Earlier this month, as Reuters, TechCrunch, the Washington Post, CNN and others reported, the US Department of Energy, several other government agencies, banks and other commercial organizations were hit in a global hacking campaign that exploited a vulnerability in MOVEit Transfer, a widely used file-transfer product from Progress Software.
MOVEit Breach: What happened?
A critical SQL injection vulnerability in the MOVEit Transfer managed file transfer (MFT) application is under widespread exploitation. It allows an unauthenticated attacker to modify and disclose the contents of MOVEit Transfer's database. The vulnerability has been assigned CVE-2023-34362.
Ransomware groups, notably Cl0p, have exploited this vulnerability in the wild to exfiltrate data at scale across many enterprises and federal agencies.
In the observed exploit chain, the threat actor first abuses the SQL injection in the web front end to obtain privileged access to the MOVEit Transfer server. With that access, and the service account MOVEit uses to reach its database, the actor executes a series of SQL queries against the backing database of the MFT tool, which can be MySQL, Microsoft SQL Server or Azure SQL Database. The actor then exfiltrates the data stored there and sends an extortion demand.
Evolving threat: multiple post-exploitation possibilities
The MOVEit exploit also hands the attacker elevated privileges on the database, and those privileges open up post-exploitation options beyond data exfiltration, even though none has been observed so far. An attacker could, for example, escalate further to operating-system-level privileges on the host of the MOVEit database and use them to move laterally into the organization, or tamper with files shared through MOVEit so that any user who downloads and opens them is compromised.
Resolving MOVEit Data Breach
Progress has released a patch for this vulnerability, and applying it is the first mitigation every MOVEit customer should take. Patching, however, is necessary but not sufficient. Shortly after the first patch shipped, the vendor disclosed a further SQL injection vulnerability in MOVEit Transfer, assigned CVE-2023-35708, which required a second patch. Vendors need time to produce each patch, and IT and security teams need additional time to plan, schedule and apply it.
Patching is necessary but not sufficient
For each newly identified vulnerability, threat actors have a window between discovery and the moment the patch is published and applied in which they can exploit it freely.
The continuing stream of vulnerabilities and follow-on patches shows that relying solely on patching is not a sufficient cyber-defense strategy. Moreover, attackers may already be inside the enterprise by the time a patch lands. Enterprises need an independent threat detection strategy that catches application exploits and data exfiltration regardless of patch status.
Existing security controls have limitations
This attack combines an application exploit with data exfiltration. Conventional perimeter and endpoint controls are largely blind to application-layer behavior and to the data itself: a SQL query issued through a legitimate service account, or a bulk download over the application's normal HTTPS channel, looks like ordinary traffic. Threat actors target exactly these application and data layers to compromise enterprises that have already deployed extensive security controls.
Active Defense Provides a New and Powerful Approach to Cybersecurity
Active Defense based on deception technology provides a high-fidelity detection and response mechanism for a large set of threats. It deploys a comprehensive deceptive fabric across the enterprise network to detect lateral movement and privilege escalation attempts.
In this case specifically, deception enables detection of the application exploit and of the data exfiltration that follows it, and the same detection holds for subsequent variants of the threat as they appear.
Deceptions can also be embedded in the data itself. For an application such as MOVEit, deceptive baits (decoy records, decoy files and decoy credentials) can be planted in the MOVEit data repository alongside real content.
Because no legitimate user or process has any reason to touch a bait, any access to it is a high-fidelity incident: the SOC receives a detection event with very little chance of a false positive, and can then isolate the threat with the associated response and mitigation actions. This gives SOC teams a practical way to detect and respond to data exfiltration.
Because detection keys on attacker behavior rather than on the signature of a specific flaw, Active Defense remains effective against new variants, including exploits of vulnerabilities for which no vendor patch is yet available.
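The following is an added example, not Acalvio's or Progress Software's code, of what "baits embedded in the data repository" and "an independent detection strategy for application exploits and data exfiltration" look like in practice. An in-memory sqlite3 database stands in for the MySQL / SQL Server / Azure SQL backend, the table and column names are invented, and the attacker queries and application log lines are constructed for the demo. Two signals are raised: a high-fidelity one whenever a decoy token appears in a SQL statement or in an application log line, and a lower-fidelity one for an unfiltered read of the whole file table, which is what bulk exfiltration looks like at the query level.

```python
"""Honey records in a file-transfer database and the detection logic around them.

Added example (not MOVEit's or Acalvio's code). sqlite3 stands in for the real
database backend; schema, tokens, queries and log lines below are all constructed.
"""
import re
import sqlite3

FILES_TABLE = "files"   # assumed names, not MOVEit's real schema
USERS_TABLE = "users"


def build_sample_db():
    """In-memory stand-in for the MFT backing database with a few real-looking rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {USERS_TABLE}(username TEXT PRIMARY KEY, role TEXT);
        CREATE TABLE {FILES_TABLE}(file_id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
        INSERT INTO {USERS_TABLE} VALUES ('alice', 'user'), ('svc_moveit', 'service');
        INSERT INTO {FILES_TABLE}(owner, name)
            VALUES ('alice', 'q2-report.xlsx'), ('alice', 'nda.pdf');
    """)
    return conn


def plant_decoys(conn):
    """Insert decoy rows that no legitimate user or scheduled job ever touches.

    Returns the set of decoy tokens. Any later appearance of one of them, in a
    query, a download or a login, is by construction attacker activity.
    """
    decoy_user = "svc_backup_admin"
    decoy_files = ["payroll_export_2023.csv", "vpn_credentials.txt"]
    conn.execute(f"INSERT INTO {USERS_TABLE} VALUES (?, 'admin')", (decoy_user,))
    for name in decoy_files:
        conn.execute(f"INSERT INTO {FILES_TABLE}(owner, name) VALUES (?, ?)", (decoy_user, name))
    conn.commit()
    return {decoy_user, *decoy_files}


class DecoyDetector:
    """Watches SQL statements and application log lines for decoy tokens."""

    def __init__(self, tokens):
        # Longest tokens first so a short token never shadows a longer one.
        alternation = "|".join(re.escape(t) for t in sorted(tokens, key=len, reverse=True))
        self.pattern = re.compile(alternation)
        self.alerts = []   # (severity, reason, token_or_None, evidence)

    def on_sql(self, sql):
        """sqlite3 trace callback: invoked with the text of every executed statement."""
        hit = self.pattern.search(sql)
        if hit:
            self.alerts.append(("HIGH", "decoy referenced in query", hit.group(0), sql.strip()))
        elif (re.match(r"\s*SELECT\b", sql, re.I) and FILES_TABLE in sql
              and not re.search(r"\bWHERE\b", sql, re.I)):
            # Whole-table read of the file index: what enumeration before exfiltration looks like.
            self.alerts.append(("MEDIUM", "unfiltered read of file table", None, sql.strip()))

    def on_log_line(self, line):
        """Decoy credentials lifted from a stolen dump show up later in auth/download logs."""
        hit = self.pattern.search(line)
        if hit:
            self.alerts.append(("HIGH", "decoy used outside the database", hit.group(0), line.strip()))


def run_detection():
    """Plant baits, replay constructed attacker and legitimate activity, return the alerts."""
    conn = build_sample_db()
    tokens = plant_decoys(conn)
    detector = DecoyDetector(tokens)
    conn.set_trace_callback(detector.on_sql)   # installed after planting, so baits do not self-alert

    # Constructed attacker statements, as injected SQL would arrive: literal text, no parameters.
    conn.execute(f"SELECT owner, name FROM {FILES_TABLE}")                          # bulk enumeration
    conn.execute(f"SELECT * FROM {FILES_TABLE} WHERE name = 'vpn_credentials.txt'")  # bait touched
    # Legitimate application query: scoped to one real user, never touches a bait.
    conn.execute(f"SELECT name FROM {FILES_TABLE} WHERE owner = 'alice'")

    # Constructed application log lines; the second reuses the decoy account from the dump.
    app_log = [
        "2023-06-05T02:14:09Z auth ok user=alice src=10.1.2.3",
        "2023-06-05T02:31:44Z auth ok user=svc_backup_admin src=203.0.113.7",
    ]
    for line in app_log:
        detector.on_log_line(line)
    return detector.alerts


if __name__ == "__main__":
    for severity, reason, token, evidence in run_detection():
        print(f"[{severity}] {reason} token={token!r} evidence={evidence!r}")
```

Note the fidelity split: the two HIGH alerts need no tuning, because the tokens are known never to occur in legitimate activity, while the MEDIUM bulk-read heuristic would need a per-environment baseline (reporting jobs also read whole tables). The patch state of the application plays no part in either signal, which is the point of running detection independently of patching.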
Enhancing Security with Acalvio’s ShadowPlex Platform
Acalvio provides deception-based Active Defense solutions. Its platform, ShadowPlex, can be used by enterprises and federal agencies to detect known as well as zero-day threats and to gain protection against data exfiltration.