Four-step Mitigation Strategy for MOVEit Attacks
MOVEit Transfer, previously known as MOVEit DMZ or MOVEit File Transfer, makes it easier to move files and data between servers, applications, and systems within and between organizations, also between groups and people using a common shared folder with simple browser access. The MOVEit attack is a ransomware campaign targeting many users, including US and UK commercial companies and government agencies. The MOVEit breach highlights a vulnerability that lets bad actors obtain data from multiple companies in a single attempt.
Why is it hard to fix the vulnerability in MOVEit attack?
When a product has a vulnerability, it’s usually easier to determine whether or not we have a susceptible version in our environment. We can look at file hashes, paths, banners, and names to find vulnerable product versions. However, searching the environment to identify every exposed asset is challenging; hence, MOVEit attack vulnerabilities are hard to fix.
What immediate mitigating strategies should be deployed?
You must immediately take the following steps to reduce the attack surface while continuing to identify vital assets, address incidents, and look for risks that may have occurred in the past.
1. Protect vital assets publicly visible on your network
Since it is difficult to identify every weak point in the network, it is advisable to begin with vital assets visible to the public to reduce the attack surface. Remember that black-box external scanning has little influence on MOVEit vulnerabilities. This scan only looks for vulnerable services based on banners from web servers like Apache Tomcat and cannot identify weak assets on larger attack surfaces.
2. Verify security measures on the network
Mimic attacks to check if security devices are stopping them. Look out for unusual traffic, particularly evasive payloads, to determine how effective your security products are against MOVEIT file transfers and zero-day assaults. You should also test LDAP and API-related services like DNS, RMI, etc. Generating all relevant payloads is time-consuming, so we suggest setting up a test environment and running the security controls against all of these payloads.
3. Make use of your network security settings
Web application firewalls (WAF), safe coding standards like the OWASP Top 10, and intrusion prevention systems (IPS) can prevent the effort to exploit vulnerabilities in programs through remote code execution (RCE).
4. Update your assets and continue simulating attacks and fortifying your perimeter defense
CVE-2023-34362 is a severe zero-day vulnerability in MOVEit Transfer. It allows SQL injection and can result in unauthorized access to sensitive data like passwords, credit card numbers, and user identities. A new patch is available for CVE-2023-34362. Monitoring vendor updates is critical because additional patches are released regularly. Also, you should actively run attack simulations to identify and fix gaps in your security.
How can Zensar assist you?
- Simulate vulnerability exploits such as web shell assaults. You can test your WAF, NGFW, and IPS against web shell and Log4j attacks to find vulnerabilities.
- Close gaps, activate preventive signatures, and stop assaults.
- Protect your network against zero-day attacks.
- Regular assessment of the efficacy and resilience of your security measures.
Need of the hour
Ransomware attacks are going to be more common in the future. However, if you are one step ahead of the bad actors, you can save a lot of headaches and problems. Investing in cybersecurity tools should be your top priority since prevention is always better than cure. Ensure you regularly back up data, patch all vulnerabilities in operating systems and software, set a strict password policy across the company, and educate employees on common scams and attacks.
Security vulnerabilities are part of digital products. Don’t be surprised when a threat is coming for you. Always be ready to mitigate attack impact to protect yourself and your organization.
