URGENT SECURITY ALERT: MOVEit Vulnerability Identified

Meditology Services, your trusted partner in healthcare cybersecurity, is issuing an emergency alert for all healthcare organizations using MOVEit Transfer software. A security vulnerability potentially exposing sensitive information has recently been discovered.

This vulnerability was identified early in June and could allow unauthorized access to transmitted files under certain conditions. All MOVEit users are urged to apply the latest security patches immediately to mitigate the risk. For multiple remediation proof-of-concepts, refer to GitHub.

For more information, please refer to the official Health and Human Services (HHS) notice.

What is the MOVEit vulnerability?

The MOVEit vulnerability is a security flaw that can potentially allow malicious actors to exploit and gain access to sensitive data. This poses a significant risk to healthcare organizations, where the protection of patient data is paramount.

The MOVEit vulnerability could potentially provide a gateway for cyber criminals to access sensitive health information. Unauthorized access to such data could lead to a multitude of negative impacts, including violation of privacy laws, financial penalties, operational disruptions, and harm to the organization's reputation.

Technical Summary

MOVEit: Improper Authentication vulnerability in Progress’ MOVEit Gateway that can allow for authentication bypass (CVE-2024-5806)

Overview

This vulnerability is an authentication bypass vulnerability which affects the SFTP module of MOVEit file transfer software. Two attack paths have been discovered which can be utilized by attackers to potentially gain remote, authenticated access to the targeted MOVEit server. Both attack paths rely on a misconfiguration in the server’s authentication process, wherein the server attempts to open the authentication package as a file path on the server.

Affected Versions

  • 2023.0.0 (before 2023.0.11)
  • 2023.1.0 (before 2023.1.6)
  • 2024.0.0 (before 2024.0.2)
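
One way to triage an inventory against the fixed releases listed above (an added example, not code from Meditology or Progress). The host names, the sample inventory and the assumption that installed versions are recorded as year-style strings such as `2023.0.8` are constructed for illustration.

```python
# Fixed release per branch, copied from the "Affected Versions" list above.
FIXED_BY_BRANCH = {
    (2023, 0): (2023, 0, 11),
    (2023, 1): (2023, 1, 6),
    (2024, 0): (2024, 0, 2),
}

# Constructed inventory: host names and installed versions are made up.
SAMPLE_INVENTORY = {
    "sftp-prod-01": "2023.0.8",
    "sftp-prod-02": "2023.1.6",
    "sftp-dr-01": "2024.0.1",
    "sftp-lab-01": "2022.1.5",
    "sftp-old-01": "unknown",
}


def classify(version_text):
    """Return 'affected', 'patched', 'branch-not-listed' or 'unparseable'."""
    parts = version_text.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts):
        return "unparseable"
    version = tuple(int(p) for p in parts[:3])  # ignore any build suffix
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # The page lists only three branches; anything else needs a manual check.
        return "branch-not-listed"
    return "affected" if version < fixed else "patched"


def triage(inventory):
    """Group hosts by status so unknowns are reviewed rather than assumed safe."""
    report = {}
    for host, version_text in sorted(inventory.items()):
        report.setdefault(classify(version_text), []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```
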

Attack Path 1: Arbitrary Public-Key Authentication

This attack is performed by taking advantage of a misconfiguration in the MOVEit authentication error handlers. An authentication request containing a public key can be loaded onto the target server as a file path; however, the key itself is not passed to the MOVEit Authenticate function.

This allows an attacker to upload a null-length string as a public key to the target server. Supplying a filename instead of a public key will trigger the target server to read the file on the server and use it to verify the authentication request. The key itself is not forwarded to the Authenticate function, but rather an empty string, which the server then recognizes as valid. With a valid username, an attacker can authenticate to the target system as that user, while only supplying the null-length string for authentication.

Attack Path 2: Forced Authentication

This attack is performed by injecting a file path that points to a malicious IP address, such as an attacker-controlled SMB server, into the authentication request. The target server will attempt to open the file path in the request and will be prompted for authentication by the malicious server. The target server will then attempt to authenticate to the malicious server using Net-NTLMv2, and hashed credentials can be captured from this authentication exchange using a man-in-the-middle tool such as Responder.
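
Because the forced-authentication path makes the transfer server open an SMB session to a host outside the organization, firewall or flow logs are a practical place to look for it. The following is an added detection sketch, not code from Meditology or Progress; the server address, internal ranges, CSV log layout and sample rows are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumptions (not from the article): the transfer server address, the internal
# ranges and this CSV flow-log layout. All sample rows are constructed.
MOVEIT_SERVERS = {ipaddress.ip_address("10.20.0.15")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

SAMPLE_FLOWS = """\
time,src,dst,dport,proto,action
2024-06-26T10:01:12Z,10.20.0.15,10.20.0.40,445,tcp,allow
2024-06-26T10:03:55Z,10.20.0.15,203.0.113.77,445,tcp,allow
2024-06-26T10:04:02Z,10.20.0.15,198.51.100.9,443,tcp,allow
2024-06-26T10:07:31Z,10.20.0.15,203.0.113.77,139,tcp,deny
2024-06-26T10:09:00Z,10.20.0.99,192.0.2.5,445,tcp,allow
"""


def find_external_smb_egress(flow_csv):
    """Return SMB connections from the transfer server to non-internal hosts."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the hunt
        if src not in MOVEIT_SERVERS or dport not in SMB_PORTS:
            continue
        if any(dst in net for net in INTERNAL_NETS):
            continue  # file shares inside the organisation are expected
        # An allowed flow means the NTLM exchange may have completed, so the
        # service account's Net-NTLMv2 hash should be treated as exposed.
        severity = "high" if row.get("action") == "allow" else "medium"
        findings.append({"time": row.get("time"), "dst": str(dst),
                         "dport": dport, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_external_smb_egress(SAMPLE_FLOWS):
        print(finding)
```

A "high" finding is a prompt to rotate the service account's credentials and to block outbound SMB from the transfer server at the perimeter.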

Impact

Both vulnerabilities pose a critical risk to vulnerable MOVEit systems, particularly those which are internet accessible. Attackers have already been aggressively utilizing these attack paths to target internet-accessible, vulnerable systems across the world. Successful attacks allow access to target servers including the ability to read, write, and delete files, or as an initial access point for entry into an organization’s internal network. PHI or PII stored on a vulnerable MOVEit system may be accessible to attackers or may be used as an avenue to move laterally and access sensitive information elsewhere in an organization’s environment.

Meditology Services in Action

Meditology Services cybersecurity testing solutions are designed to identify such vulnerabilities. We offer comprehensive penetration and technical testing, cloud security testing, medical device and IoT security testing, and incident response testing. Our services are specifically tailored to meet the unique cybersecurity needs of healthcare organizations, helping to identify and mitigate potential risks before they lead to costly incidents.

Furthermore, with our RITHM™ subscription-based IT risk management program, we provide core risk and compliance services with a predictable spend. This allows healthcare organizations to maintain a consistent cybersecurity cadence, continually assessing and addressing vulnerabilities like the MOVEit vulnerability.

Conclusion

As always, Meditology Services remains committed to providing robust cybersecurity solutions tailored to the unique needs of healthcare organizations. With offerings that include risk assessments, cybersecurity testing, and incident response, we are here to provide support and guidance as you navigate this urgent situation.

Please do not hesitate to reach out if you need assistance or have any questions. Your cybersecurity is our priority.

Together, let's move cybersecurity forward in healthcare.
