Over the last few weeks, MOVEit, the managed file transfer software from Progress (formerly known as Ipswitch), has been dominating the headlines. In late May and early June 2023, the company disclosed two critical vulnerabilities in its MOVEit Transfer and MOVEit Cloud platforms (CVE-2023-34362 and CVE-2023-35036). Fortunately, patches were made available for both. However, on June 15, 2023, a third zero-day vulnerability was referenced on Progress’ website. The Russian-attributed Cl0p ransomware gang (TA505) has leveraged all three vulnerabilities to carry out SQL injection attacks against a long and growing list of companies. Victims include prominent universities, financial institutions, and even U.S. federal and state government agencies.
As time goes on, the list is expected to get even longer.
Organizations are scrambling to limit the fallout from these vulnerabilities. To combat Cl0p and similar ransomware groups, company stakeholders must understand that vulnerability management is only one piece of the puzzle. Traditional network security products may be able to fingerprint components of an exploit, but detection and prevention that rely on those fingerprints alone are likely to be subverted.
The truth is that the attacker is likely already inside your network, so it is a race against time. The faster abnormal behavior can be spotted, the lower the financial and reputational cost to the business.
How Adversaries Are Using the MOVEit Vulnerabilities
These flaws are SQL injection vulnerabilities: the affected software builds SQL statements from web request input without adequately separating that input from the statement’s own syntax, so an attacker can exploit them without authenticating. Successful exploitation gives the adversary free rein over the MOVEit Transfer and MOVEit Cloud databases and can ultimately allow files to be written to the server, leading to remote code execution.
The truth is that most adversaries can carry out attacks without legitimately authenticating. According to the latest Verizon Data Breach Investigations Report (DBIR), 86% of cyberattacks involved the use of stolen credentials. This is why it is so critical that security teams understand which behaviors might indicate compromise.
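The root cause described above, a query assembled from untrusted input, is easiest to see side by side with its fix. The following is an added example written for this article, not code from Progress or from MOVEit itself; the table, the rows and the `build_db`, `lookup_vulnerable` and `lookup_hardened` functions are all constructed for illustration, and the in-memory SQLite database stands in for whatever database the application uses.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user table
# (illustrative schema only, not the real product's schema).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin"), ("carol", "user")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the untrusted value is concatenated into the SQL text,
    # so the database parser sees attacker-controlled syntax, not just data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: a parameterized query. The SQL text is fixed and the
    # value is bound separately, so it can only ever be compared as a string.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo() -> dict:
    """Run both lookups with a benign value and a textbook tautology input."""
    conn = build_db()
    benign = "alice"
    # Classic tautology input: in the vulnerable version it closes the string
    # literal and turns the WHERE clause into one that is always true.
    crafted = "' OR '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_hardened": lookup_hardened(conn, benign),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        "crafted_hardened": lookup_hardened(conn, crafted),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign value both lookups return Alice's row. With the crafted value the concatenated query returns every row in the table, while the parameterized query returns nothing because the input is compared as a literal username. The same split applies to any statement the application issues: reviewing the code base for string-built SQL and converting it to bound parameters removes the class of bug rather than one instance of it.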
IOCs Associated with Anomalous Activity
Security teams use static signatures as a basic litmus test for identifying the exact fingerprints of known vulnerabilities and exploits, and attackers know this. Adversaries modify as many features of their payloads as possible to evade those signatures. Cl0p and other ransomware gangs then use unique, highly customized techniques to bypass detection based on fixed rules.
This is why security teams must focus on identifying abnormalities wherever in the attack chain they occur. Organizations should use security solutions that detect a broad and varied range of behaviors, including:
- Abnormal account creation
- A suspicious Windows process executed
- Failed login to an application
- Unusual process execution for a user or asset
- User with no process execution history
- An abnormal amount of data written in a database
- Anomalous database query
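Several of the behaviors in the list above can be expressed as simple baseline-versus-window comparisons. The block below is an added example written for this article, not code from the author or from any product; the telemetry records in `BASELINE` and `WINDOW` are constructed sample events (not real MOVEit logs), and the `build_profile` and `detect` functions, the three-sigma threshold and the failed-login threshold are all illustrative choices. It covers abnormal account creation, unusual process execution for a user, a user with no process execution history, repeated failed logins, and an abnormal amount of data written to a database.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: historical events used to build each user's
# normal profile. Each record is one parsed event from an endpoint agent or
# database audit log.
BASELINE = [
    {"user": "svc_web", "type": "process", "name": "w3wp.exe"},
    {"user": "svc_web", "type": "process", "name": "w3wp.exe"},
    {"user": "svc_web", "type": "db_write", "bytes": 2_000},
    {"user": "svc_web", "type": "db_write", "bytes": 2_500},
    {"user": "svc_web", "type": "db_write", "bytes": 1_800},
    {"user": "svc_web", "type": "db_write", "bytes": 2_200},
    {"user": "dba01", "type": "process", "name": "sqlcmd.exe"},
    {"user": "dba01", "type": "db_write", "bytes": 50_000},
    {"user": "dba01", "type": "db_write", "bytes": 48_000},
    {"user": "dba01", "type": "db_write", "bytes": 52_000},
    {"user": "dba01", "type": "db_write", "bytes": 50_000},
    {"user": "hr_admin", "type": "account_created", "target": "new.hire"},
]

# Constructed observation window to evaluate against the baseline.
WINDOW = [
    {"user": "svc_web", "type": "process", "name": "w3wp.exe"},
    {"user": "svc_web", "type": "process", "name": "cmd.exe"},
    {"user": "svc_web", "type": "db_write", "bytes": 900_000},
    {"user": "svc_web", "type": "account_created", "target": "backup_svc"},
    {"user": "tmp_user", "type": "process", "name": "powershell.exe"},
    {"user": "dba01", "type": "db_write", "bytes": 51_000},
    {"user": "alice", "type": "login", "result": "failure"},
    {"user": "alice", "type": "login", "result": "failure"},
    {"user": "alice", "type": "login", "result": "failure"},
    {"user": "alice", "type": "login", "result": "failure"},
]

def build_profile(events: list) -> dict:
    """Per-user baseline: known processes, database write sizes, account creators."""
    procs = defaultdict(set)      # user -> set of process names seen
    writes = defaultdict(list)    # user -> list of bytes written per event
    creators = set()              # users who have created accounts before
    for e in events:
        if e["type"] == "process":
            procs[e["user"]].add(e["name"])
        elif e["type"] == "db_write":
            writes[e["user"]].append(e["bytes"])
        elif e["type"] == "account_created":
            creators.add(e["user"])
    return {"procs": procs, "writes": writes, "creators": creators}

def detect(profile: dict, window: list, failed_login_threshold: int = 3,
           sigma: float = 3.0) -> list:
    """Return (rule, user, detail) tuples for events that deviate from the profile."""
    alerts = []
    failures = defaultdict(int)
    for e in window:
        user = e["user"]
        if e["type"] == "process":
            if user not in profile["procs"]:
                alerts.append(("user_with_no_process_history", user, e["name"]))
            elif e["name"] not in profile["procs"][user]:
                alerts.append(("unusual_process_for_user", user, e["name"]))
        elif e["type"] == "db_write":
            hist = profile["writes"].get(user, [])
            if len(hist) >= 2:
                # Flag writes more than `sigma` standard deviations above the mean.
                ceiling = mean(hist) + sigma * pstdev(hist)
                if e["bytes"] > ceiling:
                    alerts.append(("abnormal_db_write_volume", user, e["bytes"]))
            else:
                alerts.append(("db_write_without_baseline", user, e["bytes"]))
        elif e["type"] == "account_created" and user not in profile["creators"]:
            alerts.append(("abnormal_account_creation", user, e["target"]))
        elif e["type"] == "login" and e["result"] == "failure":
            failures[user] += 1
            # Alert once when the threshold is reached, not on every later failure.
            if failures[user] == failed_login_threshold:
                alerts.append(("repeated_failed_logins", user, failures[user]))
    return alerts

def run() -> list:
    return detect(build_profile(BASELINE), WINDOW)

if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"{rule:32s} user={user} detail={detail}")
```

On the constructed data this raises five alerts: the web service account launching a process it has never launched before, that account writing roughly 400 times its usual volume to the database and creating an account, a user with no process history at all, and a run of failed logins. The database administrator's write stays within its own baseline and is not flagged, which is the point of profiling per user rather than applying one global threshold.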
Vulnerability exploitation does not end with the initial incident; the activity that follows can span the entire MITRE ATT&CK® framework, including lateral movement, data exfiltration, privilege escalation, and more.
Where Does the Security World Go from Here?
As companies pick up the pieces from this attack and the security world moves forward, it is essential to remember that a stronger security posture comes from balancing prevention and detection. Security teams should regularly identify and patch vulnerabilities, but also be proactive in detecting abnormal behaviors and activities.
By remaining vigilant and closely monitoring evolving threats, organizations are in a much better position to mitigate damages from zero-day vulnerabilities.