Healthcare File Transfer Data Breaches 2023
We are only halfway through 2023 and already multiple critical vulnerabilities have been discovered in major secure file transfer applications. The news of the latest MOVEit Transfer vulnerability comes just a few months after a vulnerability in GoAnywhere MFT, another file transfer product, was exploited in a set of attacks which began in late 2021. These vulnerabilities have disproportionately impacted the healthcare sector, including hospitals, health systems, and government agencies [source]. The Russia-linked ransomware group Clop reportedly took responsibility for the mass attack on more than 130 organizations using a zero-day vulnerability in GoAnywhere MFT [source]. The same group is now exploiting a zero-day vulnerability in MOVEit Transfer [source].
A zero-day vulnerability is a software or hardware flaw that has been discovered but for which no patch yet exists. White-hat security researchers (i.e. “the good guys”) who discover a flaw may report it to the vendor in confidence so that a patch can be developed before the flaw's existence becomes widely known. Malicious hackers or state-sponsored hacking groups, meanwhile, may discover the flaw themselves and keep their knowledge of it secret so that they can exploit it.
According to The Identity Theft Research Center (ITRC) Annual Data Breach Report, 2022 had the second-highest number of data compromises in the U.S. in a single year [source]. At least 422 million individuals were impacted, with 1,802 data compromises reported. 2021 leads only slightly, with 1,862 data compromises, but given the devastating impact of these file transfer software vulnerabilities, 2023 may end up being a particularly significant year for cybercrime statistics, identity theft and data compromises [source].
We strongly recommend taking immediate action: contact your vendors or IT team to verify whether your organization, or any vendor you rely on, uses Progress MOVEit Transfer (Secure Managed File Transfer) or GoAnywhere MFT, and whether your users or customers have been impacted by these vulnerabilities. It is essential to follow up with the mitigation steps recommended by the respective vendors.
Here are some proactive measures you can take to protect your data and minimize potential damage:
- Contact your vendor or IT team: Reach out to your software vendors or internal IT team to establish whether you use MOVEit Transfer or GoAnywhere MFT, directly or through a vendor, and whether you are exposed to the identified vulnerabilities. Promptly follow their guidance to address any potential risk.
- Patch and update: Apply any patches or updates your vendor provides to remediate the vulnerabilities, and check regularly for new releases or security updates so that you are running a version of MOVEit that addresses these issues.
- Monitor system activity: Watch the activity and logs of your MOVEit and GoAnywhere MFT systems closely for suspicious or unauthorized access attempts, and report any anomalies to your IT team immediately.
- User awareness and training: Educate your employees about these vulnerabilities and the risks they pose. Keep fostering a vigilant user base by promoting strong password management, cautious file sharing, and caution around phishing attempts or suspicious emails.
- Data backup and disaster recovery: Maintain regular backups of your critical data and test the restoration process periodically. A reliable backup strategy can limit the impact of a security incident.
This is also an ideal opportunity for further staff education and awareness of the increased risk of phishing emails and contact from malicious actors. Remind your users of the correct processes, procedures and policies for reporting such activity, as these vulnerabilities are being used in conjunction with ransomware attacks.
By following these steps and staying vigilant, you can help protect your organization from these threats and continue to use file transfer software securely.
Below are the currently tracked CVEs (Common Vulnerabilities and Exposures) for Fortra GoAnywhere MFT and MOVEit Transfer.
CVE-2023-0669: Published February 6, 2023 - Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVE-2023-34362: Published June 6, 2023 - In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this was exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019.x) before the five explicitly mentioned versions are affected, including older unsupported versions.
CVE-2023-35036: Published June 11, 2023 - In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
CVE-2023-35708: Published June 16, 2023 - In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are the fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
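As an added example (not part of the original post, and not code from Progress), the following Python script compares an installed MOVEit Transfer version against the first fixed version for each of the three MOVEit CVEs listed above, so an administrator can see at a glance which fixes a given install is missing. The mapping between release years and internal numbers (2023.0.1 = 15.0.1) is derived from the pairs quoted in the entries; treating a release branch newer than the last listed fix as already patched is an assumption.

```python
"""Compare an installed MOVEit Transfer version with the first fixed version
for each CVE listed above (added example; version data copied from the text)."""

# First fixed version per release branch, as quoted in the CVE entries above.
# Branches older than every listed branch (e.g. 2020.0, 2019.x) are affected,
# including unsupported versions, as the CVE-2023-34362 entry states.
FIXED_VERSIONS = {
    "CVE-2023-34362": ["2021.0.6", "2021.1.4", "2022.0.4", "2022.1.5", "2023.0.1"],
    "CVE-2023-35036": ["2021.0.7", "2021.1.5", "2022.0.5", "2022.1.6", "2023.0.2"],
    "CVE-2023-35708": ["2020.1.10", "2021.0.8", "2021.1.6", "2022.0.6",
                       "2022.1.7", "2023.0.3"],
}

def parse_version(text):
    """'2023.0.1' or the internal form '15.0.1' -> (2023, 0, 1)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    # The entries pair each release with its internal number (2021.0.6 = 13.0.6,
    # 2020.1.10 = 12.1.10), i.e. internal major + 2008 == release year.
    if major < 2000:
        major += 2008
    return (major, minor, patch)

def is_affected(installed, cve):
    """True if `installed` predates the first fixed version for `cve`."""
    ver = parse_version(installed)
    branch = ver[:2]                      # (year, minor) release branch
    fixed = {}
    for fv in map(parse_version, FIXED_VERSIONS[cve]):
        fixed[fv[:2]] = fv
    if branch in fixed:
        return ver < fixed[branch]
    # Unlisted branches: older than any listed fix -> affected; newer than the
    # last listed fix -> assumed to ship with the fix (not stated on the page).
    return branch < min(fixed)

def assess(installed):
    """CVEs from the table whose fix the installed version does not contain."""
    return [cve for cve in FIXED_VERSIONS if is_affected(installed, cve)]

if __name__ == "__main__":
    for v in ("2020.0.5", "2023.0.1", "15.0.3"):   # constructed sample inputs
        print(v, "-> missing fixes for:", ", ".join(assess(v)) or "none")
```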