
b. Patch the vulnerable systems
c. Re-enable HTTP/S access to the MOVEit Transfer environment
3. Monitor the environment for known indicators to identify malicious activity. The Anomali Threat Bulletin captures over 2200 observables that can be used to monitor for malicious activity through SIEMs, firewalls or other technologies. Pre-deploy these observables into security controls (firewalls, proxies, etc.) so that matching activity is flagged as it happens.


Anomali MOVEit Vulnerability Threat Bulletin

4. Find the attacker’s footprints. Hunting lets you look back at past attacker activity, while monitoring lets you look to the future. There are several tools to help you on the hunt, including Anomali Match [8]. Match can help customers search through years of data in seconds to determine whether attacker activity has occurred in the past.
5. Look beyond yourself. Monitor your industry for malicious activity. Threat intelligence platforms such as Anomali ThreatStream [9] can help you track industry-wide trends. Join an ISAC to share information with industry peers and develop a collective defense posture.
6. Have a response plan. Test response plans, create communication plans, and build and test automated workflows for timely responses.
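Steps 3 and 4 both come down to the same operation: taking a set of indicators and matching them against web server logs, either as they arrive (monitoring) or over an archived window (hunting). The block below is an added example, not Anomali’s, Progress’ or the Threat Bulletin’s own code, and it does not contain real MOVEit indicators: every indicator value and every log line is constructed for the example, using the RFC 5737 documentation address ranges and a made-up web shell path and user agent. It parses IIS W3C-style lines (the field layout assumed here is date, time, client IP, method, URI stem, status, user agent) and returns structured hits so they can be forwarded to a SIEM or a ticket rather than just printed.

```python
"""Match a constructed indicator set against IIS-style web server log lines.

Added example for the monitor (step 3) and hunt (step 4) mitigation steps.
All indicator values and log lines below are constructed placeholders, not
real MOVEit IoCs; load a real indicator export in the same shape to use it.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, datetime

# Constructed indicator set in a bulletin-export-like shape: type, value, note.
# None of these values are real indicators.
INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.7", "note": "placeholder source IP (TEST-NET-3)"},
    {"type": "cidr", "value": "198.51.100.0/24", "note": "placeholder scanning range (TEST-NET-2)"},
    {"type": "uri-path", "value": "/example_webshell.aspx", "note": "placeholder web shell path"},
    {"type": "user-agent", "value": "ExampleScanner/1.0", "note": "placeholder tooling user agent"},
]

# Constructed IIS W3C log lines. Assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
SAMPLE_LOGS = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2023-06-01 02:14:07 203.0.113.7 POST /example_webshell.aspx 200 Mozilla/5.0
2023-06-01 02:14:09 192.0.2.15 GET /index.html 200 Mozilla/5.0
2023-06-02 11:03:44 198.51.100.23 GET /api/v1/token 401 ExampleScanner/1.0
2023-06-03 09:00:00 192.0.2.40 GET /api/v1/folders 200 Mozilla/5.0
2023-06-12 17:45:12 192.0.2.88 GET /example_webshell.aspx 404 curl/8.0
"""


@dataclass(frozen=True)
class Hit:
    """One indicator match on one log event, ready to ship to a SIEM or ticket."""
    when: datetime
    client_ip: str
    uri: str
    status: int
    indicator_type: str
    indicator_value: str
    note: str


def parse_line(line: str) -> dict | None:
    """Split one W3C log line into fields; return None for comments or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.strip().split(" ", 6)  # user agent may itself contain spaces, so split at most 6 times
    if len(parts) != 7:
        return None
    day, clock, c_ip, method, uri, status, ua = parts
    try:
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        return {"when": when, "c_ip": c_ip, "method": method, "uri": uri, "status": int(status), "ua": ua}
    except ValueError:
        return None


def match_indicators(event: dict, indicators: list[dict]) -> list[Hit]:
    """Return one Hit per indicator that matches the event (an event can match several)."""
    hits = []
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        matched = False
        if kind == "ipv4":
            matched = event["c_ip"] == value
        elif kind == "cidr":
            try:
                matched = ipaddress.ip_address(event["c_ip"]) in ipaddress.ip_network(value)
            except ValueError:
                matched = False  # unparsable client address: skip rather than crash the scan
        elif kind == "uri-path":
            # A 404 on a known web shell path still matters: it is evidence of probing.
            matched = event["uri"].lower() == value.lower()
        elif kind == "user-agent":
            matched = value.lower() in event["ua"].lower()
        if matched:
            hits.append(Hit(event["when"], event["c_ip"], event["uri"], event["status"],
                            kind, value, ind["note"]))
    return hits


def scan(lines, indicators: list[dict], since: str | None = None, until: str | None = None) -> list[Hit]:
    """Monitoring (step 3): pass a live tail with no window.
    Hunting (step 4): pass archived lines plus an inclusive ISO date window."""
    lo = date.fromisoformat(since) if since else None
    hi = date.fromisoformat(until) if until else None
    hits: list[Hit] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        day = event["when"].date()
        if (lo and day < lo) or (hi and day > hi):
            continue
        hits.extend(match_indicators(event, indicators))
    return hits


def hosts_to_review(hits: list[Hit]) -> list[str]:
    """Distinct client addresses that hit any indicator, for triage."""
    return sorted({h.client_ip for h in hits})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS.splitlines(), INDICATORS, since="2023-06-01", until="2023-06-02"):
        print(f"{hit.when:%Y-%m-%d %H:%M:%S} {hit.client_ip} {hit.uri} {hit.status} <- {hit.indicator_type} {hit.indicator_value} ({hit.note})")
```

Run over the constructed sample without a window it returns five hits (the web shell path is matched twice, once on the 200 and once on the 404 probe); the hunt window of June 1 to June 2 narrows that to four. Replacing `SAMPLE_LOGS` with a file iterator and `INDICATORS` with an exported indicator list is the only change needed to use it on real data.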

Anomali will continue to update this blog, the Threat Bulletin and the dashboards as we learn more about MOVEit.

To learn more about this vulnerability, join our threat intelligence experts for a live webinar on June 21, 2023. Sign up here to attend live or to be notified when the on-demand recording is available.

References

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-34362
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-35036
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-35708
[4] https://www.bleepingcomputer.com/news/security/clop-ransomware-likely-testing-moveit-zero-day-since-2021/
[5] https://www.helpnetsecurity.com/2023/06/13/cve-2023-34362-exploit/
[6] https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
[7] https://www.anomali.com/products/attack-surface-management
[8] https://www.anomali.com/products/match
[9] https://www.anomali.com/products/threatstream
