Data Theft Happens Because of MOVEit Vulnerability

In one of the biggest hacks or data leaks to have hit the US, healthcare and personal data of over 10 million people has been stolen by a group of hackers targeting IBM. The hackers exploited a vulnerability in the widely used MOVEit Transfer file transfer software that IBM uses.

The hackers did not damage the network; they only stole data. The Department of Social Services (DSS) made it clear that this breach didn't touch their systems directly, but it did affect the data they held. So names, client numbers, birthdates, benefits info, and medical claims data might've been nabbed.

Statement from NVD:

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.


NOTE: This is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions. The details are given here: https://nvd.nist.gov/vuln/detail/CVE-2023-34362

Chain of Events:

June 2, 2023:

On May 31, 2023, Progress published details of a critical remote code execution (RCE) 0-day vulnerability in MOVEit Transfer being exploited in the wild (CVE-2023-34362).

June 2, 2023:

Users are urgently advised to patch to the fixed version and stay up-to-date on the latest information about this ongoing issue.

June 10, 2023:

On June 9, 2023, Progress published details of a second critical SQL injection vulnerability in MOVEit Transfer (CVE-2023-35036). An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

June 20 Update:

On June 15, 2023, Progress published details of a third critical SQL injection vulnerability in MOVEit Transfer (CVE-2023-35708).


What is MOVEit Transfer?

MOVEit Transfer is a Windows-Server-based managed file transfer (MFT) service developed by Ipswitch, a subsidiary of Progress.


What is Cloud Exposure?

One percent of cloud environments have instances running MOVEit Transfer, and most publicly exposed instances of this software are indeed hosted in the cloud, particularly in Azure.


Solution from CloudArmour:

1. CloudArmour's shift-left solution identifies vulnerable images inside the cloud environment and determines whether those images are actually exploitable.


2. CloudArmour customers can use the pre-built queries and advisory to learn whether and where MOVEit Transfer is in use in their environment, particularly any instances directly exposed to the Internet.


3. CloudArmour's Zero Trust solution monitors every pod and cluster and gives complete visibility of traffic and data flows. We can create a rule that a database cluster cannot be exposed to the public, or that a pod or cluster running vulnerable software cannot connect to a database application in another pod or cluster. A firewall at this granular level can prevent a lot of follow-on attacks.
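As an added illustration (written for this post; it is not code from Progress, NVD or CloudArmour), the script below does two things that the text above describes in words. First, it encodes the affected-version range from the NVD statement for CVE-2023-34362 (every build before 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5 and 2023.0.1, plus all older branches such as 2020.0 and 2019.x), so an inventory of MOVEit Transfer versions can be triaged. Second, it runs sample traffic flows through the two zero-trust rules from item 3: no database reachable from the public Internet, and no workload running an affected MOVEit build reaching a database. The workload names, versions and flows are constructed for the example.

```python
"""Added example for this post (not code from Progress, NVD or CloudArmour).

Part 1 encodes the affected-version range NVD gives for CVE-2023-34362.
Part 2 runs constructed sample flows through the two zero-trust rules from
the "Solution from CloudArmour" section.  All names and flows are made up.
"""
from dataclasses import dataclass

# First fixed build of each branch, taken from the NVD statement above.
# A branch is identified by (year, minor).
FIXED_VERSIONS = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)   # (2021, 0)
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)   # (2023, 0)


def parse_version(text):
    """'2022.0.3' -> (2022, 0, 3); a two-part string like '2020.0' gets patch 0."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def is_affected(version_text):
    """True when the build falls inside the NVD range for CVE-2023-34362."""
    year, minor, patch = parse_version(version_text)
    branch = (year, minor)
    if branch in FIXED_VERSIONS:
        return (year, minor, patch) < FIXED_VERSIONS[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True          # 2020.0, 2019.x, ...: no fixed build exists
    if branch > NEWEST_FIXED_BRANCH:
        return False         # released after the advisory's newest fixed build
    # A branch between 2021.0 and 2023.0 that the advisory does not list:
    # treat it as affected rather than silently passing it.
    return True


INTERNET = "internet"   # pseudo-source for traffic arriving from outside


@dataclass
class Workload:
    name: str
    role: str                 # "moveit", "database" or "other"
    moveit_version: str = ""  # only used when role == "moveit"

    def runs_vulnerable_moveit(self):
        return self.role == "moveit" and is_affected(self.moveit_version)


def find_violations(workloads, flows):
    """Evaluate (src, dst) flows; return [(src, dst, reason)] for the flows
    that the two zero-trust rules from the post should block."""
    by_name = {w.name: w for w in workloads}
    violations = []
    for src_name, dst_name in flows:
        dst = by_name[dst_name]
        src = None if src_name == INTERNET else by_name[src_name]
        reason = None
        if dst.role == "database":
            if src is None:
                reason = "database reachable from the public Internet"
            elif src.runs_vulnerable_moveit():
                reason = (f"workload running affected MOVEit build "
                          f"{src.moveit_version} may reach a database")
        if reason:
            violations.append((src_name, dst_name, reason))
    return violations


# Constructed sample environment: one unpatched MFT host, one patched, one DB.
SAMPLE_WORKLOADS = [
    Workload("mft-prod", "moveit", "2022.1.3"),
    Workload("mft-patched", "moveit", "2023.0.1"),
    Workload("billing-db", "database"),
]
SAMPLE_FLOWS = [
    (INTERNET, "billing-db"),       # rule 1: DB must not be public
    ("mft-prod", "billing-db"),     # rule 2: unpatched MOVEit -> DB
    ("mft-patched", "billing-db"),  # allowed: patched build
    (INTERNET, "mft-prod"),         # allowed by these rules: MFT is meant to be reachable
]

if __name__ == "__main__":
    for version in ("2020.0", "2021.0.5", "2022.1.3", "2022.1.5", "2023.0.1"):
        print(f"{version:>9}: {'affected' if is_affected(version) else 'not in range'}")
    for src, dst, reason in find_violations(SAMPLE_WORKLOADS, SAMPLE_FLOWS):
        print(f"BLOCK {src} -> {dst}: {reason}")
```

The version check is deliberately conservative: a branch that sits inside the advisory's range but is not in the table is reported as affected so it gets a human look, while anything newer than 2023.0.1 is outside the range NVD describes. The flow check only enforces the two rules the post names; a public-facing MFT host itself is allowed, since accepting transfers is its job, and the point of rule 2 is to keep an unpatched instance from becoming a path to the database.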
