MOVEit Exploit & Ransomware Attack: Why SaaS Security Is Critical During a Cyberattack

Originally published by Reco.

Written by Gal Nakash.

Introduction

In the ever-changing landscape of cybersecurity threats, the MOVEit zero-day exploit and ransomware attack has been a reminder why a security program can’t be limited to just endpoint security & cloud security. Earlier in 2023, the personal information of almost 6,800 employees and family members was exposed in a hack by Clop, a ransomware group. This occurred after the hackers exploited a vulnerability in MOVEit Transfer Progress Software's third-party file transfer software, unleashing a wave of data theft and compromise. MOVEit Transfer SaaS platform was also impacted by the vulnerability, making the potential victim base much larger.

The zero-day exploited was CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution and mass downloading of data from organizations. This breach affected more than 100 organizations, including notably the U.S. Department of Energy, the BBC, and British Airways, as well as Calpers and Genworth, causing massive damage to their customer databases.

‍

A Closer Look at CVE-2023-34362

Following the steps of infiltration, data exfiltration, and then system lockup via encryption, Clop executed commands allowing the threat actor to download various information from MOVEit Transfer's MySQL server. They were then able to perform damaging actions, including:

• Retrieving a list of stored files, the username of who uploaded the files, and their file paths.
• Inserting and deleting a new random MOVEit Transfer user with the login name 'Health Check Service' and creating new MySQL sessions.
• Retrieving information about the configured Azure Blob Storage account. The threat actors can use this information to steal data directly from the victim's Azure Blob Storage containers.
• Download files from the server.

How was this zero-day exploit successful? Configuration drift can lead to vulnerabilities over time, and misconfigurations create vulnerability systems and often act as gateways for attackers, as seen with this SQL injection. The exploitation of these unpatched systems can occur via HTTP or HTTPS.

‍

SaaS Security: A Critical Line of Defense

As the MOVEit exploit and ransomware attack demonstrate, breaches can happen to even the most well-prepared organizations. Regular audits and proactive maintenance are crucial to detecting and fixing misconfigurations, significantly reducing the attack surface. In the context of zero-day exploits like CVE-2023-34362, swift patching and continuous configuration monitoring are important steps to secure against emerging threats and maintain a robust security posture.

SaaS security solutions detect security threats that mirror the tactics of groups like Clop. By combining contextual analysis & user behavior analytics, posture management, and detection and response, organizations can prevent exploits from being carried out.

Full Visibility into Entire SaaS Environment:

• SaaS security discovers all SaaS applications connected to your environment, including managed apps and third-party apps. This visibility is crucial in understanding your attack surface and potential vulnerabilities.

Monitoring Identities and Permissions:

• By tracking who has access to your SaaS applications and their permission levels, SaaS security solutions can detect unauthorized or suspicious activities promptly and enforce the principle of least privilege.

Ready-to-Use Policies for Cyber Attack Scenarios:

• SaaS security solutions offer hundreds of ready-to-use policies designed to address real-world cyber attack scenarios based on Tactics, Techniques, and Procedures (TTPs). These policies can help you proactively defend against attacks like ransomware.

Insider Threat Detection:

• SSPM can help identify insider threats by monitoring user behavior and detecting anomalies, potentially stopping an attack before it escalates.

Integration with SIEMs, SOARs, & Ticketing Tools:

• SaaS security solutions can seamlessly integrate with existing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems, streamlining your incident response processes.

‍

In Conclusion

The MOVEit exploit and ransomware attack underscores the critical need for robust SaaS security. The repercussions of a breach extend far beyond immediate financial losses; they can damage an organization's reputation and erode trust. SaaS security solutions provide organizations with the tools and capabilities to bolster their security posture, detect threats, and respond effectively in the face of cyberattacks. As organizations continue to navigate the ever-changing landscape of cybersecurity threats, investing in SaaS security becomes not just a choice, but a necessity.