Zero-Day Vulnerability in MOVEit Transfer Application Exploited by Hackers

Jun 6, 2023

In today’s digital age, cyberattacks have become increasingly frequent and sophisticated. As a result, businesses must prioritize cybersecurity to safeguard their sensitive information. Recently, hackers exploited a zero-day vulnerability in the MOVEit Transfer application, which could potentially compromise around 3,000 deployments exposed to the internet. This vulnerability is a significant concern for businesses, especially in the era of remote work, where secure communication channels are more crucial than ever.

MOVEit Transfer is an enterprise managed file transfer (MFT) product, a class of tool businesses rely on to keep their communication channels secure. The vulnerability could be exploited regardless of which of the application's supported database engines a deployment used, which could lead to severe consequences for affected businesses. The attack has been attributed to Lace Tempest, a hacking group active since 2018 that has targeted organizations in the US, Canada, and India, with a focus on industries such as finance, healthcare, and energy.

Besides transferring files, the MOVEit application stores its audit logs in its database, so those logs could be queried to obtain much the same information as the compromised database engine itself, which makes it easier for attackers to reach sensitive data. The attackers deployed a web shell with data exfiltration capabilities, allowing them to run SQL queries and enumerate files stored in Azure. One of the commands issued to the shell instructed it to retrieve the Azure-related settings of the MOVEit Transfer application, including the Azure Blob storage account and its associated key. This allowed the attackers to retrieve any files stored in Azure in compressed form.
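As an added illustration, not part of the article and not MOVEit's own tooling, the following Python script shows one way a defender could hunt for the kind of web shell described above in IIS W3C access logs: it flags any .aspx page the web server actually executed (HTTP 200) that is not in a baseline of known MOVEit entry points, notes unusually large responses from such pages, and counts repeated hits per client. The log excerpt, the client addresses, the web shell file name and the baseline set are constructed for the example; the baseline in particular is an assumption and should be taken from a known-good installation rather than from this listing.

```python
"""Heuristic web-shell hunt over IIS W3C access logs for a MOVEit Transfer host.

Added example; the log lines and the endpoint allowlist are constructed for
illustration and are not taken from the article or from the product vendor.
"""
from collections import defaultdict

# Assumed baseline of legitimate .aspx entry points on this deployment.
# In practice derive this from a known-good install, not from memory.
KNOWN_ASPX = {"/human.aspx", "/guestaccess.aspx", "/machine.aspx"}

# Constructed IIS log excerpt in W3C format. Not real traffic; the
# /example-webshell.aspx path is a placeholder, not a real indicator.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-bytes
2023-05-28 02:11:03 10.0.0.5 GET /human.aspx - 443 198.51.100.23 Mozilla/5.0 200 5120
2023-05-28 02:11:09 10.0.0.5 POST /guestaccess.aspx - 443 198.51.100.23 Mozilla/5.0 200 1210
2023-05-28 02:12:40 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 203.0.113.9 python-requests/2.28 200 0
2023-05-28 02:12:41 10.0.0.5 POST /example-webshell.aspx - 443 203.0.113.9 python-requests/2.28 200 948
2023-05-28 02:12:44 10.0.0.5 POST /example-webshell.aspx - 443 203.0.113.9 python-requests/2.28 200 2396190
2023-05-28 02:13:01 10.0.0.5 GET /missing.aspx - 443 192.0.2.77 Mozilla/5.0 404 0
"""


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that cannot be mapped reliably
        yield dict(zip(fields, parts))


def find_suspicious(text, known_aspx=KNOWN_ASPX, big_response=1_000_000):
    """Return findings as (kind, uri, client_ip, detail) tuples."""
    findings = []
    hits = defaultdict(int)
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        ip = rec["c-ip"]
        status = int(rec["sc-status"])
        size = int(rec["sc-bytes"])
        # Core signal: the server executed an .aspx file the product did not ship.
        # A 404 (e.g. scanner noise probing for files) is deliberately not flagged.
        if uri.endswith(".aspx") and uri not in known_aspx and status == 200:
            hits[(ip, uri)] += 1
            findings.append(("unknown-aspx-served", uri, ip, f"method={rec['cs-method']}"))
            # A very large response from such a page is consistent with bulk retrieval.
            if size >= big_response:
                findings.append(("large-response", uri, ip, f"bytes={size}"))
    # Repeated interaction from one client with the same unknown page.
    for (ip, uri), count in hits.items():
        if count >= 2:
            findings.append(("repeated-hits", uri, ip, f"count={count}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The allowlist approach is deliberately conservative: it will not catch a shell written into an existing page, so pair it with file integrity monitoring of the web root and with review of the application's own audit logs, which the article notes live in the same database the attackers reached.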

The Clop ransomware gang has a history of exploiting vulnerabilities in MFT tools. In 2020, the group exploited the Accellion File Transfer Appliance (FTA), and in January 2021, they exploited a zero-day remote-code execution vulnerability (CVE-2023-0669) in GoAnywhere MFT. The MOVEit Transfer zero-day vulnerability has already had consequences for UK payroll provider Zellis, used by companies such as British Airways, Boots, and the BBC. The company confirmed a breach through the MOVEit vulnerability and is working with the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) to mitigate the impact of the breach.

It is essential to secure MFT tools, which are often used to transfer sensitive information between organizations. With the rise of remote work, MFT tools have become increasingly important for businesses to maintain secure communication channels. Organizations should deploy the available patch as soon as possible to prevent any further exploitation of this vulnerability. The patch is urgent given the severity of the vulnerability and the potential consequences of a breach.

In conclusion, the MOVEit Transfer zero-day vulnerability is a wake-up call for organizations to take the security of their MFT tools seriously. Cyberattacks are becoming more sophisticated every day, and businesses must remain vigilant and proactive in protecting their networks and sensitive information. By doing so, they can reduce the risk of a breach and prevent the potentially catastrophic consequences that come with it. It is crucial to prioritize cybersecurity and stay up-to-date with the latest security measures to keep sensitive information safe.