Cybersecurity Vulnerability in MOVEit Transfer Software Poses Threat to Healthcare

June 06, 2023 - A critical cybersecurity vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer software may result in privilege escalation and unauthorized access if exploited, the Health Sector Cybersecurity Coordination Center (HC3) warned in a recent sector alert. The MOVEit Transfer software is a leading secure managed file transfer application widely used by the healthcare sector.

“According to the software company, hundreds of healthcare organizations, including those in the United States, utilize MOVEit products to deliver scalable, secure, and compliant patient care and business services,” HC3 noted.

“These services include healthcare billing, insurance-eligibility inquiries, healthcare claims, detailed audit logs, appointment reminders, patient surveys, and patient retrieval of medical records.”

The vulnerability involves a SQL injection flaw that may allow unauthorized actors to gain access to MOVEit transfer’s database, infer information about the structure and contents of the database, and alter database elements. The vulnerability has not yet received a CVSS score, but Progress Software described it as critical.

There are approximately 2,500 exposed MOVEit Transfer servers, most of which are located in the United States, HC3 noted. Mandiant has released research on the vulnerability and attributed exploitation activity to UNC4857, a new threat cluster with unknown motivations.

“We are already identifying active intrusions at several clients and expect many more in this short term. Everyone needs to move fast to patch,” said John Hultquist, chief analyst at Mandiant Intelligence – Google Cloud.

“Any organization that had a web-exposed MOVEit instance needs to perform forensics to determine if it was compromised and assess the impact. In cases where they suspect exploitation, prepare for possible public release of their data."  

Mandiant’s initial analysis indicated that threat actors began exploiting this vulnerability on May 27 2023, resulting in data theft within minutes of deploying web shells.

“The seemingly opportunistic nature of this campaign and subsequent data theft activity is consistent with activity that we’ve seen from extortion actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks,” the report noted.

Mandiant issued a containment and hardening guide to assist organizations in managing this vulnerability.

Healthcare organizations should take mitigation measures such as disabling all HTTP and HTTPs traffic to their MOVEit Transfer environments and checking for indicators of unauthorized access.

“The probability of cyber threat actors targeting the healthcare industry remains high,” HC3 concluded. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

UPDATE - 6/7/2023 - A MOVEit spokesperson provided the following comment: 

“Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.

“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”