MOVEit - a series of breaches, all enabled by APIs
A file transfer product called MOVEit was found in mid-2023 to contain a vulnerability that enabled a mass breach across many organizations and geographies. The breach starts with an injection against an API administrative endpoint, and data is exfiltrated via administrative API calls.
In mid-2023, a software vulnerability was discovered in a file transfer application known as MOVEit. Because of the application's popularity, numerous companies and organizations have found themselves exposed to the breach. This blog post will attempt to explain the vulnerability, map out the kill chain (also sometimes called the attack path), document the scale of the breaches* and discuss the event in more detail.
What is the vulnerability?
The vulnerability is tracked as CVE-2023-34362, generally described as “a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database”. The MOVEit application is generally used for secure file transfer between organizations, so its core functionality is uploading, downloading and viewing electronic documents on a MOVEit server.
What is the impact of the MOVEit breach event?
This is one of the largest and broadest API-enabled data breaches of the past decade. As of the time of publication, more than 700 individual organizations and more than 47 million data records have been confirmed breached. According to a tracker of this specific event:
“U.S.-based organizations account for 79.4 percent of known victims, Germany-based 4.8 percent, Canada-based 3.3 percent, and U.K.-based 2.7 percent.”
What is the attack path for MOVEit?
While disclosures and analysis around the MOVEit vulnerability vary, some patterns are consistent across publications. One very likely attack path for bad actors to leverage this vulnerability is multi-step:
1. An API can be fooled with manipulated headers, allowing an attacker to set variables that bypass MOVEit's input sanitization function.
2. Via that sanitization bypass, a SQL injection becomes possible against a guest registration endpoint.
3. Through the SQL injection, the attacker lays the groundwork to gain administrator privileges via an API that is fooled by a JWT (JSON Web Token) whose validation is delegated to an external endpoint controlled by the bad actor.
4. With administrative rights, the attacker can access functions that allow them to further leverage the SQL injection to achieve remote code execution:
   - This is done by leveraging a flaw in file upload: an API call that declares the upload to be a “Resume” of a previously interrupted upload is not checked by the server, which assumes it is indeed a resumed upload and acts accordingly.
   - The logic behind this resumed upload allows a serialized (encoded) malicious payload to be included through that SQL injection.
   - The malicious payload is passed directly to a MOVEit application server function and executed, triggering the remote code execution. Data exfiltration from the organization may follow.
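Step 3 above turns on a verifier that accepts whatever key location the token itself names. The following is an added example, not MOVEit's code or FireTail's, showing the defensive counterpart: a JWT verifier that pins the allowed algorithms and key sources and looks keys up by `kid` from a local store, so a token carrying an attacker-chosen `jku`/`x5u` is rejected before any signature check. The trusted URL, the `kid` value and the shared secret are constructed placeholders; it uses only the Python standard library and HS256 for brevity.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders: the only key endpoint this service trusts, and the
# local key store it actually uses. Real deployments load these from config.
TRUSTED_KEY_SOURCES = {"https://idp.example.internal/.well-known/jwks.json"}
ALLOWED_ALGS = {"HS256"}
LOCAL_KEYS = {"kid-1": b"constructed-demo-secret-do-not-reuse"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_token(token: str):
    """Return (ok, reason, claims).

    Rejects any token whose header tries to steer key retrieval to a location
    outside TRUSTED_KEY_SOURCES, uses a non-allowed algorithm, names an unknown
    kid, or fails the HMAC check. Claims are only returned on success."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:  # covers unpacking, base64 and JSON/UTF-8 errors
        return False, "malformed token", None

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"algorithm not allowed: {alg}", None

    # Token-supplied key locations are honoured only if they are pinned.
    for field in ("jku", "x5u"):
        src = header.get(field)
        if src is not None and src not in TRUSTED_KEY_SOURCES:
            return False, f"untrusted key source in {field}: {src}", None

    key = LOCAL_KEYS.get(header.get("kid"))
    if key is None:
        return False, f"unknown kid: {header.get('kid')}", None

    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    return True, "ok", payload


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Helper that signs a test token; constructed for this example only."""
    h64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    good = make_token({"alg": "HS256", "kid": "kid-1"},
                      {"sub": "guest", "role": "user"}, LOCAL_KEYS["kid-1"])
    # Header points the verifier at an outside endpoint for its key material.
    steered = make_token({"alg": "HS256", "kid": "kid-1",
                          "jku": "https://keys.attacker-controlled.example/jwks.json"},
                         {"sub": "guest", "role": "admin"}, b"attacker-key")
    print(verify_token(good))
    print(verify_token(steered))
```

The important design choice is ordering: the key-source and algorithm checks run on the parsed header before any network or signature work, so a token can never cause the verifier to contact a location it does not already trust.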
How do APIs connect to the vulnerability?
How does this vulnerability align to the OWASP API Top 10?
As per the attack path above, there are three separate API touchpoints leveraged in this breach, each with a slightly different problem:
- Unauthenticated access: OWASP API2:2023 (Broken Authentication)
- Authentication that doesn't rely on a controlled, pre-defined identity server: this does not map directly to the OWASP API Top 10 of either 2023 or 2019
- Manipulated calls that trigger bad behavior: API8:2019 (Injection)
How can FireTail help?
FireTail’s API discovery and inventory capabilities keep organizations aware of all the APIs running in their cloud environments, including MOVEit. Secondly, FireTail’s API logging capabilities can help organizations understand the scope, timing and scale of any API data breach.
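To show what API logging buys a responder once the kill chain above is known, here is an added example (not FireTail's product code and not MOVEit's real endpoints) that reconstructs the three API touchpoints from access-log records: an anonymous guest-registration call carrying an oversized parameter, a token request whose JWT names a key source outside the allow-list, and a resumed upload made with administrative rights. The log lines, field names, paths (`/api/guest/register`, `/api/auth/token`, `/api/files/upload`), IP addresses and thresholds are all constructed placeholders; the detector alerts on a source that reaches two or more stages in order within a 15-minute window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API access log (one JSON record per line). Paths and fields are
# hypothetical placeholders, not MOVEit's actual endpoints or log schema.
SAMPLE_LOG = """
{"ts":"2023-06-01T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/api/guest/register","user":"-","role":"anonymous","status":200,"jku":null,"resume":false,"param_len":412}
{"ts":"2023-06-01T10:00:09Z","src":"203.0.113.7","method":"POST","path":"/api/auth/token","user":"-","role":"anonymous","status":200,"jku":"https://keys.attacker-controlled.example/jwks.json","resume":false,"param_len":30}
{"ts":"2023-06-01T10:01:30Z","src":"203.0.113.7","method":"POST","path":"/api/files/upload","user":"svc-new","role":"admin","status":200,"jku":null,"resume":true,"param_len":60}
{"ts":"2023-06-01T10:05:00Z","src":"198.51.100.4","method":"POST","path":"/api/guest/register","user":"-","role":"anonymous","status":200,"jku":null,"resume":false,"param_len":48}
{"ts":"2023-06-01T11:00:00Z","src":"198.51.100.9","method":"POST","path":"/api/files/upload","user":"alice","role":"admin","status":200,"jku":null,"resume":true,"param_len":55}
"""

TRUSTED_KEY_SOURCES = {"https://idp.example.internal/.well-known/jwks.json"}
WINDOW = timedelta(minutes=15)
MAX_GUEST_PARAM_LEN = 256  # constructed threshold for "oversized" input
# Ordered kill-chain stages, mirroring the three API touchpoints above.
STAGES = ("guest_registration_oversized",
          "token_with_untrusted_key_source",
          "admin_resumed_upload")


def parse_log(text: str) -> list:
    """Parse JSON-per-line records and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def classify(e: dict):
    """Map one record to a kill-chain stage, or None if it looks routine."""
    if (e["path"] == "/api/guest/register" and e["role"] == "anonymous"
            and e["param_len"] > MAX_GUEST_PARAM_LEN):
        return STAGES[0]
    if (e["path"] == "/api/auth/token" and e["jku"]
            and e["jku"] not in TRUSTED_KEY_SOURCES):
        return STAGES[1]
    if e["path"] == "/api/files/upload" and e["resume"] and e["role"] == "admin":
        return STAGES[2]
    return None


def find_chains(events: list, min_stages: int = 2) -> dict:
    """Return {src: [stages reached]} for every source that progresses through
    at least min_stages chain stages, in order, inside one WINDOW."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = classify(e)
        if stage:
            by_src[e["src"]].append((e["ts"], stage))

    alerts = {}
    for src, staged in by_src.items():
        start, seen = None, []
        for ts, stage in staged:
            if start is None or ts - start > WINDOW:
                start, seen = ts, []          # open a fresh window
            if not seen or STAGES.index(stage) > STAGES.index(seen[-1]):
                seen.append(stage)            # only count forward progress
            if len(seen) >= min_stages:
                alerts[src] = list(seen)
    return alerts


if __name__ == "__main__":
    for src, stages in find_chains(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {' -> '.join(stages)}")
```

Two sources in the sample each hit a single stage (a short guest registration, and a legitimate administrator resuming an upload) and produce no alert; only the source that walks the stages in sequence is flagged, which is the distinction that separates "an admin resumed an upload" from "a formerly anonymous client became an admin and resumed an upload".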