The MOVEit Cyber Attack: A Deep Dive into the Breach

In the world of cybersecurity, the only constant is change. Threat actors are always on the prowl, looking for new vulnerabilities to exploit and new ways to breach defenses. One such recent incident that has sent shockwaves across the cybersecurity landscape is the MOVEit cyber attack. This post will delve into the details of this attack, its impact, and the lessons we can learn from it.


The Attack


The MOVEit cyber attack, which took place in June 2023, was a global cyberattack that targeted several US federal government agencies and hundreds of companies and organizations in the US. The attack was carried out by Russian cybercriminals, exploiting a critical vulnerability in the widely used MOVEit Transfer software, developed by Progress Software. 


The software, used for secure data transfer, had a SQL injection flaw that could lead to privilege escalation and unauthorized access. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint, resulting in modification and disclosure of MOVEit database content. The vulnerability was tracked under two separate CVEs: CVE-2023-35708 and CVE-2023-35036.


The Impact


The Department of Energy, among other federal agencies, confirmed that they were breached in this ongoing global hacking campaign. The education sector was also targeted, with Johns Hopkins University and the University of Georgia system confirming that sensitive personal and financial information, including health billing records, may have been stolen in the hack.


The software is used by multiple organizations in the Health and Public Health (HPH) sector, including hospitals, clinics, and health insurance groups. Sensitive information such as medical records, bank records, social security numbers, and addresses was at risk wherever this vulnerability was leveraged. Affected organizations could also be subject to extortion by financially motivated threat groups.


The Response


In response to the attack, Progress Software discovered a second vulnerability in the code and worked urgently to fix it. They communicated with customers on the steps they needed to take to further secure their environments, and took MOVEit Cloud offline while the issue was being patched.


The US Cybersecurity and Infrastructure Security Agency (CISA) provided support to several federal agencies that experienced intrusions affecting their MOVEit applications. They worked urgently to understand impacts and ensure timely remediation.


Lessons Learned


The MOVEit cyber attack underscores the importance of maintaining up-to-date software and applying patches as soon as they become available. In this case, Progress Software had released a patch for the vulnerability, but not all users had applied it, leaving their systems vulnerable to attack.


The attack also highlights the need for robust cybersecurity measures, including regular vulnerability assessments, intrusion detection systems, and employee training on cybersecurity best practices.


In the wake of the MOVEit cyber attack, it's clear that cybersecurity is not a one-time effort but an ongoing process. As threat actors continue to evolve their tactics, so too must our defenses. 
