The MOVEit Hack - The Insecurity of Security Products

12 June 2023 | 4 min read | Scott Lester

A short blog on the MOVEit hack, which is still in progress but has already affected a number of large organisations in the UK.

The Incident

So what’s the problem? It’s a critical zero-day vulnerability in MOVEit, a file transfer application that runs from a locally installed server (there is also a cloud version, which is unaffected by this issue). The vulnerability, a SQL injection that leads to full database access, is being tracked as CVE-2023-34362. A patch is already available for it, as it is for some further SQL injection vulnerabilities that were found during the security review following the original issue and disclosed over the weekend.
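The bug class described above, as an added illustration (this is not MOVEit's code and not the specific CVE-2023-34362 flaw, whose details the post does not go into): a lookup whose SQL is assembled from user input, beside the parameterised form, both run against a constructed in-memory SQLite table so the difference in what each returns is visible.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user table
# (example schema and rows only, unrelated to MOVEit's real database).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The statement text is built from user input, so the input is parsed as
    # SQL grammar rather than treated purely as a value to compare against.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    # The driver sends the statement and the bound value separately; whatever
    # the value contains, it can only ever be compared against the column.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    """Run both lookups on the same input and return both result sets."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterised": lookup_parameterised(conn, username),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    # A legitimate username, then the classic tautology probe.
    for probe in ["alice", "' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

The tautology probe turns the interpolated query into `WHERE username = '' OR '1'='1'`, which matches every row; the parameterised query compares the literal string against the column and matches nothing. The same separation of code from data is what makes the "full database access" outcome described above impossible from this path.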

As to the attackers, Microsoft have attributed the attack to the people behind the Clop extortion site.

The Register is reporting that the group has set a deadline of 14th June for the victims to pay up, after which their data will supposedly be leaked. Unfortunately, initial exploitation seems to be both wide and diverse, with a range of companies already affected.

One UK victim is Zellis, a payroll and HR services provider, whose compromise has apparently included payroll data from their customers. For affected organisations in the UK, the NCSC is involved and the BBC has advice for victims.

(In)Security Appliances

It’s the third big hack of a file transfer appliance in recent memory - the same group were reportedly also behind the GoAnywhere MFT hack, and apparently had connections to the hack of Accellion FTA as well.

As we’ve previously covered, network appliances, including many that are in place for security itself, have not had a great track record in terms of security. Even as I write this, there’s news of a new RCE vulnerability in Fortinet SSL VPNs.

The ongoing, widespread use of network appliances is interesting, given how many applications and services have moved into the cloud. A VPN appliance implies on-premises assets to which remote workers need to connect, or maybe a security model that places more trust on LAN-connected devices. It underlines that whilst new or smaller companies may be wholly in the cloud, you’d be wrong to assume it’s the same for every organisation.

It’s particularly interesting that on-premises file transfer applications are still so popular - presumably the barrier for many administrators is moving the file stores themselves into the cloud. It’d be interesting, and somewhat ironic, if the reason behind this is security.

Security Legacy

It does feel like many older products are carrying a security legacy, created from the way they are built and maintained, and the technologies they use. It’s certainly easier to build more secure products from scratch than it is to update older applications with security. Of course, cloud-based SaaS products can and do have security issues, but at least in the worst case they’re not inside your office network or connected to your file storage platform.

It’s a good argument for End-to-End Encryption (E2EE) of user data in an application - it means that even if the SaaS application is compromised, much of the data won’t be available to the hackers (I say “much” because there’s always going to be some plaintext customer data in any SaaS backend). Whilst we wanted E2EE in Trebuchet to provide customers privacy from us (we can’t decrypt the content of user transfers), it also provides protection in the event of a compromise of the architecture.
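The property argued for above, as an added example that is not Trebuchet's code or design: the client encrypts and authenticates a transfer under a key the service never receives, the backend stores only the resulting blob plus the routing metadata it genuinely needs, and `simulate_breach` returns what an attacker with full database access would get. The `SaasBackend` class, its field names and the HMAC-SHA256 counter-mode keystream are constructed for this illustration; a real client would use an AEAD such as AES-GCM from a vetted library rather than this hand-rolled stream construction.

```python
import hashlib
import hmac
import os

def _derive_keys(user_key):
    # Separate encryption and MAC keys derived from the user's key (HMAC used as a KDF).
    enc_key = hmac.new(user_key, b"demo/enc", hashlib.sha256).digest()
    mac_key = hmac.new(user_key, b"demo/mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 run in counter mode as a PRF keystream. Illustrative only;
    # production code uses an authenticated cipher from a vetted library.
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def client_encrypt(user_key, plaintext, nonce=None):
    """Encrypt-then-MAC on the client. Layout: nonce(16) | ciphertext | tag(32)."""
    enc_key, mac_key = _derive_keys(user_key)
    nonce = os.urandom(16) if nonce is None else nonce
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def client_decrypt(user_key, blob):
    """Verify the tag before touching the ciphertext; reject wrong keys and tampering."""
    enc_key, mac_key = _derive_keys(user_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

class SaasBackend:
    """The service side: holds ciphertext and routing metadata, never the user key."""

    def __init__(self):
        self.transfers = {}

    def upload(self, transfer_id, sender, recipient, filename, blob):
        # Constructed example of the plaintext metadata that inevitably stays server-side.
        self.transfers[transfer_id] = {
            "sender": sender,
            "recipient": recipient,
            "filename": filename,
            "size": len(blob),
            "blob": blob,
        }

    def dump(self):
        # Models an attacker with full database access: every record, as stored.
        return {tid: dict(rec) for tid, rec in self.transfers.items()}

def simulate_breach(user_key, plaintext, transfer_id="t-001"):
    """Upload one E2EE transfer, then return the attacker's view of that record."""
    backend = SaasBackend()
    backend.upload(transfer_id, "alice@example.com", "bob@example.com",
                   "payroll-2023-06.csv", client_encrypt(user_key, plaintext))
    return backend.dump()[transfer_id]

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key, never sent to the server").digest()
    leaked = simulate_breach(key, b"employee,salary\nA. Person,40000\n")
    print({k: v for k, v in leaked.items() if k != "blob"})
    print("blob:", leaked["blob"].hex())
```

What the dump shows is the point of the paragraph: sender, recipient, filename and size are readable, which is the "some plaintext customer data" caveat, while the file contents are not, and nothing held by the backend lets the attacker change that.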

As a security company building security products, we’ve always had to set a high bar for our own security standards. We’ve at least had the advantage of starting from scratch, but there’s always more to do. Adding an attack surface product to our offerings definitely made it harder to ignore or put off fixing any remaining minor issues we have in our infrastructure, although on last check we still had some HTTP headers to apply here or there…
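The kind of check that catches the "HTTP headers here or there" mentioned above, as an added example and not Red Maple's own tooling: parse a raw response, report the standard hardening headers that are missing or set to a weak value, and flag headers that only disclose the stack. The expected set and the acceptance rules are one reasonable baseline chosen for this illustration; the sample response is constructed.

```python
import urllib.request

# Baseline set of response headers to look for, with what counts as an
# acceptable value. Chosen for this example; tune to the application.
EXPECTED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: v.strip() != "",
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v.strip() != "",
}

# Headers whose only effect is to advertise the server stack; flagged if present.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

def parse_response_headers(raw):
    """Parse the header section of a raw HTTP/1.1 response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, acceptable in EXPECTED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif not acceptable(lower[name]):
            findings.append(f"weak {name}: {lower[name]!r}")
    for name in sorted(set(lower) & DISCLOSURE_HEADERS):
        findings.append(f"disclosure {name}: {lower[name]!r}")
    return findings

def audit_url(url):
    """Live variant: fetch one response and audit its headers (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(dict(resp.headers.items()))

# Constructed response from a hypothetical server: HSTS is set, CSP and the
# other baseline headers are absent, and X-Frame-Options has a non-standard value.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/1.0\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_headers(parse_response_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Running this against the sample lists one weak value, three missing headers and one disclosure; pointed at a real host with `audit_url`, it is the sort of thing worth wiring into a scheduled job so the "here or there" list does not quietly grow again.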

Affected Companies (Updated 20/06/23)

The full list of victims of the MOVEit hack is still coming to light; however, the following high-profile organisations have confirmed they were affected by the attack:

  • BBC
  • British Airways
  • Boots
  • Aer Lingus
  • US Department Of Energy

The list continues to grow as more victims come forward; the full list of companies impacted by the MOVEit hack can be found here.

About Scott Lester
Scott is a technical cyber security professional with over fifteen years’ experience across a broad range of roles within the public and private sectors. With a deep understanding of cyber security, he has in his career focused on applied cryptography, network technologies, digital forensics and security research. At Red Maple he leads the delivery of all of our cyber security services.