While zero-day vulnerabilities typically make headlines when they are first disclosed, they have lasting long-term impacts in the ensuing weeks, months and years, as threat actors continue to target unpatched instances. In fact, an August report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) found that the majority of the flaws that attackers routinely exploited over the last year were disclosed in 2021 or earlier, including the Log4Shell flaw from 2021, the ProxyShell bugs in Exchange from 2021 and a Fortinet SSL VPN bug from 2018.
For MOVEit, many of the attacks occurred during an initial rampage on vulnerable MOVEit Transfer servers by the threat actors linked to the Clop ransomware. Some researchers said that they first saw this exploit activity on May 27, while others saw scanning for the MOVEit Transfer logging page as early as March 3 (months before the bug became public on May 31). While victim disclosures are still steadily continuing, many disclosures are stemming from this initial surge. For instance, though it only recently disclosed details on the impact of its breach, National Student Clearinghouse first learned on June 20 that the unauthorized actor had accessed files on May 30.
“It’s still very successful [for threat actors] as far as we know, it’s having a continued impact on a variety of industries and we’re nowhere near to seeing the total impact of that,” said Glenn Thorpe, senior director of Security Research and Detection Engineering with GreyNoise. “We know MOVEit is not over yet – actors haven’t moved away from it and it hasn’t stopped being fruitful for them.”
The obvious lesson here, both with the MOVEit Transfer bug and with other actively exploited flaws, is to patch vulnerabilities that are serious or under active exploitation as soon as possible. In a new survey looking at top exploited vulnerabilities of this year, Qualys researchers calculated that the flaw had a mean time to response/remediate (MTTR) of seven days. This data point, which shows the average time taken to address the vulnerability after detection, is low in comparison to other vulnerabilities like the PaperCut NG/MF bug (CVE-2023-27350), which had an MTTR of 23 days, and the Fortra GoAnywhere MFT remote code execution flaw (CVE-2023-0669) that had one of 31 days. However, Qualys researchers found that the flaw had a patch rate of just over 51 percent, showing that many systems are still exposed.
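The two metrics in the Qualys survey are easy to conflate: MTTR is averaged only over assets that actually got patched, so it can look healthy while the patch rate stays low. The following added example (written for this page, not code from Qualys or the article's author) computes both from a constructed, clearly hypothetical asset inventory and lists which hosts remain exposed; the host names, dates and field names are assumptions made for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample inventory (not real scan data): one row per affected host.
# 'detected' is when a vulnerable version was first identified by scanning;
# 'remediated' is the date the patch was confirmed, or None if still exposed.
SAMPLE_ASSETS = [
    {"host": "mft-01", "detected": date(2023, 6, 1), "remediated": date(2023, 6, 3)},
    {"host": "mft-02", "detected": date(2023, 6, 1), "remediated": date(2023, 6, 12)},
    {"host": "mft-03", "detected": date(2023, 6, 2), "remediated": None},
    {"host": "mft-04", "detected": date(2023, 6, 5), "remediated": date(2023, 6, 15)},
    {"host": "mft-05", "detected": date(2023, 6, 6), "remediated": None},
]

# Hypothetical reporting date used when measuring how long unpatched hosts have been exposed.
EXPOSURE_AS_OF = date(2023, 7, 1)


def mttr_days(assets):
    """Mean time to remediate, in days, computed only over assets that were patched.

    Returns None when nothing has been remediated yet, rather than a misleading zero.
    """
    durations = [
        (a["remediated"] - a["detected"]).days
        for a in assets
        if a["remediated"] is not None
    ]
    if not durations:
        return None
    return mean(durations)


def patch_rate(assets):
    """Fraction of all affected assets with a confirmed remediation date."""
    if not assets:
        return 0.0
    patched = sum(1 for a in assets if a["remediated"] is not None)
    return patched / len(assets)


def still_exposed(assets, as_of):
    """Unpatched hosts with their exposure in days as of `as_of`, longest first."""
    exposed = [
        (a["host"], (as_of - a["detected"]).days)
        for a in assets
        if a["remediated"] is None
    ]
    return sorted(exposed, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"MTTR (patched hosts only): {mttr_days(SAMPLE_ASSETS):.1f} days")
    print(f"Patch rate: {patch_rate(SAMPLE_ASSETS):.0%}")
    for host, days in still_exposed(SAMPLE_ASSETS, EXPOSURE_AS_OF):
        print(f"still exposed: {host} ({days} days)")
```

On the constructed data the MTTR is about 7.7 days while the patch rate is 60 percent, the same shape as the Qualys figures above: a short average fix time for the hosts that were fixed says nothing about the ones that were not. Reporting the exposed-host list alongside MTTR keeps the unpatched tail visible.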
Beyond patching, however, part of the complexity of the MOVEit bug is that many of the impacted organizations don’t use the software themselves, but instead are part of this “trickle-down” data breach effect. These impacted organizations and individuals should be on alert for phishing emails that may use their stolen data or fraud-related attacks.
“During the early days of June, while our industry was first chasing indicators of compromise and looking for signs of exploitation, this certainly widened the pool of potential victims,” said Hammond. “Unfortunately, not all organizations might even be aware that they have this vulnerable software as a part of their (indirect) tech stack from another supplier upstream.”
Overall, flaws like the ones in MOVEit Transfer highlight a need for better security practices from manufacturers themselves, particularly those behind file transfer services that handle a rich bank of data attractive to cybercriminals. The MOVEit bug has left questions about software liability in its wake, and several lawsuits have cropped up over the past months – including ones against Progress Software itself, but also several against companies using the MOVEit Transfer platform.
“The CVE-2023-34362 flaw in MOVEit Transfer signals potential long-term shifts in cybersecurity,” said Saeed Abbasi, manager of vulnerability and threat research at Qualys. “Much like the repercussions from Heartbleed on open-source security, this vulnerability highlights the imperative for strengthened secure development practices. It’s a definite call for organizations to intensify their vulnerability assessments, engage in rigorous penetration testing, transition towards zero-trust models, and accelerate a surge in cybersecurity investment. Such high-profile vulnerabilities can spur re-evaluations of vendor trust and catalyze stricter regulatory oversight.”