Progress Software has alerted its customers to a critical vulnerability in its file transfer software, MOVEit Transfer. The SQL injection bug has been assigned the identifier CVE-2023-34362. Progress advised customers to mitigate the flaw and to update their software once a patch became available. The bug was found to have already been under attack: according to security vendors, exploitation was identified soon after Progress disclosed the flaw, even though the vendor did not note active exploitation at the time. Microsoft has attributed the attacks to a group it calls Lace Tempest, which is thought to be linked to the Clop ransomware gang. Following the disclosure of the vulnerability and its exploitation, several organizations were affected: HR software provider Zellis confirmed that it had suffered data breaches, as did the BBC and the government of Nova Scotia, Canada.
Progress Software had to act quickly following the disclosure of the vulnerability, according to Alex Culafi, writing for TechTarget’s online publication. He noted that a patch became available two weeks after the announcement, but that instances of the managed file transfer service were already under attack. Although the vendor was quick to respond, Lace Tempest had already struck, affecting all kinds of organizations. It became clear that smaller organizations had been hit particularly hard, and were being forced to pay hefty sums to recover their data.
Following the attack, a number of experts noted that attacks on supply chain vendors – such as MOVEit – are becoming more common. In a blog post for Hyve Managed Hosting, Andrew Peck wrote that “As more businesses rely on third-party applications and software to run their operations, they’re also becoming more vulnerable to cyberattacks… The supply chain is seen as a new and lucrative target for cyberattacks. Hackers target the weakest link which can be any organisation within the supply chain.”
According to Peck, supply chain attacks have increased by more than 78% annually. Meanwhile, the number of critical vulnerabilities found in third-party software has gone up by almost a third over the past three years. These trends have prompted calls for vendors to spend more time on security testing and securing software. However, Peck insisted that it is not realistic to expect perfect security. Instead, he said it is the responsibility of security teams to identify issues and fix them as quickly as possible.
Peck’s comments have been echoed by other experts, including Michael Daniel, the CEO of the Cyber Threat Alliance. Writing for the Financial Times, Daniel noted that supply chain attacks are increasingly being used as a way of bypassing security defences. He said that attacks were becoming “ever more sophisticated and difficult to detect… While these campaigns are complex, they often rely on exploiting simple vulnerabilities in third-party, or even fourth-party, systems that may be overlooked by security teams or not prioritised for patching.”
The MOVEit Transfer case underlines these concerns and provides something of a cautionary tale. While Progress acted relatively quickly, and the damage suffered was not severe in global terms, it is clear that such attacks present a danger to many organizations. Culafi was clear in his conclusion: “While vulnerabilities are always going to exist, organizations need to do everything possible to reduce the risks inherent in third-party software and over-reliance on vendors for security. Smaller businesses, for example, may lack the security budgets of large organizations, but they too are at risk – and up against an ever-more sophisticated set of attackers.”