The MOVEit Hack: How a Simple Web App Flaw led to Compromise of 3k+ Companies & Lessons Learned
In May 2023, the Cl0p ransomware gang began compromising major organisations (BBC, British Airways, Shell) one after another. Before anyone could fully grasp what was happening, over 3,000 companies had been compromised!
No phishing. No endpoint malware. No compromised user devices.
The ROOT CAUSE of this massive breach: one web application!
This is the story of the biggest hack of last year: the MOVEit hack.
Attack Flow:
The attacker targets MOVEit Transfer, a managed file transfer product from Progress Software that is used by thousands of organisations worldwide.
Initially the attacker is an unauthenticated user > notices that values taken from HTTP request headers are written into session state > tampers with those headers > ends up holding a valid session. That session gives the attacker access to application functionality that should only be reachable after login.
The attacker then finds a SQL injection vulnerability in one of the input fields > executes injected queries to add a new user to the database > sets that user's privileges to administrator.
Using the admin privileges, the attacker calls a privileged API endpoint and uploads a payload. Uploading is not enough: the payload still has to be executed.
The attacker triggers it with another API call. Because the server deserializes the uploaded data without validating it (insecure deserialization), the serialized object executes attacker-controlled code on the server, i.e. remote code execution (RCE). In the real attacks, this is the step that dropped a web shell onto the server.
The web shell is a back door that lets the attacker browse the stored files and quietly pull out large amounts of data.
To cover their tracks, the attacker runs further SQL queries that undo the database modifications made along the way (such as the user that was added), removing the most obvious evidence.
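A toy model of the SQL injection step and the cover-your-tracks step, as an added example; this is not MOVEit's code and the schema, permission level and folder endpoint are invented for illustration. An endpoint that adds a folder builds its query by string concatenation and runs it through a driver call that accepts stacked statements (as a .NET app talking to SQL Server through ADO.NET can). The folder name can then smuggle in an INSERT that creates an admin account, and later a DELETE that removes it again. The hardened variant binds the name as a parameter, so the same inputs are stored as odd-looking folder names and nothing else.

```python
"""Vulnerable vs. parameterized folder creation (added example, toy schema)."""
import sqlite3

ADMIN_LEVEL = 30  # assumption: the toy's 'sysadmin' permission value


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the application database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, permission INTEGER);
        CREATE TABLE folders (name TEXT, owner TEXT);
        INSERT INTO users VALUES ('alice', 10);  -- an ordinary user
    """)
    return db


def add_folder_vulnerable(db: sqlite3.Connection, owner: str, name: str) -> None:
    # Vulnerable: input is concatenated into SQL and executed as a script,
    # so a name containing "'); <more SQL> --" runs the extra statement(s).
    db.executescript(f"INSERT INTO folders VALUES ('{name}', '{owner}');")


def add_folder_safe(db: sqlite3.Connection, owner: str, name: str) -> None:
    # Hardened: the name is bound as a parameter and is never parsed as SQL.
    # (sqlite3's execute() also refuses stacked statements outright.)
    db.execute("INSERT INTO folders VALUES (?, ?);", (name, owner))
    db.commit()


def admin_users(db: sqlite3.Connection) -> list[str]:
    rows = db.execute("SELECT username FROM users WHERE permission >= ?", (ADMIN_LEVEL,))
    return [r[0] for r in rows]


def folder_names(db: sqlite3.Connection) -> list[str]:
    return [r[0] for r in db.execute("SELECT name FROM folders ORDER BY rowid")]


# Constructed attacker inputs: close the folder INSERT, append a statement,
# and comment out the remainder of the original query.
PAYLOAD_ADD_ADMIN = "x', 'alice'); INSERT INTO users VALUES ('backdoor', 30); --"
PAYLOAD_CLEANUP = "x', 'alice'); DELETE FROM users WHERE username = 'backdoor'; --"


def run_chain(vulnerable: bool) -> dict:
    """Send both payloads through one endpoint variant and snapshot the
    database after each, so the effect of the bug and of the cleanup is visible."""
    db = make_db()
    add_folder = add_folder_vulnerable if vulnerable else add_folder_safe
    add_folder(db, "alice", PAYLOAD_ADD_ADMIN)
    admins_after_attack = admin_users(db)
    add_folder(db, "alice", PAYLOAD_CLEANUP)
    return {
        "admins_after_attack": admins_after_attack,
        "admins_after_cleanup": admin_users(db),
        "folders": folder_names(db),
    }


if __name__ == "__main__":
    print("vulnerable:", run_chain(True))
    print("hardened:  ", run_chain(False))
```

Against the vulnerable endpoint the first payload creates the `backdoor` admin and the second deletes it again, leaving the users table exactly as it started; that is why evidence of this step has to come from request logs or a WAF in front of the app rather than from the database alone. Against the parameterized endpoint neither payload changes the users table.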
Key Insights:
Looked at in isolation, none of these vulnerabilities seems deadly. Chained together, they form a devastating attack path.
The most dangerous predators aren't just the ones that hunt aggressively, but those that camouflage themselves and hide in plain sight. After gaining admin access, the attacker could have downloaded the files directly (say over SFTP or HTTPS). They didn't! Instead they went to the trouble of exploiting further and used MOVEit's own native file transfer features to download (exfiltrate) the data. The transfers therefore looked like legitimate customer traffic, which is a large part of why the exfiltration slipped past so many SOC teams.
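One way to catch exfiltration that rides the application's own download feature, as an added example that is not from the original post: rather than looking for a malicious request, look for a burst of perfectly valid download requests. The one-record-per-transfer key=value log format below is constructed for the example (real MOVEit logs differ, so `parse()` is the part you would adapt), the thresholds are illustrative, and the log lines are made up.

```python
"""Per-user download-burst detector over constructed transfer log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line: str) -> dict:
    """Assumed format: '<ISO timestamp> key=value key=value ...'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def download_bursts(lines, window=timedelta(minutes=10),
                    max_files=20, max_bytes=50_000_000) -> dict:
    """Return {user: (peak_files, peak_bytes)} for every user whose busiest
    `window` of downloads exceeds either threshold."""
    per_user = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec.get("action") == "download":
            per_user[rec["user"]].append((rec["ts"], rec["bytes"]))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start, run_bytes = 0, 0
        peak_files, peak_bytes = 0, 0
        for end, (ts, nbytes) in enumerate(events):
            run_bytes += nbytes
            while events[start][0] < ts - window:  # slide the window forward
                run_bytes -= events[start][1]
                start += 1
            peak_files = max(peak_files, end - start + 1)
            peak_bytes = max(peak_bytes, run_bytes)
        if peak_files > max_files or peak_bytes > max_bytes:
            flagged[user] = (peak_files, peak_bytes)
    return flagged


def sample_log() -> list[str]:
    """Constructed sample: ordinary users over an hour, plus a freshly created
    account draining a folder through nothing but normal download calls."""
    lines = [
        "2023-05-28T01:00:05Z user=alice action=download file=q1.pdf bytes=120000",
        "2023-05-28T01:20:41Z user=alice action=upload file=q1_signed.pdf bytes=130000",
        "2023-05-28T01:35:10Z user=bob action=download file=invoice.xlsx bytes=88000",
        "2023-05-28T01:58:52Z user=alice action=download file=q2.pdf bytes=98000",
    ]
    t0 = datetime(2023, 5, 28, 2, 0, 0)
    for i in range(60):  # 60 files of 1 MB each inside five minutes
        ts = (t0 + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} user=svc_new action=download file=hr_{i:04d}.csv bytes=1000000")
    return lines


if __name__ == "__main__":
    for user, (files, nbytes) in download_bursts(sample_log()).items():
        print(f"ALERT {user}: {files} files / {nbytes} bytes within one window")
```

In practice the thresholds should come from each account's own history rather than fixed numbers, and a download burst from an account that was created minutes earlier (the added admin user from the attack flow) deserves its own rule. The point is that every single request in the burst is legitimate; only the aggregate gives the game away.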
Reports show that the threat actors began experimenting with this flaw in April 2022, a year before the attack. If attackers are this well prepared, what level of preparedness should companies and defenders have?
Zero-day attacks are like tsunamis: it is hard to avoid the first wave, but if you are well prepared you can respond to the waves that follow. Many victims in this story were compromised months after a patch was released, some even after a year. That is entirely avoidable with the right patch prioritisation.
After the news broke, Progress Software released a patch (the flaw is tracked as CVE-2023-34362). The publicity led researchers to dig further into MOVEit's code base, and within weeks two more SQL injection bugs were found. The level of scrutiny applied to software correlates directly with the likelihood of discovering vulnerabilities. For business-critical applications especially, make threat modelling, secure code review and penetration testing part of the lifecycle.
Apart from SQLi, several other application-level weaknesses were abused: session tampering, insecure file upload, missing API-side validation and insecure deserialization. SOC teams often concentrate on endpoint and network telemetry; this case is a strong argument for putting a Web Application Firewall in front of critical apps so that application-level activity is monitored too.
Lastly, the 'butterfly effect' is amplified in a supply chain attack like this one: a single bug cascaded into a tsunami of breaches.