HHS alerts of MOVEit Transfer critical vulnerability putting healthcare sector at risk, as Mandiant offers more detail

The Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health & Human Services (HHS) assessed that the critical vulnerability that exists in MOVEit Transfer software could result in unauthorized access and privilege escalation across the healthcare sector. MOVEit Transfer is commonly used by healthcare organizations to securely transfer large files and data between their internal and external networks. 

On Friday, threat intelligence firm Mandiant disclosed that it currently attributes this activity to UNC4857, a newly created threat cluster with unknown motivations that has impacted organizations operating in a wide range of industries based in Canada, India, and the U.S., although its impact is almost certainly broader. The seemingly opportunistic nature of this campaign and the subsequent data theft activity is consistent with previous activity seen from extortion actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks.

“The software is used by multiple organizations in the HPH sector, including hospitals, clinics, and health insurance groups. Sensitive information such as medical records, bank records, social security numbers, and addresses are at risk if this vulnerability is leveraged,” the HC3 said in its sector alert issued Friday. “The targeted organization could be subject to extortion by financially motivated threat groups. HC3 recommends that any HPH organization that currently utilizes MOVEit take immediate action, as noted below in the Mitigations section, while the software company produces a patch.” 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) in an alert also urged “users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity. A cyber threat actor could exploit this vulnerability to take over an affected system,” it added.

Presently, there are no patches for this latest vulnerability, but there are mitigation measures that can be taken to help prevent unauthorized access to MOVEit Transfer software, the HC3 alerted. “The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. As of May 31, 2023, the vulnerability does not have a CVE. File transfer solutions are frequently targeted by multiple threat actors, including ransomware groups,” it added.

Last week, Progress Software (formerly Ipswitch) disclosed the presence of the critical vulnerability that exists in MOVEit Transfer software. The MOVEit Transfer SQL injection vulnerability could lead to remote code execution and does not currently have a CVE assigned to it. It is reported that there are 2,500 exposed MOVEit Transfer servers, with the majority located in the U.S., and that the same webshell was found on all exploited devices. The company has yet to report any attempts at extortion resulting from the vulnerability, nor is there any attribution to specific threat actors.

The HC3 alert highlighted that ‘due to its wide footprint, exploitation of this vulnerability can greatly impact the HPH sector.’ Any attack could potentially allow the attacker to disrupt normal operations, access sensitive information, or launch attacks against other connected systems within the healthcare organization’s network.

HC3 evaluates that the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers. Both of these products are managed file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.

“This zero-day vulnerability could allow an attacker to escalate privileges and gain unauthorized access to the healthcare environment, potentially compromising any number of victims,” the alert said. “Presently, there are no patches for this latest vulnerability, but there are mitigation measures that can be taken to help prevent unauthorized access to MOVEit Transfer software.”

The HC3 alert also recommends that healthcare organizations disable all HTTP and HTTPS traffic to the MOVEit Transfer environment. “Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. If you require additional support, please immediately contact Progress Technical Support by opening a case via https://community.progress.com/s/supportlink-landing,” it added.

“As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing ‘https://localhost/.’ For more information on localhost connections, please refer to MOVEit Transfer 

“Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT web shell with filenames that masquerade as human[dot]aspx, which is a legitimate component of the MOVEit Transfer software,” Mandiant researchers wrote in a Friday blog post. “Mandiant has observed several POST requests made to the legitimate guestaccess[dot]aspx file before interaction with the LEMURLOOT webshell, indicating SQLi attacks were directed towards that file.” 

Mandiant said that preliminary analysis has not yet yielded evidence of concrete overlaps between UNC4857 and existing threat clusters at this time. “However, there are some notable, but broad similarities between the tactics, techniques, and procedures (TTPs) used by UNC4857 and those associated with FIN11 data theft extortion activity.” 

The researchers added that they have observed LEMURLOOT samples with the filenames human2[dot]aspx and _human2[dot]aspx. “Various samples with the name human2.aspx were uploaded to VirusTotal beginning on May 28, 2023. Samples of LEMURLOOT have been uploaded to public repositories from several additional countries—including Italy, Pakistan, and Germany—suggesting that UNC4857 has also impacted organizations in these nations,” they added.  

Additionally, LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software, including the ability to generate commands to enumerate files and folders, retrieve configuration information, and create or delete a user with a hard-coded name. Initial analysis suggests that the LEMURLOOT web shell is being used to steal data previously uploaded by the users of individual MOVEit Transfer systems.  

Mandiant is aware of multiple cases where large volumes of files have been stolen from victims’ MOVEit Transfer systems, the post noted. “LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage, although it is unclear if theft is limited to data stored in this way.”

In many cases, the scanning and exploitation leading to the delivery of LEMURLOOT were sourced from IP addresses in the range 5.252.188.0/22; however, interaction with the web shell and data theft came from different systems, the researchers outlined. “Many of the hosts used to support these second-stage operations hosted RDP services with certificates generated between May 19 and 22, which is suggestive of when this infrastructure may have been staged.”
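As an added defender-side example (not part of the HC3 alert or Mandiant's post), the following Python turns the indicators quoted above into a simple hunt over web server access logs: requests for the LEMURLOOT filenames human2.aspx and _human2.aspx, POSTs to the legitimate guestaccess.aspx, and sources inside 5.252.188.0/22. The IIS-style log format and the sample entries are constructed assumptions for illustration; the legitimate human.aspx is deliberately not flagged.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IIS-style log lines (date time c-ip cs-method cs-uri-stem sc-status).
# Hypothetical sample input for this example, not real MOVEit Transfer logs.
SAMPLE_LOG = """\
2023-05-27 03:12:01 5.252.189.14 POST /guestaccess.aspx 200
2023-05-27 03:12:03 5.252.189.14 POST /guestaccess.aspx 200
2023-05-27 03:12:09 5.252.189.14 GET /human2.aspx 200
2023-05-27 04:01:44 198.51.100.7 POST /human2.aspx 200
2023-05-27 04:05:10 203.0.113.5 GET /human.aspx 200
2023-05-27 04:06:00 203.0.113.5 POST /_human2.aspx 404
"""

# Indicators taken from the HC3 and Mandiant reporting quoted in the article.
SCAN_RANGE = ipaddress.ip_network("5.252.188.0/22")
WEBSHELL_NAMES = {"human2.aspx", "_human2.aspx"}   # LEMURLOOT filenames
SQLI_TARGET = "guestaccess.aspx"                   # POSTs preceded web shell use

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, uri, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "uri": uri, "status": int(status)}


def hunt(log_text):
    """Return findings keyed by client IP: the reasons each IP looks suspicious."""
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Compare on the final path component so /anything/human2.aspx still matches.
        name = rec["uri"].rsplit("/", 1)[-1].lower()
        if ipaddress.ip_address(rec["ip"]) in SCAN_RANGE:
            findings[rec["ip"]].add("source in reported scanning range")
        if name in WEBSHELL_NAMES:
            findings[rec["ip"]].add(f"request for LEMURLOOT filename {name}")
        if rec["method"] == "POST" and name == SQLI_TARGET:
            findings[rec["ip"]].add(f"POST to {SQLI_TARGET}")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}
```

Any hit on the web shell filenames is worth escalating regardless of status code, since a 404 still records an attempt to reach the masquerading file.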

Last month, U.S. and international cybersecurity partners released a joint Cybersecurity Advisory (CSA) highlighting malicious activity executed by a People’s Republic of China (PRC) state-sponsored cyber hacker group known as Volt Typhoon. The agencies have so far revealed that private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and believe the group could apply the same techniques against these and other sectors worldwide.
