In over 600 data breaches, 40 million individuals were affected across the globe due to the MOVEit Transfer vulnerability. Between June 2023 and the present day, healthcare information, educational records, financial records, personal information, Social Security numbers, and insurance details have been either stolen or wiped out by threat actors who abused the MOVEit Transfer vulnerability.
What is MOVEit Transfer?
MOVEit Transfer is an on-premises managed file transfer solution that was developed for the secure transfer of large volumes of files between entities. The solution relies on advanced encryption mechanisms to transmit data securely. It also minimizes the risks associated with native FTP and SFTP protocols and uses HTTP/S over REST API to transfer files securely.
What is the MOVEit Transfer vulnerability (CVE-2023-34362)?
MOVEit Transfer had a zero-day vulnerability that went unnoticed until a major breach took place in June 2023. The vulnerability affected a tech giant on August 15, 2023, exposing the healthcare information of the Colorado Department of Health Care Policy and Financing (HCPF). The company handled and transferred part of its data via MOVEit Transfer, and abuse of the vulnerability led to HCPF’s data leak. The company identified the vulnerability immediately.
The vulnerability allowed unauthenticated remote users to perform SQL injection attacks against MOVEit Transfer servers. They could issue queries to the underlying relational database to view, modify, and delete sensitive records. The vulnerability was present in all earlier versions of MOVEit Transfer, including 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
MOVEit Transfer’s SQL injection vulnerability
Reportedly, malicious code was injected via the LoginName parameter in an active session between a sender and a recipient, with the Transaction parameter set to passchangerequest and the session cookie manually set to InitialValue.
Setting the cookie to InitialValue tricks the browser into reusing a cookie that MOVEit Transfer had already generated on the user’s machine. Cookies contain sensitive information such as session IDs and user logon names. Once that cookie is in play, attackers tamper with the session IDs to create new sessions and pass their payloads as one of the session parameters.
This technique ensured that attackers could execute any kind of payload by modifying a few SQL queries in MOVEit Transfer.
Setting up backdoor access
The attackers also used web shells to set up backdoor access to the affected systems and execute arbitrary commands to steal data stealthily. The backdoor was accessed through legitimate-looking HTTP request headers, and the attackers had to present a password to use it. Returning a 404 Not Found error whenever the password was wrong made the backdoor hard for organizations to detect, since to anyone else it appeared not to exist.
What are the indicators of compromise (IoCs) for the MOVEit Transfer vulnerability?
MOVEit Transfer has released a list of patches that organizations need to apply to stay safe, along with a list of IoCs to watch for: HTTP request headers, files and their locations, IP addresses of the threat actors who abused the vulnerability, and hashes associated with the exploitation.
You can find the official list of IoCs released by MOVEit Transfer here.
The IoCs include:
- Any unauthorized user accounts created and used suddenly.
- New files created in the TEMP and ROOT directories of the MOVEit servers that enabled attackers to accumulate data before exfiltrating it.
- Sudden downloads or modification of sensitive data.
Detecting SQL injection attempts and other IoCs
A SIEM solution can closely track activities taking place on your SQL Server and other databases. SQL injection attempts, privilege abuse during database access, and other attack vectors that take place in various parts of your network, including command line executions for MOVEit, can be correlated to identify attack kill chains.
1. Set up a procedure for collecting and reading parent process command line executions.
2. Correlate process executions, command line executions, and other events that point to abuse of the MOVEit Transfer vulnerability.
You can get notified of such attacks in real time and remediate them using SIEM workflows.
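The following script is an added example, not code from ManageEngine or from the MOVEit Transfer vendor, showing what the correlation described above looks like in practice. It reads constructed IIS-style web log lines and constructed process-creation records, tags requests that match the indicators named in this post (a LoginName value carrying SQL metacharacters in a passchangerequest transaction, and requests to .aspx pages outside an expected set, including the 404 responses the backdoor returned to callers without the password), and links each such request to a shell spawned shortly afterwards by the web worker process. The log formats, the expected page names, and the assumption that the IIS worker process is w3wp.exe are all illustrative.

```python
"""Added detection example: correlate suspicious MOVEit web requests with
shells spawned by the IIS worker process. All sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus
import re

# Constructed allowlist of .aspx pages an operator expects in the MOVEit
# web root; the names are hypothetical, not real MOVEit Transfer paths.
EXPECTED_ASPX = {"/login.aspx", "/home.aspx", "/files.aspx"}

# Metacharacters and keywords that have no business in a logon name.
SQLI_PATTERN = re.compile(
    r"""['";]|--|/\*|\b(union|select|insert|update|delete|drop)\b""", re.I)

# Assumption: MOVEit Transfer is hosted by IIS, whose worker is w3wp.exe.
# A shell or script host spawned by it is a classic sign of a web shell.
WEB_WORKER = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe"}


@dataclass
class WebHit:
    when: datetime
    method: str
    path: str
    query: str
    client: str
    status: int
    reasons: list = field(default_factory=list)


@dataclass
class ProcEvent:
    when: datetime
    parent: str
    image: str
    cmdline: str


def parse_iis_line(line):
    """Constructed W3C-style line: date time method uri-stem uri-query c-ip status."""
    date, time, method, stem, query, client, status = line.split(maxsplit=6)
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return WebHit(when, method, stem.lower(), "" if query == "-" else query,
                  client, int(status))


def parse_proc_line(line):
    """Constructed process-creation record: time|parent image|image|cmdline."""
    time, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
                     parent.lower(), image.lower(), cmdline)


def inspect_request(hit):
    """Tag a request with the indicators the post describes; returns the tags."""
    params = parse_qs(hit.query, keep_blank_values=True)
    transaction = params.get("Transaction", [""])[0].lower()
    # parse_qs already decodes once; decode again to catch double-encoding.
    login = unquote_plus(params.get("LoginName", [""])[0])
    if transaction == "passchangerequest" and SQLI_PATTERN.search(login):
        hit.reasons.append("sql_metachars_in_loginname")
    if hit.path.endswith(".aspx") and hit.path not in EXPECTED_ASPX:
        hit.reasons.append("unexpected_aspx")
        # The backdoor answered 404 without the right password, so a 404 on
        # an unknown .aspx is worth keeping rather than discarding as noise.
        if hit.status == 404:
            hit.reasons.append("404_on_unknown_aspx")
    return hit.reasons


def correlate(web_lines, proc_lines, window=timedelta(seconds=120)):
    """Return (suspicious hits, suspicious spawns, alerts linking the two)."""
    hits = [h for h in map(parse_iis_line, web_lines) if inspect_request(h)]
    procs = [p for p in map(parse_proc_line, proc_lines)
             if p.parent.endswith(WEB_WORKER)
             and p.image.split("\\")[-1] in SHELL_CHILDREN]
    alerts = []
    for h in hits:
        for p in procs:
            if h.when <= p.when <= h.when + window:
                alerts.append({"client": h.client, "path": h.path,
                               "reasons": h.reasons, "child": p.image,
                               "cmdline": p.cmdline,
                               "delay_s": (p.when - h.when).seconds})
    return hits, procs, alerts


# Constructed sample data: one benign login, one tainted LoginName, two
# requests to a page that is not in the allowlist, and one shell spawn.
WEB_LOG = """\
2023-06-01 10:00:01 GET /login.aspx - 203.0.113.7 200
2023-06-01 10:00:05 POST /login.aspx Transaction=passchangerequest&LoginName=alice 203.0.113.7 200
2023-06-01 10:01:10 POST /login.aspx Transaction=passchangerequest&LoginName=alice%27-- 198.51.100.23 200
2023-06-01 10:01:20 POST /notes.aspx - 198.51.100.23 404
2023-06-01 10:01:31 POST /notes.aspx - 198.51.100.23 200
""".splitlines()

PROC_LOG = r"""2023-06-01 09:30:00|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2023-06-01 10:01:35|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir""".splitlines()

if __name__ == "__main__":
    for alert in correlate(WEB_LOG, PROC_LOG)[2]:
        print(alert)
```

In a SIEM the same two rules would be expressed as a search over the web server log source and the endpoint process source, with the time window as the join condition; the script keeps them side by side so the correlation logic is visible.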
Try out ManageEngine Log360, a SIEM solution that can perform complete security monitoring for your infrastructure to help thwart attacks, for free today.