MOVEit explained

MOVEit
Developer: Ipswitch, Inc. (now part of Progress Software)
Latest release version: MOVEit Transfer 2023.0.6[1]; MOVEit Automation 2023.0.2[2]

MOVEit is a managed file transfer software product produced by Ipswitch, Inc. (now part of Progress Software). MOVEit encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options.[3] The software has been used in the healthcare industry by companies such as Rochester Hospital and Medibank, as well as thousands of IT departments in high technology, government, and financial service companies like Zellis.

History

MOVEit was released in 2002 by Standard Networks. In 2006, the company released integration between MOVEit and antivirus software to stop the transfer of infected files.

Ipswitch acquired MOVEit in 2008 when the company purchased Standard Networks. MOVEit Cloud was announced in 2012 as a cloud-based file transfer management software. MOVEit Cloud was the first enterprise-class cloud managed file transfer software. It is scalable and can share files system-to-system, with groups, or person-to-person.

In 2013, MOVEit clients were released for the iOS and Android platforms. The release included a configuration wizard, as well as email encryption.

Ipswitch Analytics was released in 2015 to monitor and report data through the MOVEit software. The analytic data includes an activity monitor and automated report creation. Ipswitch Analytics can access data from MOVEit file transfer and automation servers. That same year, Ipswitch Failover was released. The software can return recovery point objectives (RPO) in seconds with a recovery time objective (RTO) of less than a minute, which increases the availability of MOVEit.

2023 data breach

See main article: 2023 MOVEit data breach.

On 31 May 2023, Progress reported a SQL injection vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362). The vulnerability was widely exploited in late May 2023.[4] The 31 May vulnerability allows an attacker to access MOVEit Transfer's database from its web application without authenticating. The attacker may then be able to execute SQL statements that alter or delete entries in the database, and infer information about the structure and contents of the database.[5] [6] Data exfiltration in the widespread May-June attacks by the Russian-speaking cyber crime group Cl0p may have been primarily focused on data stored using Microsoft Azure.[7] Upon discovery, Progress launched an investigation, alerted its customers to the issue and provided mitigation steps (blocking all HTTP and HTTPS traffic to MOVEit), followed by the development and release of a security patch.[8] On 15 June, another vulnerability that could lead to unauthorized access became public (CVE-2023-35708).[9]

In 2023, it was reported that the 31 May 2023 zero-day vulnerability had been exploited by attackers.[10] On 7 June 2023, the cyber gang Clop, believed to be Russian-based, posted on its blog that it had gained access to MOVEit transactions worldwide, and that organisations using MOVEit had until 14 June to contact Clop and pay a ransom, otherwise stolen information would be published. The stolen information typically includes payroll data with fields such as home addresses, National Insurance numbers, and bank details, but varies. The group said that it had information from eight UK organisations including the BBC, obtained through an attack on payroll services provider Zellis. It was surmised that contacting victims via blog post rather than by email might be due to the enormous number of victims, too many to handle individually.[11]

Response

The MOVEit team has worked with industry experts to investigate the May 31 incident. The Cybersecurity and Infrastructure Security Agency (CISA),[12] CrowdStrike,[13] Mandiant,[14] Microsoft,[15] Huntress[16] and Rapid7[17] have assisted with incident response and ongoing investigations.[18] Cyber industry experts have credited the MOVEit team for its response and handling of the incident by quickly providing patches, as well as regular and informative advisories that helped support rapid remediation.[19] [20] [21] Despite the attempts by the company to remediate the vulnerabilities, hundreds of companies across the world had exorbitant amounts of confidential information stolen due to the weaknesses in the software. The effects of the MOVEit breach are still being revealed as of November 2023. It is estimated that the stolen data will be abused for many years to come.

Notes and References

  1. https://docs.progress.com/bundle/moveit-transfer-release-notes-2023/page/Whats-New-in-MOVEit-Transfer-2023.html
  2. https://docs.progress.com/bundle/moveit-automation-release-notes-2023/page/Whats-New-in-MOVEit-Automation-2023.html
  3. Web site: Managed File Transfer Software - MOVEit MFT - Ipswitch . 2023-07-23 . www.ipswitch.com . en.
  4. Web site: Arghire . Ionut . 2023-06-19 . MOVEit Customers Urged to Patch Third Critical Vulnerability . 2023-06-19 . SecurityWeek . en-US.
  5. Web site: NVD - CVE-2023-34362 . 2023-06-19 . nvd.nist.gov.
  6. Web site: 5 July 2023 . MOVEit Transfer and MOVEit Cloud Vulnerability .
  7. Web site: Goodin . Dan . 2023-06-06 . Mass exploitation of critical MOVEit flaw is ransacking orgs big and small . 2023-06-19 . Ars Technica . en-us.
  8. Web site: Progress Customer Community . 2023-06-19 . community.progress.com.
  9. Web site: Progress Customer Community . 2023-06-19 . community.progress.com.
  10. Web site: Page . Carly . 2023-06-02 . Hackers launch another wave of mass-hacks targeting company file transfer tools . 2023-06-04 . TechCrunch . en-US.
  11. Web site: Tidy . Joe . BBC, BA and Boots issued with ultimatum by cyber gang Clop . BBC News . 7 June 2023 . 7 June 2023.
  12. Web site: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability . June 7, 2023 . June 7, 2023.
  13. Web site: Movin’ Out: Identifying Data Exfiltration in MOVEit Transfer Investigations . June 5, 2023 . Lioi . Tyler . Palka . Sean . June 5, 2023.
  14. Web site: Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft . June 2, 2023 . Zaveri . Nader . Kennelly . Jeremy . Stark . Genevieve . June 2, 2023.
  15. Web site: Attack Surface: CVE-2023-34362 MOVEit Transfer Zero-Day Exploitation (May 2023) . June 4, 2023 . June 4, 2023.
  16. Web site: MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response . June 1, 2023 . Hammond . John . June 1, 2023.
  17. Web site: Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability . June 1, 2023 . Condon . Caitlyn . June 1, 2023.
  18. Web site: MOVEit mass exploit timeline: How the file-transfer service attacks entangled victims . June 14, 2023 . Kapko . Matt . June 26, 2023.
  19. Web site: Cyberdefenders respond to hack of file-transfer tool . June 7, 2023 . Starks . Tim . June 7, 2023.
  20. Web site: Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners . July 4, 2023 . July 4, 2023.
  21. Web site: New research reveals rapid remediation of MOVEit Transfer vulnerabilities . July 20, 2023 . Stone . Noah . July 20, 2023.