On May 31st 2023, Progress Software published a security advisory for a zero-day vulnerability in its flagship product, MOVEit Transfer. MOVEit Transfer is an on-premises Managed File Transfer (MFT) solution used by financial, defence and healthcare organisations for ‘secure collaboration and automated file transfers of sensitive data’. According to open-source intelligence (OSINT), the CL0P ransomware gang has been exploiting the SQL injection vulnerability since May 27. There are also indications that the group had been testing similar SQL injection techniques as early as 2021, and it had previously been linked to attacks on another MFT product, GoAnywhere MFT.
The SQL injection zero-day, CVE-2023-34362 – a previously unknown flaw for which no fix existed when the exploitation was discovered – was used by the group to plant a web shell, tracked as LEMURLOOT, on MOVEit Transfer servers. The web shell file was deliberately named human2.aspx so that it would blend in with human.aspx, a legitimate component of the MOVEit Transfer platform.
Within a month, a wave of cybersecurity incidents had impacted over 90 organisations in the MOVEit supply chain. Notably, Zellis – a leading UK provider of payroll and HR software – was among the victims, and the impact rippled out to its customers, including the BBC, British Airways (BA) and Boots. While specific figures have not been disclosed, affected organisations have engaged Incident Response Teams (IRTs) to conduct forensic analysis and maintain ongoing monitoring of their systems to mitigate further risk.
The Web Shell
Once installed, the web shell authenticates incoming requests against a hard-coded 36-character password. The threat actor sends an HTTP request carrying a header named X-siLock-Comment whose value is that password; requests that do not present the correct value are rejected. Once authenticated, the operator can issue commands to the web shell that:
Retrieve Microsoft Azure system settings and enumerate the underlying SQL database.
Store a string sent by the operator and perform SQL queries to retrieve a file from the MOVEit Transfer system.
Create a new administrator-privileged account with the LoginName and RealName values set to ‘Health Check Service’.
Delete an account with LoginName and RealName values set to ‘Health Check Service’.
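The two indicators above that defenders can check for without the attacker's password are the file name of the web shell (human2.aspx, as distinct from the legitimate human.aspx) and the ‘Health Check Service’ account. The following is an added example, not code from the original post or from Progress; it hunts for both indicators in an IIS W3C log excerpt and a MOVEit user export. The log lines and user rows are constructed for illustration, and the user export is assumed to expose at least the LoginName and RealName columns named in the text.

```python
"""Hunt for the LEMURLOOT indicators described above: requests to the human2.aspx
web shell in IIS W3C logs, and a 'Health Check Service' account in a MOVEit user
export. Added example, not part of the original post or of Progress/MOVEit code.
All sample data below is constructed for illustration."""
from collections import defaultdict
import posixpath

WEBSHELL_FILENAME = "human2.aspx"          # the masqueraded copy; human.aspx is legitimate
ROGUE_ACCOUNT_NAME = "Health Check Service"

# Constructed IIS W3C log excerpt (default IIS field set, space separated, '-' = empty).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 02:15:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
2023-05-28 02:15:09 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 404
2023-05-28 02:15:12 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2023-05-28 02:16:00 10.0.0.5 POST /Human2.ASPX - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2023-05-28 02:20:44 10.0.0.5 GET /human.aspx arg=1 443 alice 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Constructed user export; only the two columns the text names are used.
SAMPLE_USERS = [
    {"LoginName": "alice", "RealName": "Alice Example"},
    {"LoginName": "Health Check Service", "RealName": "Health Check Service"},
    {"LoginName": "svc_backup", "RealName": "Backup Service"},
]


def parse_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field names follow the '#Fields:' token
            continue
        if not line or line.startswith("#"):
            continue                          # other directives and blank lines
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                          # truncated/corrupt line: skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def find_webshell_hits(records):
    """Return log records whose requested file is human2.aspx (any directory, any case).

    The match is on the exact filename so the legitimate human.aspx is not flagged.
    A 404 does not clear a hit: public analyses report LEMURLOOT answers 404 when
    the X-siLock-Comment password is wrong, so failed attempts look like missing files.
    """
    return [
        r for r in records
        if posixpath.basename(r.get("cs-uri-stem", "")).lower() == WEBSHELL_FILENAME
    ]


def find_rogue_accounts(users):
    """Return user rows whose LoginName or RealName is the web shell's account name."""
    target = ROGUE_ACCOUNT_NAME.casefold()
    return [
        u for u in users
        if u.get("LoginName", "").strip().casefold() == target
        or u.get("RealName", "").strip().casefold() == target
    ]


def summarise_hits(hits):
    """Group web shell hits by client IP: first/last seen and the status codes observed."""
    by_ip = defaultdict(lambda: {"first": None, "last": None, "statuses": []})
    for r in hits:
        ts = f"{r['date']} {r['time']}"
        entry = by_ip[r["c-ip"]]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["statuses"].append(r["sc-status"])
    return dict(by_ip)


if __name__ == "__main__":
    hits = find_webshell_hits(parse_w3c(SAMPLE_IIS_LOG))
    for ip, info in summarise_hits(hits).items():
        print(f"{ip}: {len(info['statuses'])} request(s) to {WEBSHELL_FILENAME}, "
              f"{info['first']} .. {info['last']}, statuses {info['statuses']}")
    for u in find_rogue_accounts(SAMPLE_USERS):
        print(f"rogue account: LoginName={u['LoginName']!r} RealName={u['RealName']!r}")
```

Two caveats for anyone running this against real data. IIS does not record custom request headers by default, so the X-siLock-Comment value will not be in standard logs; the file name and the account are the checkable indicators from the description above. And the filename match is deliberately exact: flagging every path containing ‘human’ would bury the hits under legitimate human.aspx traffic.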
How to mitigate risk in cyberattacks
While complete immunity to cyberattacks cannot be guaranteed, organisations can take measures to effectively mitigate the risks involved.
1. Train employees.
Employees are the first line of defence when it comes to protecting a system. Run training programmes that address common cyber threats, such as phishing attacks, and teach employees best practices for data protection and secure online behaviour.
2. Keep software up to date.
Apply software updates regularly, and automatically where possible, across all devices and software. This ensures that known vulnerabilities are patched before threat actors like CL0P can exploit them. Patching cannot protect against a true zero-day such as CVE-2023-34362 before the vendor's fix exists, but it closes the window quickly once the fix ships, which is when most exploitation of a disclosed flaw occurs.
3. Implement effective incident response plans.
In a scenario like the MOVEit Transfer zero-day, no matter what measures you take, a third-party vendor may be breached, leaving your organisation exposed through no fault of its own.
This is why having an effective Incident Response Plan (IRP) is crucial for protecting your organisation. It provides guidance and procedures to contain the damage and respond swiftly to unexpected events, ensuring that the right steps are taken to safeguard your organisation.
4. Engage third-party security experts.
Implementing cybersecurity measures can be a daunting task, especially if you do not know where to start. At P3M Works, we specialise in assisting organisations with their cybersecurity needs. With our expertise and experience, we provide reliable support in navigating the challenges of digital transformation and effectively mitigating the risks associated with cyberattacks.
If you'd like to know more about mitigating the risk of cyberattacks within your organisation, get in touch and speak to one of our experts today.