July 19, 2023 By Jonathan Reed 4 min read

The MOVEit breach could be the most devastating exploitation of a zero-day vulnerability ever, and the effects continue to ripple across the globe. The widely used file-transfer program’s vulnerability has led to new victims coming forward weekly. Recently, the New York City Department of Education, UCLA, Siemens Energy and Big 4 accounting firms have announced they were affected by the vulnerability.

The MOVEit exploitation appears to have affected at least 122 organizations and exposed the data of roughly 15 million people. These numbers are based on posts from CL0P, the Russian ransomware group that has claimed responsibility for the attacks.

The CL0P SQL attack

According to a CISA cybersecurity advisory, on May 27, 2023, CL0P (also known as TA505) began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362). The vulnerability was found in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer.

In the attack, internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT. Threat actors leveraged this web shell to steal data from underlying MOVEit Transfer databases.

Shortly after evidence of the attack surfaced, Progress patched the vulnerability. Even though the MOVEit patch has been issued, some users of the service continue to be attacked because they haven’t installed the patch on their networks. This underlines the importance of threat intelligence and a well-defined patching strategy.

It seems as if no industry has escaped the consequences of the malicious CL0P campaign. Dozens of entities from the public and private sectors have been impacted. Victims include payroll services, retailers, major airlines, government offices, two Department of Energy entities and the U.S. states of Missouri and Illinois.

“Review of the impacted files is ongoing,” said Emma Vadehra, Chief Operating Officer of the New York City Department of Education, “but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers.”

What is a SQL injection attack?

The SQL programming language is used for managing and manipulating databases. A SQL injection vulnerability is a security flaw in a web application that allows an attacker to manipulate the application’s database by injecting malicious SQL statements.

In a SQL (Structured Query Language) injection attack, the threat actor takes advantage of improper handling of user input within the application’s SQL queries. By inserting malicious SQL code into user-supplied input fields, such as forms or URL parameters, the attacker can modify the intended behavior of the SQL query.

For example, let’s say a website has a login form where a user enters their username and password. The application may construct an SQL query using the provided input to check if the user exists in the database and validate their credentials. However, if the application does not properly validate or sanitize the user input, an attacker can craft input that alters the query’s logic or extends its scope.

As per OWASP, the main consequences of a SQL injection attack include:

  • Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL Injection vulnerabilities.
  • Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.
  • Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.
  • Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack.

Mitigating the MOVEit attack

The top CISA recommendations in response to the MOVEit vulnerability include:

  1. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
  2. Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
  3. Monitor network ports, protocols and services, activating security configurations on network infrastructure devices such as firewalls and routers.
  4. Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.

However, even if your organization doesn’t use MOVEit, your vendors might be affected, which exposes you to risk. Therefore, it’s a good idea to contact all your vendors to inquire whether they use MOVEit and what measures they have taken in response to the vulnerability. Also, companies should review vendor contracts for data breach notification requirements to ensure that vendors meet their obligations.

Explore incident response services

Feds tweet reward for information

Meanwhile, CISA and the FBI are offering a $10 million reward to anyone that can offer intelligence on the CL0P ransomware gang.

A tweet posted by the U.S. Department of State’s “Rewards for Justice” program reads, “Reward up to $10 million. For information on the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. Send us your information on Signal, Telegram, WhatsApp or via our Tor-based tip line below.”

Preventing zero-day exploits

Here are steps companies can take to uncover vulnerabilities and lessen the impact of zero-day attacks:

The impact of the MOVEit breach continues to reach far and wide. Security teams must stay on top of their game to prevent similar zero-day attacks in the future.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence or offensive security services schedule a meeting here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:
US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today