New research reveals rapid remediation of MOVEit Transfer vulnerabilities

Written by Pedro Umbelino
Principal Research Scientist
Written by Noah Stone
Senior Manager, Thought Leadership

The recent discovery of a critical vulnerability in the MOVEit file transfer software is the latest in a series of high-profile software supply chain incidents. On May 31st, 2023, Progress – the developer of MOVEit – published an advisory alerting the community to a critical vulnerability in its MOVEit Transfer product. The vulnerability, now tracked as CVE-2023-34362, allows an attacker to gain access to MOVEit’s database and steal and/or alter its contents. Attackers are actively exploiting this vulnerability, impacting government agencies and corporations worldwide.

Two more vulnerabilities — CVE-2023-35036 and CVE-2023-35708 — were identified on June 9th and June 15th, respectively, but reports claim these flaws have not been exploited in any attacks thus far. Three more vulnerabilities — CVE-2023-36932, CVE-2023-36933, and CVE-2023-36934 — together dubbed CVE-2023-3693X in this blog, were discovered on July 5th.

To understand current global exposure, Bitsight leveraged its proprietary scanning infrastructure and patented entity mapping methods, revealing:

  • The current state of organizational exposure to each MOVEit Transfer CVE;
  • How quickly organizations are remediating each CVE;
  • Which sectors are remediating the fastest/slowest; and
  • Geographic and sector impact.

Bitsight shared this information with Progress Software to assist in their tracking of exposed systems and remediation efforts.

Now let’s dive into the latest data on the MOVEit Transfer vulnerabilities to see how organizations have been managing the situation.

Rapid Remediation Underway but Risks Remain

Organizations are rapidly remediating the MOVEit vulnerabilities. Between the announcement of CVE-2023-34362 on May 31st and July 12th, the number of organizations vulnerable to CVE-2023-34362 dropped such that at least 77 percent of the originally affected organizations are no longer vulnerable. See the chart below showing the decline in vulnerable organizations as a percentage of those vulnerable on May 31st.

On the other hand, at most 23 percent of the initially affected organizations are still vulnerable, and higher rates of vulnerability exist for the later CVEs. In fact, at most 56 percent of the organizations originally affected by the newest collection of CVEs, CVE-2023-3693X, remain vulnerable to them.

Bitsight was unable to observe patches for major versions 12 and 13, and minor version 14.0. Our lack of visibility in this respect could be for several reasons, with the most likely explanation being that patches do not result in changes in version number.

Accordingly, Bitsight was unable to determine whether some organizations are vulnerable. We can, however, state an upper bound on the percentage of vulnerable organizations by counting both unknown-status and known-vulnerable organizations, as is done in the chart above and in those throughout this blog.

CISA alerts and Progress’ diligence may have catalyzed rapid remediation

CISA issued alerts for all but one CVE assigned to vulnerabilities in MOVEit Transfer — CVE-2023-35036 — but across all CVEs, we observe rapid declines in the maximum number of vulnerable organizations. In fact, recent research found that CISA alerts tend to improve the likelihood of organizations rapidly remediating a given vulnerability; what we’re seeing with MOVEit could be a real-time example of this promising trend.

We are observing what Bitsight calls "rapid remediation" for these vulnerabilities. Typical remediation rates for software vulnerabilities are a mere 5 percent per month, while these remediation rates are significantly faster. Following a typical vulnerability remediation pattern, it would take 29 months to reach the level of remediation we observe for MOVEit after just 42 days. In other words, organizations are remediating CVE-2023-34362 roughly 21X faster than what’s considered typical. The point? Organizations are taking these MOVEit vulnerabilities very seriously, and rightfully so.
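The "29 months" and "21X" figures above only reconcile with a 5 percent monthly rate if remediation is modelled as compounding (each month, 5 percent of the organizations that are still vulnerable remediate), rather than as a flat 5 percent of the original population per month. The following is an added worked example, not Bitsight's own calculation; the compounding model and the 365.25/12 days-per-month convention are assumptions made here to reproduce the post's numbers.

```python
import math

# Inputs as stated in the post.
TYPICAL_MONTHLY_RATE = 0.05   # "a mere 5 percent per month"
OBSERVED_REMEDIATED = 0.77    # "at least 77 percent ... no longer vulnerable"
OBSERVED_DAYS = 42            # May 31st to July 12th

# Assumption: average calendar month length used to convert months to days.
DAYS_PER_MONTH = 365.25 / 12


def months_to_reach(fraction_remediated, monthly_rate):
    """Months a typical, compounding remediation curve needs to reach the
    given remediated fraction. Each month, `monthly_rate` of the organizations
    still vulnerable remediate, so the vulnerable fraction after n months is
    (1 - monthly_rate) ** n. Solve (1 - rate) ** n = 1 - remediated for n."""
    remaining = 1.0 - fraction_remediated
    return math.log(remaining) / math.log(1.0 - monthly_rate)


def months_to_reach_linear(fraction_remediated, monthly_rate):
    """Alternative, non-compounding reading: a flat `monthly_rate` of the
    original population remediates every month. Kept for comparison; it does
    NOT reproduce the post's 29-month figure."""
    return fraction_remediated / monthly_rate


def speedup(fraction_remediated, observed_days, monthly_rate):
    """How many times faster the observed remediation is than the typical
    compounding curve, expressed as typical_days / observed_days."""
    typical_days = months_to_reach(fraction_remediated, monthly_rate) * DAYS_PER_MONTH
    return typical_days / observed_days


if __name__ == "__main__":
    m = months_to_reach(OBSERVED_REMEDIATED, TYPICAL_MONTHLY_RATE)
    lin = months_to_reach_linear(OBSERVED_REMEDIATED, TYPICAL_MONTHLY_RATE)
    x = speedup(OBSERVED_REMEDIATED, OBSERVED_DAYS, TYPICAL_MONTHLY_RATE)
    print(f"compounding model: {m:.1f} months to reach 77% remediated")
    print(f"linear model:      {lin:.1f} months (does not match the post)")
    print(f"observed speedup:  {x:.1f}X")
```

Under the compounding model the result is about 28.7 months, which rounds to the post's 29, and about 20.8X, which rounds to its 21X; the linear reading gives only 15.4 months, so the compounding interpretation is the one consistent with the figures quoted above.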

Another factor potentially catalyzing remediation rates is Progress’ diligence in publishing timely and informative advisories. Progress has published an advisory for each CVE, detailing mitigations, patches, and more.

Organizations widely adopting patched versions

Bitsight leveraged its proprietary scanning technology and unique fingerprinting capabilities to observe the adoption of versions over time and effectively measure patching rates.

With each CVE announcement, we observe a steep rise in patched versions and sharp declines in other versions (Figure 2). When CVE-2023-35036 was announced, the adoption of patched versions 14.1.6.97 and 15.0.2.39 rose while the prevalence of other versions declined or stagnated. Likewise, when CVE-2023-35708 was announced, the use of versions 14.1.7.100 and 15.0.3.42 increased while use of other versions declined or stagnated. And finally, when CVE-2023-3693X was announced, 14.1.8.106 and 15.0.4.49 increased in prevalence and use of the others dropped or stagnated. This is great news, indicating that organizations are promptly moving from vulnerable to patched versions.

Notice that we observe no patched versions of major versions 12 and 13, or of minor version 14.0. As explained earlier, this is likely because patches for those versions do not change the version number.
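The version-to-CVE relationships described in the two paragraphs above lend themselves to a small inventory check: given a version string observed on a MOVEit Transfer host, decide per CVE whether it is patched, vulnerable, or unknown, and report the "at most N percent vulnerable" upper bound the post uses (known-vulnerable plus unknown). The code below is an added example for this article, not Bitsight's scanner or Progress's advisory data. It uses only the patched builds named in the post (14.1.6.97/15.0.2.39, 14.1.7.100/15.0.3.42, 14.1.8.106/15.0.4.49); CVE-2023-34362 is left out because the post names no build for it. It assumes that builds are ordered within a release branch, so a later 14.1.x or 15.0.x build carries the earlier fixes, and it treats the 12, 13 and 14.0 branches as unknown because, per the post, patches there leave the version number unchanged. The inventory is constructed sample data.

```python
"""Classify observed MOVEit Transfer versions against patched builds named in
the post. Added example, not Bitsight's or Progress's own tooling."""

# Patched builds per CVE, keyed by release branch (major.minor), as named in
# the post. CVE-2023-34362 is omitted: the post names no build for it.
PATCHED_BUILDS = {
    "CVE-2023-35036": {"14.1": (14, 1, 6, 97),  "15.0": (15, 0, 2, 39)},
    "CVE-2023-35708": {"14.1": (14, 1, 7, 100), "15.0": (15, 0, 3, 42)},
    "CVE-2023-3693X": {"14.1": (14, 1, 8, 106), "15.0": (15, 0, 4, 49)},
}

# Per the post, patches for these branches do not change the version number,
# so a version string alone cannot prove the host is patched.
UNVERSIONED_PATCH_BRANCHES = {"12", "13", "14.0"}


def parse_version(text):
    """Turn '14.1.7.100' into a 4-tuple of ints, padding short strings with
    zeros so that '15.0.1' compares as (15, 0, 1, 0). Raises ValueError on
    anything that is not 2 to 4 dot-separated non-negative integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"not a MOVEit-style version: {text!r}")
    return parts + (0,) * (4 - len(parts))


def branch_of(version):
    """Release branch as 'major.minor', e.g. '14.1'."""
    return f"{version[0]}.{version[1]}"


def classify(version_text, cve):
    """Return 'patched', 'vulnerable', 'unknown' or 'invalid' for one host.
    Assumption: builds within a branch are ordered, so any build at or above
    the named patched build carries that fix."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "invalid"
    branch = branch_of(version)
    if str(version[0]) in UNVERSIONED_PATCH_BRANCHES or branch in UNVERSIONED_PATCH_BRANCHES:
        return "unknown"                      # patch state not visible in version
    fixed = PATCHED_BUILDS[cve].get(branch)
    if fixed is None:
        return "unknown"                      # branch not covered by the post
    return "patched" if version >= fixed else "vulnerable"


def summarize(inventory):
    """Per CVE: counts of each status plus the upper bound the post reports,
    i.e. known-vulnerable and unknown hosts as a percentage of all hosts."""
    report = {}
    for cve in PATCHED_BUILDS:
        counts = {"patched": 0, "vulnerable": 0, "unknown": 0, "invalid": 0}
        for _host, version_text in inventory:
            counts[classify(version_text, cve)] += 1
        total = len(inventory)
        at_most = counts["vulnerable"] + counts["unknown"]
        counts["max_vulnerable_pct"] = 100.0 * at_most / total if total else 0.0
        report[cve] = counts
    return report


# Constructed sample inventory (host label, version string seen on the host).
SAMPLE_INVENTORY = [
    ("host-a", "15.0.4.49"),    # latest 15.0 build named in the post
    ("host-b", "14.1.7.100"),   # fixed for 35036 and 35708, not 3693X
    ("host-c", "14.0.2"),       # 14.0 branch: patch state not visible
    ("host-d", "13.1.1"),       # 13 branch: patch state not visible
    ("host-e", "15.0.1"),       # below every patched 15.0 build
    ("host-f", "14.1.6.97"),    # fixed for 35036 only
]

if __name__ == "__main__":
    for cve, counts in summarize(SAMPLE_INVENTORY).items():
        print(cve, counts)
```

Reporting "max_vulnerable_pct" rather than a single vulnerable count mirrors the post's "at most" phrasing: an unknown host is not counted as safe. In a real inventory the unknown bucket is the one to chase down by other means (patch logs, file hashes, or the vendor's own guidance), since the version string cannot settle it.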

Sector Impact: These Sectors are Rapidly Remediating the MOVEit Vulnerabilities

Impacted organizations are overwhelmingly headquartered in the United States and mostly from the technology, government/politics, and finance sectors. We consider an organization to be impacted if it was vulnerable at any point during our analysis.

Bitsight identified the three sectors remediating MOVEit vulnerabilities the fastest. Figure 3 shows the number of organizations vulnerable to all MOVEit CVEs as a percentage of the affected organizations at the time of each CVE announcement. The three sectors are:

  1. Government/Politics (at least 73 percent of organizations remediated);
  2. Manufacturing (at least 52 percent of organizations remediated); and
  3. Business Services (at least 46 percent of organizations remediated).

It is not clear why these particular sectors are achieving higher remediation rates than others. However, for government/politics, one contributing factor may be the prevalence of regulation and government mandates. This sector is trusted with sensitive information: secret or otherwise sensitive government information, and personally identifiable information (PII). The breadth and scope of the data for which this sector is responsible could be one reason it prioritized remediation of these CVEs. Another factor could be CISA’s heavy involvement in the matter.

How Bitsight can Help

Vulnerabilities in MOVEit Transfer represent a critical supply chain risk to organizations. Security leaders need a way to identify vulnerable instances not only deployed within their own organizations but also in their third-party ecosystem. Attackers are increasingly targeting less secure third parties via vulnerabilities like CVE-2023-34362 to steal a target’s information and deploy ransomware.

Detecting vulnerabilities is critical

In your own systems

If you can’t detect it, then you can’t protect against it. That’s where external attack surface management comes in – detecting and responding to cyber risk at scale. Bitsight Security Performance Management (SPM) offers key External Attack Surface Management (EASM) capabilities, helping your organization continuously discover its attack surface, identify where exposure exists, and prioritize remediating vulnerable areas of infrastructure. Take MOVEit Transfer instances for example – Bitsight allows you to quickly and efficiently identify deployed MOVEit Transfer systems in your organization and then take steps to remediate vulnerabilities in those systems, like CVE-2023-34362.

In your third parties’ systems

Managing vendor exposure to critical vulnerabilities quickly, effectively, and at scale is crucial to protect your network. When a major security event hits the news, how do you know which of your vendors is affected? How are they potentially exposing your organization? In the heat of the moment, you need to be able to answer these questions quickly and confidently.

With Bitsight’s Vulnerability Detection & Response capabilities, included in our Continuous Monitoring solution, you can gain insights into vendor exposure to vulnerabilities and take action on high-priority incidents impacting your vendors at a moment’s notice, while communicating critical information to board- and executive-level stakeholders during high-stress situations.

Take Action Now

Bitsight is your trusted partner in your journey to a stronger security posture. Contact us today to learn more!