There has been much discussion around the recently discovered zero-day vulnerability in MOVEit Transfer, a Managed File Transfer (MFT) solution deployed widely across critical infrastructure providers, US government agencies and commercial enterprises.
One of the main problems is simply having a Managed File Transfer solution exposed to the internet. It is still early days, but it appears that the exploit uses an SQL injection vulnerability in the internet-facing web front end of the software.
This gives the attacker a foothold on the server, from which they establish persistence by deploying a webshell that then serves as the command-and-control channel. Through that webshell the attacker can do the following on the server:
- Retrieve a list of stored files, the username of whoever uploaded each file, and the file paths.
- Insert and delete a randomly named MOVEit Transfer user with the login name 'Health Check Service', and create new MySQL sessions.
- Retrieve the configured Azure Blob Storage settings, including the AzureBlobStorageAccount, AzureBlobKey and AzureBlobContainer values described in this Progress help article. With these credentials the threat actors can then steal data directly from the victim's Azure Blob Storage containers, without going through the MOVEit server at all.
- Download files from the server.
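The list above reads as a set of database operations because that is what an SQL injection in the web tier hands the attacker: whatever the application's database connection can read or write. The following example is added here to make that concrete; it is not MOVEit's code or schema, and the tables, column names, functions and payloads are all constructed for illustration. It runs a hypothetical file-transfer application's file listing and login-audit queries in two forms, one that concatenates request parameters into SQL text and one that binds them as parameters, against the same two attacker inputs, and shows that the concatenating form leaks every stored file and creates a new user while the bound form treats the inputs as plain strings.

```python
import sqlite3

# Constructed in-memory stand-in for a file-transfer application's database.
# This is not MOVEit's schema; it only mirrors the kinds of data the webshell
# described above could read (files, uploaders, paths) and write (users).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT);
        CREATE TABLE files (name TEXT, uploader TEXT, path TEXT);
        CREATE TABLE audit (username TEXT, event TEXT);
        INSERT INTO users VALUES ('alice', 'user'), ('bob', 'user');
        INSERT INTO files VALUES
            ('q1-report.pdf', 'alice', '/data/alice/q1-report.pdf'),
            ('payroll.xlsx',  'bob',   '/data/bob/payroll.xlsx');
        """
    )
    return conn


# --- Vulnerable: request parameters are concatenated into SQL text ---------

def list_files_vulnerable(conn, uploader):
    """Return the files of one uploader; `uploader` comes straight from an
    HTTP parameter, unescaped."""
    sql = f"SELECT name, uploader, path FROM files WHERE uploader = '{uploader}'"
    return conn.execute(sql).fetchall()


def record_login_vulnerable(conn, username):
    """Write an audit row. executescript() is used deliberately to model a
    database driver that accepts several ';'-separated statements, which is
    what makes a stacked injection (a second INSERT) possible."""
    sql = f"INSERT INTO audit VALUES ('{username}', 'login');"
    conn.executescript(sql)


# --- Hardened: the same operations with bound parameters ------------------

def list_files_safe(conn, uploader):
    return conn.execute(
        "SELECT name, uploader, path FROM files WHERE uploader = ?", (uploader,)
    ).fetchall()


def record_login_safe(conn, username):
    conn.execute("INSERT INTO audit VALUES (?, 'login')", (username,))
    conn.commit()


def usernames(conn):
    return sorted(row[0] for row in conn.execute("SELECT username FROM users"))


def demo():
    """Run both payloads against both implementations and report the effect."""
    # Payload 1: close the string literal and make the WHERE clause true for
    # every row, so a single unprivileged request lists every stored file.
    dump_all = "x' OR '1'='1"
    # Payload 2: terminate the INSERT and append a second statement that adds
    # a user, in the spirit of the 'Health Check Service' account above.
    add_user = ("x', 'login'); "
                "INSERT INTO users VALUES ('Health Check Service', 'admin'); --")

    vuln = build_db()
    leaked = list_files_vulnerable(vuln, dump_all)
    record_login_vulnerable(vuln, add_user)

    safe = build_db()
    leaked_safe = list_files_safe(safe, dump_all)
    record_login_safe(safe, add_user)

    return {
        "vulnerable_rows_leaked": len(leaked),
        "vulnerable_users": usernames(vuln),
        "safe_rows_leaked": len(leaked_safe),
        "safe_users": usernames(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bound form is not a complete fix on its own: the application's database account still needs to be limited to the tables and statements the web tier genuinely requires, so that even a successful injection elsewhere cannot reach stored credentials such as the Azure Blob settings.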
Mitigating the attack using Cross Domain technologies
Cross Domain technologies are used widely by governments around the world to mitigate advanced attacks. Within the Forcepoint product portfolio, two commercially available products would have mitigated this attack if paired with the MOVEit software: Data Guard and the High Speed Verifier. The Data Guard can be used as an SCP file transfer solution between two networks. Deploying it as the separation point between the internet-facing network and the internal network ensures that a basic SQL injection attack against the internet-facing MOVEit software is contained to that network, because only files that pass the Data Guard's policy checks cross the boundary and the attacker gains no path into the internal side. The MOVEit Transfer software on the internal network can then move the file into its destination folder.
For added assurance, the Forcepoint High Speed Verifier can be deployed as well. A hardware verification appliance placed between the two networks checks that the data crossing the boundary conforms to its expected format, so that malware cannot ride across with the files, raising the level of assurance further.
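To show what "policy checks at the boundary" means in practice, here is a constructed example, added to this page and not the logic of the Forcepoint Data Guard or High Speed Verifier, of the kind of allowlist verification a guard applies before releasing a file from the internet-facing network into the internal one. The permitted types, byte signatures, filename rule, size limit and sample files are all assumptions chosen for illustration.

```python
import re

# Constructed, simplified model of the checks a cross-domain guard or verifier
# applies before releasing a file from the internet-facing network into the
# internal one. It illustrates the principle only; it is not the logic of the
# Forcepoint Data Guard or High Speed Verifier.

# Declared type -> byte signature the content must begin with (assumed policy).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}
MAX_BYTES = 10 * 1024 * 1024          # assumed per-file limit
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def verify(name, data):
    """Return (release, reason) for one file.

    Every rule is an allowlist: a file is refused unless the policy positively
    recognises its name, declared type, size and leading bytes. The point is
    that an attacker who owns the external MOVEit instance still cannot push a
    webshell or tooling across the boundary by giving it a harmless-looking
    name.
    """
    if not SAFE_NAME.match(name) or ".." in name:
        return False, "filename outside allowed pattern"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MAGIC:
        return False, f"type '{ext or 'none'}' not on allowlist"
    if len(data) > MAX_BYTES:
        return False, "exceeds size limit"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match declared type '{ext}'"
    return True, "release"


# Constructed sample files as they might be staged on the external side.
SAMPLES = {
    "q1-report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    # ASP.NET source renamed to .pdf: the signature check catches it.
    "invoice.pdf": b'<%@ Page Language="C#" %><script runat="server">',
    # Traversal in the name: the filename rule catches it.
    "../wwwroot/shell.aspx": b'<%@ Page Language="C#" %>',
    # Executable: the type allowlist catches it.
    "tool.exe": b"MZ\x90\x00",
    # Valid PNG header but over the size limit.
    "big.png": MAGIC["png"] + b"\x00" * (MAX_BYTES + 1),
}


def run_policy(samples=SAMPLES):
    """Apply the policy to every sample and return name -> (release, reason)."""
    return {name: verify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (release, reason) in run_policy().items():
        status = "RELEASE" if release else "REFUSE"
        print(f"{status:8}{name}: {reason}")
```

A real verifier goes considerably further than a leading-bytes check (full structural parsing of each permitted format, and often rebuilding the file from the parsed structure), but the shape of the decision is the same: nothing crosses unless it is positively recognised, and the decision is made by a component the external network cannot reach.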
In conclusion, Cross Domain Data Transfer solutions play a crucial role in safeguarding organizations against both advanced and basic attacks. By placing software or hardware separation between an organization's internal network and its internet-facing network, they provide a robust defence: a compromise of the exposed system does not become unauthorized access to internal data, and the risk of a breach of sensitive information is reduced accordingly. Whether the threat is a sophisticated zero-day like the one in MOVEit or a more conventional attack vector, Cross Domain Data Transfer solutions let organizations protect their digital assets with confidence.