US, Canadian agencies warn of potential risks from MOVEit Transfer software vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) re-released on Friday an earlier cybersecurity advisory reporting that the CL0P ransomware gang is exploiting a previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer. The agency updated the document to remove old Fortra GoAnywhere campaign IP addresses and to add new IP addresses.

Last week, the agency also published an alert that Progress Software has released a security advisory for a privilege escalation vulnerability in its managed file transfer software, MOVEit Transfer. The latest security vulnerability is listed in MITRE’s critical vulnerability database as CVE-2023-35708.

“A cyber threat actor could exploit this vulnerability to take control of an affected system,” CISA added. Progress released a second patch on June 9th to cover critical vulnerability CVE-2023-35036. 

Organizations have been called upon to take an inventory of assets and data, identify authorized and unauthorized devices and software, grant admin privileges and access only when necessary, and establish a software allow list so that only legitimate applications can execute. Additionally, they must monitor network ports, protocols, and services, activate security configurations on network infrastructure devices, regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.

The Health Sector Cybersecurity Coordination Center (HC3) in the Department of Health & Human Services (HHS) warned the healthcare sector of potential risk from the critical vulnerability in the MOVEit Transfer software. A targeted organization could be subject to extortion by financially motivated threat groups. The agency recommends that any healthcare and public health (HPH) organization that currently utilizes MOVEit take immediate mitigation action, in addition to applying the updates outlined on the Progress Security Center webpage.

“On May 31, 2023, Progress Software (formerly IPSwitch) published a notification disclosing that a critical vulnerability exists in their MOVEit Transfer software, which could result in unauthorized access and privilege escalation,” the HC3 said in its sector alert. “The vulnerability is a SQL injection flaw that allows for escalated privileges and potential unauthorized access. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. As of June 15, 2023, the vulnerability has been serialized with two separate CVEs: CVE-2023-35708 and CVE-2023-35036. The updates can be found on the Progress Security Center webpage.”

The agency identified that the software is used by multiple organizations in the HPH sector, including hospitals, clinics, and health insurance groups. Sensitive information such as medical records, bank records, social security numbers, and addresses is at risk if this vulnerability is leveraged.

The alert comes amid reports last week that multiple local, state, and federal agencies were targeted by threat actors leveraging the MOVEit Transfer vulnerabilities. The Oregon and Louisiana transportation departments have warned millions of residents that their identities are at risk after a cyberattack on Thursday stole names, addresses, and social security numbers.

Additionally, two Department of Energy (DOE) entities were among the impacted federal agencies. The education sector was also targeted; Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that sensitive personal and financial information, including health billing records, may have been stolen in the hack. The University of Georgia school system is currently investigating the scope and severity of the hack.

“While the exact number of victims remains unknown, CL0P on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw,” the HC3 identified. “The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.”

The zero-day vulnerability could allow an attacker to escalate privileges and gain unauthorized access to the healthcare environment, potentially compromising any number of victims, HC3 alerted. “This vulnerability also follows previous MOVEit vulnerabilities as reported in NIST, including CVE-2023-30394 (May 19, 2023), CVE-2021-37614 (August 17, 2021), CVE-2021-33894 (June 22, 2021), CVE-2021-31827 (May 25, 2021), and CVE-2020-12677 (May 19, 2020).”

All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer. 

“To help prevent unauthorized access to your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures until you are able to apply the June 15th patch (CVE-2023-35708),” HC3 advised the HPH sector. 

The agency also suggests disabling all HTTP and HTTPS traffic to the MOVEit Transfer environment. More specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. It is important to note that until HTTP and HTTPS traffic is re-enabled, users will not be able to log on to the MOVEit Transfer web UI; MOVEit Automation tasks that use the native MOVEit Transfer host, the REST, Java and .NET APIs, and the MOVEit Transfer add-in for Outlook will not work; the SFTP and FTP/S protocols will continue to work as normal.

Furthermore, “as a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.” 

As patches for supported MOVEit Transfer versions become available, links will be provided below, the HC3 noted. “Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same when staying on a major release to apply the patch. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment,” it added.
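The interim mitigation described above (deny inbound HTTP/HTTPS on ports 80 and 443, keep SFTP/FTPS running, then re-enable web traffic once the patch is applied), as an added example that is not from HC3 or Progress. It uses the built-in Windows Defender Firewall cmdlets on the MOVEit Transfer host itself; the rule name is an assumption chosen for this example.

```powershell
# Added example: temporary Windows Defender Firewall rule for a MOVEit Transfer host.
# Run from an elevated PowerShell session on the MOVEit Transfer server.
# Not part of the advisory; rule name below is an assumption for this example.
$RuleName = "MOVEit-Transfer-Temp-Deny-HTTP-HTTPS"

function Disable-MoveitWebTraffic {
    # Block inbound TCP 80 and 443 on every firewall profile. Block rules take
    # precedence over allow rules, so the existing IIS allow rules stay in place but
    # stop matching. SFTP (TCP 22 by default) and FTP/S are not touched, matching the
    # advisory's note that those protocols keep working.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 80,443 `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Confirm the rule is present and enabled before relying on it.
    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action
}

function Enable-MoveitWebTraffic {
    # Remove the temporary rule only after the CVE-2023-35708 patch has been applied;
    # the pre-existing allow rules then apply again.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Usage:
# Disable-MoveitWebTraffic   # before patching; admins use RDP and https://localhost/ as the advisory describes
# Enable-MoveitWebTraffic    # after patching, to restore web UI and API access
```

If the host sits behind a perimeter firewall, apply the equivalent deny for ports 80 and 443 there as well, since the advisory's mitigation is about reaching MOVEit Transfer from the network, not only about the local host.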

Reacting to the global cyberattack that compromised the Department of Energy (DOE), as well as several other federal agencies, House Energy and Commerce Committee Chair Cathy McMorris Rodgers, a Republican from Washington, and Committee Ranking Member Frank Pallone, Jr., a Democrat from New Jersey, wrote in a statement last week that the wide-scale nature of this attack underscores the importance of bolstering the ability of industry-specific federal agencies to secure America’s critical infrastructure and respond to complex attacks. 

“Our energy infrastructure security requires the vigilance of sector-specific experts to ensure Americans are safe. We continue to monitor the situation and are requesting briefings from the Biden administration, including from DOE, in order to gain a complete understanding of the severity of this attack,” according to Rodgers and Pallone. “As we learn more, Energy and Commerce will continue to lead to ensure our energy grid, hospitals, supply chains, and American homes and businesses are protected and prepared when attacks occur. People’s lives and livelihoods are counting on it.”

On Friday, the Canadian Centre for Cyber Security (Cyber Centre – a part of the Communications Security Establishment) urged Canadian organizations to be vigilant and prepared for potential disruptive cyber activity, based on public threats made by Russian-aligned malicious cyber actors. This follows a February alert that warned Canadian organizations and critical infrastructure operators to be prepared for the possible disruption and defacement of websites by cyber threat actors aligned with Russian interests.

“The Cyber Centre continues to remind the Canadian cyber security community – especially the operators of government and critical infrastructure web sites – to adopt a heightened state of vigilance, and to bolster their awareness of and protection against malicious cyber threats,” the latest alert warned. “Russian-aligned malicious cyber actors have publicly stated their intention to target nations united in supporting Ukraine’s defence against Russia’s attacks and aggression.” 

The Cyber Centre also continues to share valuable cyber threat information with Canadian critical infrastructure and government partners through protected channels and monitor the cyber threat environment in Canada and globally, it added.
