Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog

MOVEit Exploit & Ransomware Attack: Why SaaS Security Is Critical During a Cyberattack

Gal Nakash
Updated
November 1, 2023
November 29, 2024
3 min read

In the ever-changing landscape of cybersecurity threats, the MOVEit zero-day exploit and ransomware attack has been a reminder why a security program can’t be limited to just endpoint security & cloud security. Earlier in 2023, the personal information of almost 6,800 employees and family members was exposed in a hack by Clop, a ransomware group. This occurred after the hackers exploited a vulnerability in MOVEit Transfer Progress Software's third-party file transfer software, unleashing a wave of data theft and compromise. MOVEit Transfer SaaS platform was also impacted by the vulnerability, making the potential victim base much larger.

The zero-day exploited was CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution and mass downloading of data from organizations. This breach affected more than 100 organizations, including notably the U.S. Department of Energy, the BBC, and British Airways, as well as Calpers and Genworth, causing massive damage to their customer databases.

A Closer Look at CVE-2023-34362

Following the steps of infiltration, data exfiltration, and then system lockup via encryption, Clop executed commands allowing the threat actor to download various information from MOVEit Transfer's MySQL server. They were then able to perform damaging actions, including:

  • Retrieving a list of stored files, the username of who uploaded the files, and their file paths.
  • Inserting and deleting a new random MOVEit Transfer user with the login name 'Health Check Service' and creating new MySQL sessions.
  • Retrieving information about the configured Azure Blob Storage account. The threat actors can use this information to steal data directly from the victim's Azure Blob Storage containers.
  • Download files from the server.

How was this zero-day exploit successful? Configuration drift can lead to vulnerabilities over time, and misconfigurations create vulnerability systems and often act as gateways for attackers, as seen with this SQL injection. The exploitation of these unpatched systems can occur via HTTP or HTTPS. 

SaaS Security: A Critical Line of Defense

As the MOVEit exploit and ransomware attack demonstrate, breaches can happen to even the most well-prepared organizations. Regular audits and proactive maintenance are crucial to detecting and fixing misconfigurations, significantly reducing the attack surface. In the context of zero-day exploits like CVE-2023-34362, swift patching and continuous configuration monitoring are important steps to secure against emerging threats and maintain a robust security posture.

Reco detects security threats that mirror the tactics of groups like Clop. By combining contextual analysis & user behavior analytics, posture management, and detection and response, organizations can prevent exploits from being carried out.

Full Visibility into Entire SaaS Environment:

  • Reco SaaS security discovers all SaaS applications connected to your environment, including managed apps and third-party apps. This visibility is crucial in understanding your attack surface and potential vulnerabilities.

Monitoring Identities and Permissions:

  • By tracking who has access to your SaaS applications and their permission levels, Recodetects unauthorized or suspicious activities promptly and enforces the principle of least privilege.

Ready-to-Use Policies for Cyber Attack Scenarios:

  • SaaS security solutions like Reco offer hundreds of ready-to-use policies designed to address real-world cyber attack scenarios based on Tactics, Techniques, and Procedures (TTPs). These policies can help you proactively defend against attacks like ransomware.

Insider Threat Detection:

  • SSPM can help identify insider threats by monitoring user behavior and detecting anomalies, potentially stopping an attack before it escalates.

Integration with SIEMs, SOARs, & Ticketing Tools:

  • SaaS security solutions can seamlessly integrate with existing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems, streamlining your incident response processes.

Conclusion

The MOVEit exploit and ransomware attack underscores the critical need for robust SaaS security. The repercussions of a breach extend far beyond immediate financial losses; they can damage an organization's reputation and erode trust. SaaS security solutions, like Reco, provide organizations with the tools and capabilities to bolster their security posture, detect threats, and respond effectively in the face of cyberattacks. As organizations continue to navigate the ever-changing landscape of cybersecurity threats, investing in SaaS security becomes not just a choice, but a necessity.

ABOUT THE AUTHOR

Gal Nakash

Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast, with a background of Security Researcher and Hacker. Gal has led teams in multiple cybersecurity areas with an expertise in the human element.

Technical Review by:
Gal Nakash
Technical Review by:
Gal Nakash

Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast, with a background of Security Researcher and Hacker. Gal has led teams in multiple cybersecurity areas with an expertise in the human element.

Table of Contents
Get the Latest SaaS Security Insights
Subscribe to receive updates on the latest cyber security attacks and trends in SaaS Security.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.