A recently exploited vulnerability in Progress Software’s MOVEit file transfer application has left over 130 organizations exposed to SQL injection. SQL injection allows an attacker to send specially crafted commands to a database server, which can result in data disclosure from tables storing sensitive information. The MOVEit vulnerability has resulted in over 15 million users losing their sensitive information to cyber-criminals, and more people are expected to be affected in the future.
MOVEit Exploit Details
The MOVEit vulnerability is catalogued in the Common Vulnerabilities and Exposures (CVE) database as CVE-2023-34362. SQL injection vulnerabilities give cyber-criminals a wide range of options, and the MOVEit vulnerability allowed them to view the database structure and potentially drop tables or alter their configuration. Specially crafted SQL statements also disclosed table data, so sensitive information was exposed by the MOVEit exploit.
In a SQL injection (SQLi) attack, the vulnerability is usually a combination of a poorly configured database and unvalidated user-supplied input in an application that sends commands to the database. Developers should always have their applications tested for SQLi vulnerabilities, and database administrators must also limit the permissions of the database account the application uses to run its SQL statements. Both cybersecurity strategies were non-existent with the MOVEit cloud software, so cyber-criminals could take advantage of elevated privileges on the database and inject user-supplied input into the application’s database requests.
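As an added illustration of the two defects described above (this is example code written for this article, not code from MOVEit or from Progress), the following Python snippet uses an in-memory SQLite database with constructed sample rows: a lookup that splices user input into the SQL text sits beside its parameterized form, and a connection-level authorizer stands in for a least-privilege database account that is not allowed to drop or alter tables.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a file-transfer app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "admin"),
        ("bob", "bob@example.com", "user"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Unvalidated input spliced into the SQL text: the classic SQLi defect."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def restrict_app_account(conn):
    """Model of least privilege for the application's database account.

    SQLite has no user accounts, so an authorizer callback is used here to deny
    the schema changes that an over-privileged account would otherwise permit.
    """
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def try_drop_users(conn):
    """Return True if this connection is able to drop the users table, False if denied."""
    try:
        conn.execute("DROP TABLE users")
        return True
    except sqlite3.DatabaseError:  # SQLite reports a denied action as "not authorized"
        return False


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection string for the demonstration
    print(lookup_vulnerable(conn, payload))  # every email in the table leaks
    print(lookup_safe(conn, payload))        # [] : treated as a literal name
    restrict_app_account(conn)
    print(try_drop_users(conn))              # False : schema change denied
```

Even with the parameterized query in place, the restricted account is what keeps a future input-handling bug from turning into dropped tables, which is why the article treats the two controls as complementary rather than interchangeable.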
The Progress MOVEit application was a web-based enterprise service used to transfer files safely between users within an organization or between an organization’s employees and its customers. Because organizations handle sensitive files and information with it, the MOVEit exploit resulted in the potential disclosure of enterprise secrets, intellectual property, customer data, and employee information.
Progress released a public statement to help notify clients and published a security patch for their cloud file transfer software. In addition to releasing a security patch, Progress also announced a regular update schedule on July 5, 2023, to remediate security vulnerabilities in the future. A third-party forensics consultant signed off on the remediation and confirmed that Progress had effectively patched the vulnerability.
The Aftermath of the SQLi Exploit
Although unconfirmed, the Cl0p ransomware group took credit for the exploit. Security researchers estimate that dozens of organizations fell victim to the third-party cloud vulnerability. The extent of data disclosure depends on the files transferred using MOVEit. Still, any organization using the Progress cloud software should have forensic consultants monitor the dark web for any signs of data disclosure.
Because the exploit affected the third-party cloud application, the local infrastructure of affected organizations should not need any updates or configuration changes. However, the exploit highlights the importance of security for the third-party applications that support a business. The MOVEit file transfer service is advertised as a safe method for sharing documents, but organizations should always use layers of cybersecurity to protect against third-party software failure. Cybersecurity controls should overlap and create additional layers that act as failover, so that a proper implementation has no single point of failure.
The unfortunate side of third-party compromises is the businesses and individuals affected. The MOVEit compromise affected over 130 organizations, and these organizations needed the help of Progress to figure out their level of damage. Organizations can’t control a third party’s security, but they can take some steps to protect their assets.
Zero-Day Exploit Prevention is Necessary
After cybersecurity professionals and manufacturers remediate a single threat, cyber-criminals immediately author several new threats to bypass the latest cyber-defense innovation. Cybersecurity is a constant cat-and-mouse game, and zero-days are an effective way to achieve the same goal despite remediation efforts.
Most organizations rely on at least one third-party vendor. For example, Google Workspace and Microsoft Office 365 are two productivity applications typical in an enterprise environment. You can’t control the security of these platforms, but you can take the necessary steps to limit the damage done should cyber-criminals compromise the third-party software. Zero-day prevention should be a component of any cybersecurity strategy, but it’s not as complex as you might think.
You can’t eliminate the risk of a compromise from a zero-day exploit, but you can reduce it by taking preventive measures. Those measures might not stop the zero-day itself, but they can limit the damage. Mitigating risks from a third-party application is also tricky, especially if you rely on an application like MOVEit to stay secure but can’t control its management or patching workflows.
Here are a few steps you can take to avoid risks:
- Set up email filters: Should a third-party application get hacked, cyber-criminals with access to email addresses will use them to craft future phishing campaigns for additional compromises. Email filters stop these messages before they reach your employees.
- Monitor your environment for suspicious activity: If you don’t already have monitoring systems, check whether that puts you in violation of your compliance requirements. Most compliance regulations require data access and network traffic monitoring, and monitoring also detects suspicious traffic that could indicate a compromise.
- Perform background checks on third-party applications: Third-party risk management systems monitor cloud applications, but performing a background check lets you assess the risk of a compromise by validating the cybersecurity and risk management practices of every vendor with access to your systems.
- Keep archives and backups of your data: In case of a compromise – especially with ransomware – you’ll need backups to recover data. Archives are necessary for legal issues, and backups are immediate remediation for irrecoverable data damage.
How TitanHQ Can Help with Zero-Day Threats
For any cybersecurity strategy, every aspect of your network should have a layer covering its protection. This means that threats must bypass several layers before obtaining unauthorized access to data. Cybersecurity layers include monitoring systems that detect suspicious activity and alert administrators.
TitanHQ can help with a layered approach to cybersecurity with our anti-spam, archiving, anti-phishing, web content filtering, cybersecurity awareness, and encryption products. With these products, you can protect your environment proactively so that zero-day threats are stopped at the very beginning – when cyber-criminals target your employees, who are always your weakest link.
Prevent zero-day attacks with multi-layered security from SpamTitan and WebTitan. Get in touch with a TitanHQ team member today to learn more about preventing zero-day vulnerabilities. Contact us.