MOVEit

Developer(s): Ipswitch, Inc. (now part of Progress Software)
Stable release: MOVEit Transfer 2023.0.6 [1]; MOVEit Automation 2023.0.2 [2] (September 20, 2023)

MOVEit is a managed file transfer software product produced by Ipswitch, Inc. (now part of Progress Software). [3] MOVEit encrypts files at rest and transfers data over protocols such as FTP(S) or SFTP, and also provides automation services, analytics and failover options. [3] [4] The software has been used in the healthcare industry by organisations such as Rochester General Hospital [5] and Medibank, [6] as well as by thousands of IT departments in high technology, government and financial services companies such as the payroll provider Zellis. [7]

History

MOVEit was released in 2002 by Standard Networks. [8] In 2006, the company released integration between MOVEit and antivirus software to stop the transfer of infected files. [9]

Ipswitch acquired MOVEit in 2008 when it purchased Standard Networks. [10] MOVEit Cloud, announced in 2012, is a cloud-hosted version of the managed file transfer product [11] and was marketed as the first enterprise-class cloud managed file transfer service; it is scalable and supports system-to-system, group and person-to-person file sharing. [12]

In 2013, MOVEit clients were released for the iOS and Android platforms. The release included a configuration wizard, as well as email encryption. [3] [13]

Ipswitch Analytics was released in 2015 to monitor and report on data flowing through the MOVEit software. The analytics include an activity monitor and automated report creation, and can draw on data from both MOVEit file transfer and automation servers. [14] [15] That same year, Ipswitch Failover was released; it is marketed as providing a recovery point objective (RPO) measured in seconds and a recovery time objective (RTO) of under a minute, which increases the availability of MOVEit. [16]

2023 data breach

On 31 May 2023, Progress disclosed a SQL injection vulnerability in MOVEit Transfer and MOVEit Cloud (CVE-2023-34362); by then it was already being exploited at scale. [17] The flaw lets an unauthenticated attacker reach the MOVEit Transfer database through the product's web application and execute SQL statements that alter or delete database entries and that reveal the database's structure and contents. [18] [19] Data exfiltration in the widespread May-June attacks by the Russian-speaking cyber crime group Cl0p may have focused primarily on data stored in Microsoft Azure. [20] Upon discovery, Progress opened an investigation, notified its customers and published interim mitigations (blocking all HTTP and HTTPS traffic to MOVEit Transfer, which takes the web interface offline while leaving SFTP and FTP/S transfers unaffected), followed by the development and release of a security patch. [21] On 15 June, a further vulnerability that could lead to unauthorized access was disclosed (CVE-2023-35708). [22]
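The vulnerability class described above, as an added illustration that is not MOVEit code and does not reproduce the CVE-2023-34362 exploit chain: a toy Python/SQLite "file listing" service with a constructed database, showing how SQL built by string concatenation lets a caller who has not authenticated read the schema catalogue and rewrite rows, next to the parameterised form that treats the same input as data. The table names, the sample rows and the two payloads are hypothetical and exist only for this example.

```python
"""Toy SQL injection illustration (hypothetical application, not MOVEit)."""
import sqlite3


def build_db():
    """Constructed sample database standing in for an MFT application's store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
        CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT);
        INSERT INTO users (username, is_admin) VALUES ('alice', 0), ('bob', 1);
        INSERT INTO files (owner, name) VALUES ('alice', 'payroll.csv'), ('bob', 'report.pdf');
    """)
    return conn


def list_files_vulnerable(conn, owner):
    """Builds SQL by concatenation: the caller's text is executed as SQL."""
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_hardened(conn, owner):
    """Parameterised query: the driver binds 'owner' as a value, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM files WHERE owner = ?", (owner,))]


def rename_file_vulnerable(conn, file_id, new_name):
    """Same defect on a write path; returns the number of rows changed."""
    sql = f"UPDATE files SET name = '{new_name}' WHERE id = {file_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def rename_file_hardened(conn, file_id, new_name):
    """Validates the identifier's type and binds both values as parameters."""
    file_id = int(file_id)  # raises ValueError on anything that is not an integer
    cur = conn.execute("UPDATE files SET name = ? WHERE id = ?", (new_name, file_id))
    conn.commit()
    return cur.rowcount


# Constructed payloads a client could submit in the 'owner' and 'file_id'
# fields of the hypothetical service if the application trusted them.
SCHEMA_PROBE = "' UNION SELECT sql FROM sqlite_master --"
MASS_UPDATE = "1 OR 1=1"


def demo():
    """Runs both payloads against the vulnerable and the hardened functions."""
    conn = build_db()
    results = {}
    # Structure inference: the UNION pulls CREATE TABLE text out of the catalogue.
    results["leaked_schema"] = list_files_vulnerable(conn, SCHEMA_PROBE)
    # Altering entries: 'OR 1=1' turns a one-row update into an all-rows update.
    results["rows_altered"] = rename_file_vulnerable(conn, MASS_UPDATE, "owned")
    # The same payloads against the hardened versions are inert.
    results["hardened_list"] = list_files_hardened(conn, SCHEMA_PROBE)
    try:
        rename_file_hardened(conn, MASS_UPDATE, "owned")
        results["hardened_rename"] = "accepted"
    except ValueError:
        results["hardened_rename"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The schema probe returns the CREATE TABLE statements for every table, which is the "infer information about the structure" outcome; the mass-update payload changes both rows instead of one, which is the "alter entries" outcome. Parameter binding alone stops the injection; the integer check on the identifier is defence in depth so that a malformed identifier is rejected before any query runs.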

On 2 June 2023 it was reported that the 31 May vulnerability had been exploited as a zero-day before the advisory was published. [23] On 7 June 2023, the cyber crime gang Clop, believed to be Russian-based, posted on its blog that it had gained access to MOVEit transactions worldwide and that organisations using MOVEit had until 14 June to contact Clop and pay a ransom, failing which the stolen information would be published. The data typically includes payroll records with fields such as home addresses, National Insurance numbers and bank details, but varies by victim. The group said it held information from eight UK organisations, including the BBC, obtained through an attack on the payroll services provider Zellis. It was surmised that the group contacted victims via a blog post rather than by email because the number of victims was too large to handle individually. [24]

Response

The MOVEit team worked with industry experts to investigate the 31 May incident. The Cybersecurity and Infrastructure Security Agency (CISA), [25] CrowdStrike, [26] Mandiant, [27] Microsoft, [28] Huntress [29] and Rapid7 [30] assisted with incident response and the ongoing investigations. [31] Cyber industry commentators credited the MOVEit team for its handling of the incident, citing the quick release of patches and regular, informative advisories that supported rapid remediation. [32] [33] [34] Despite the company's remediation efforts, hundreds of organisations across the world had large volumes of confidential information stolen through the weaknesses in the software. The effects of the MOVEit breach were still being revealed as of November 2023, and the stolen data is expected to remain exploitable by criminals for years to come.

References

  1. https://docs.progress.com/bundle/moveit-transfer-release-notes-2023/page/Whats-New-in-MOVEit-Transfer-2023.html
  2. https://docs.progress.com/bundle/moveit-automation-release-notes-2023/page/Whats-New-in-MOVEit-Automation-2023.html
  3. Alex Woodie (September 24, 2013). "Ipswitch Adds iOS and Android Clients to MFT Suite". IT Jungle. Retrieved July 20, 2016.
  4. "Managed File Transfer Software - MOVEit MFT - Ipswitch". www.ipswitch.com. Retrieved 2023-07-23.
  5. "Rochester General Hospital MOVEit Case Study". HealthData Management. Retrieved July 20, 2016.
  6. Chris Player (November 13, 2014). "Medibank employs Ipswitch MOVEit MFT". ARN. Retrieved July 20, 2016.
  7. "Ipswitch launches new tools to protect critical and confidential date". TYN Channel. January 4, 2016. Retrieved July 20, 2016.
  8. "Standard Networks releases secure transfer client". WTN News. March 24, 2004. Retrieved July 20, 2016.
  9. "MOVEit Central File Transfer Management Offers Real-Time". Business Wire. April 18, 2006. Retrieved July 20, 2016.
  10. Tom Jowitt (February 19, 2008). "Ipswitch gets compliance with Standard Networks buy". Network World. Retrieved July 20, 2016.
  11. Brandon Butler (November 13, 2012). "File transfer systems adapting to today's cloudy conditions". Network World. Retrieved July 20, 2016.
  12. "Ipswitch FIlp Transfer Launches MOVEit Cloud & MOVEit Ad Hoc Transfer". Compliance Week. November 6, 2012. Retrieved July 20, 2016.
  13. Chris Talbot (November 15, 2015). "Ipswitch Adds Mobile Support to MOVEit Cloud 8.0". Talkin Cloud. Retrieved July 20, 2016.
  14. Nathan Eddy (June 8, 2015). "Ipswitch Analytics Offers Auditable File Transfers". eWeek. Retrieved July 20, 2016.
  15. Kathrin Jannot (April 4, 2016). "MOVEit organized file transfers from a single interface". Cyber Press. Retrieved July 20, 2016.
  16. "Ipswitch Delivers Zero Downtime and No Data Loss with New Failover Solution for Managed File Transfer". APM Digest. September 23, 2015. Retrieved July 20, 2016.
  17. Arghire, Ionut (2023-06-19). "MOVEit Customers Urged to Patch Third Critical Vulnerability". SecurityWeek. Retrieved 2023-06-19.
  18. "NVD - CVE-2023-34362". nvd.nist.gov. Retrieved 2023-06-19.
  19. "MOVEit Transfer and MOVEit Cloud Vulnerability". 5 July 2023.
  20. Goodin, Dan (2023-06-06). "Mass exploitation of critical MOVEit flaw is ransacking orgs big and small". Ars Technica. Retrieved 2023-06-19.
  21. "Progress Customer Community". community.progress.com. Retrieved 2023-06-19.
  22. "Progress Customer Community". community.progress.com. Retrieved 2023-06-19.
  23. Page, Carly (2023-06-02). "Hackers launch another wave of mass-hacks targeting company file transfer tools". TechCrunch. Retrieved 2023-06-04.
  24. Tidy, Joe (7 June 2023). "BBC, BA and Boots issued with ultimatum by cyber gang Clop". BBC News. Retrieved 7 June 2023.
  25. "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability". June 7, 2023. Retrieved June 7, 2023.
  26. Lioi, Tyler; Palka, Sean (June 5, 2023). "Movin' Out: Identifying Data Exfiltration in MOVEit Transfer Investigations". Retrieved June 5, 2023.
  27. Zaveri, Nader; Kennelly, Jeremy; Stark, Genevieve (June 2, 2023). "Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft". Retrieved June 2, 2023.
  28. "Attack Surface: CVE-2023-34362 MOVEit Transfer Zero-Day Exploitation (May 2023)". June 4, 2023. Retrieved June 4, 2023.
  29. Hammond, John (June 1, 2023). "MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response". Retrieved June 1, 2023.
  30. Condon, Caitlyn (June 1, 2023). "Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability". Retrieved June 1, 2023.
  31. Kapko, Matt (June 14, 2023). "MOVEit mass exploit timeline: How the file-transfer service attacks entangled victims". Retrieved June 26, 2023.
  32. Starks, Tim (June 7, 2023). "Cyberdefenders respond to hack of file-transfer tool". The Washington Post. Retrieved June 7, 2023.
  33. "Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners". July 4, 2023. Retrieved July 4, 2023.
  34. Stone, Noah (July 20, 2023). "New research reveals rapid remediation of MOVEit Transfer vulnerabilities". BitSight. Retrieved July 20, 2023.