MOVEit and HR Systems: Who Is Responsible For the Cybersecurity of our SAS?

SAS (Software-as-a-Service) for HR systems has always bothered me. I basically log into my HR system, and it sends me off to a cloud provider. But the HR system contains sensitive information, so who is responsible for assessing the security of that service? Do companies perform full on-site (cloud-based) audits of the system? Do they check who has access to these systems? Do they check the tools that are used? Do they check that the provider complies with the company's security policy? The answer is possibly "No" to most of these. We often off-shore the service and the responsibilities that go with it: rather than run our own service, we let others do it for us.

So, who is responsible when something goes wrong? The CEO of the consumer, or the CEO of the SAS provider? And so, who is responsible for the MOVEit hack?

Is it the BBC and British Airways? Is it Ipswitch, who created the MOVEit software? Or is it Zellis (the provider of the SAS)? I believe that the customer should bear a good deal of the responsibility for auditing the SAS that they use, and for making sure that it is up to the standards required to protect sensitive information.

MOVEit

The MOVEit Transfer managed file transfer (MFT) software [here] has been developed by Ipswitch (a subsidiary of Progress Software). It encrypts files and then uses the Secure File Transfer Protocol (SFTP) to transfer them to a remote destination. Its typical uses are in log automation, crash recovery, and data analytics, and it is fully cloud-based.

Many applications thus integrate with the cloud-based service in order to move files around securely. Unfortunately, it has been identified as having a zero-day vulnerability.

The vulnerability is an SQL injection that could allow an adversary to escalate their privileges. With it, an adversary may be able to discover the structure and the contents of the database, and then modify database elements on the MOVEit site.

It seems that the zero-day vulnerability has already been exploited in the wild, with some security researchers pinpointing the Lace Tempest group, which is thought to be affiliated with the Clop ransomware gang.

Several companies have already identified that they have been hit, including Zellis (a UK-based HR/payroll software provider) [here].

Zellis has identified that eight companies have been affected by the breach, including British Airways, the BBC, and Boots. British Airways has already written to UK-based staff outlining that the hack may have exposed personal data including their name, address, NI (National Insurance) number and banking details.

The government of Nova Scotia also uses MOVEit, and has taken its payroll system off-line [here].

A search of Shodan identifies that there are currently over 2,500 MOVEit servers across the world.

Overall, the hack involves the presence of a human2.aspx file in the wwwroot of the IIS server (human.aspx is a default file installed with the system and is legitimate). This human2.aspx acts as a web shell on the system, allowing an adversary to view the structure of the files and then issue SQL commands to the database. Along with this, MOVEit keeps Windows event logs, stored in C:\Windows\System32\winevt\Logs\MOVEit.evtx, which contain details of file downloads such as file names and paths, file sizes, IP addresses, and usernames.
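As an added example (not code from the original post or from Progress/Ipswitch), here is a PowerShell triage script a defender could run on a MOVEit Transfer host to check the two indicators described above: the presence of human2.aspx in the web root, and the download records in MOVEit.evtx. The web root path, the "newer than human.aspx" heuristic and the 'download' keyword filter are assumptions, not details from the page.

```powershell
# Added defensive triage example; not from the original post or the vendor.
# Assumptions (not on the page): the MOVEit web root is $WebRoot, and the
# event log can be read directly from the .evtx path the post names.
param(
    [string]$WebRoot  = 'C:\MOVEitTransfer\wwwroot',                  # assumed install path
    [string]$EvtxPath = 'C:\Windows\System32\winevt\Logs\MOVEit.evtx', # path named in the post
    [int]$Days        = 30
)

# 1. Web shell indicator: human2.aspx should never exist; human.aspx is the shipped file.
$shell = Join-Path $WebRoot 'human2.aspx'
if (Test-Path $shell) {
    $f = Get-Item $shell
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Warning "human2.aspx present: created $($f.CreationTime), SHA256 $hash"
} else {
    Write-Output "No human2.aspx under $WebRoot"
}

# 2. Heuristic: any .aspx written after the legitimate human.aspx is worth a look,
#    since a dropped web shell post-dates the installation (assumed heuristic).
$baseline = Get-Item (Join-Path $WebRoot 'human.aspx') -ErrorAction SilentlyContinue
if ($baseline) {
    Get-ChildItem -Path $WebRoot -Recurse -Filter '*.aspx' |
        Where-Object { $_.LastWriteTime -gt $baseline.LastWriteTime } |
        Select-Object FullName, LastWriteTime, Length |
        Format-Table -AutoSize
}

# 3. Export recent MOVEit events for review; the post says these hold file names,
#    paths, sizes, IPs and usernames. The 'download' match is a coarse assumed filter.
if (Test-Path $EvtxPath) {
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -Path $EvtxPath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt $since -and $_.Message -match 'download' } |
        Select-Object TimeCreated, Id, Message |
        Export-Csv -Path (Join-Path $env:TEMP 'moveit-downloads.csv') -NoTypeInformation
    Write-Output "Download-related events since $since written to $env:TEMP\moveit-downloads.csv"
}
```

Run it from an elevated prompt on the MOVEit host; the CSV of events is the starting point for checking which files left the system, from which IPs, and under which accounts.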

John Hammond has even found that the human2.aspx file can allow remote code execution, and drop ransomware onto a system.

GreyNoise has observed scanning of the human.aspx file as far back as 3 March 2023, and the advice for companies is to disable all HTTP and HTTPS traffic related to MOVEit activity.

Conclusions

Companies should not be able to off-shore their cybersecurity responsibilities to others. I appreciate that this is a zero-day vulnerability, but the point is that companies must audit their service providers in the way that they would audit their own systems. HR systems and contact databases are a key focus for many adversaries, as they could cripple companies in an instant. So, hopefully, these systems are well protected against attack, especially against ransomware and data exfiltration.