On May 31, 2023, Progress published details of a critical remote code execution (RCE) 0-day vulnerability in MOVEit Transfer being exploited in-the-wild (CVE-2023-34362).
CVE-2023-34362 was assigned to this vulnerability on June 2, 2023, and according to the vendor exploitation has been observed since May 2023, though there have been reports of possible exploitation going back to March 2023 or even mid-2021. Users are urgently advised to patch to the fixed version, and stay up-to-date on the latest information about this ongoing issue.
June 10 update:
On June 9, 2023, Progress published details of a second critical SQL injection vulnerability in MOVEit Transfer (CVE-2023-35036). An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.
June 20 update:
On June 15, 2023, Progress published details of a third critical SQL injection vulnerability in MOVEit Transfer (CVE-2023-35708).
What is MOVEit Transfer?
MOVEit Transfer is a Windows-Server-based managed file transfer (MFT) service developed by Ipswitch, a subsidiary of Progress.
What is CVE-2023-34362?
An SQL injection vulnerability (CVE-2023-34362) has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer's database.
Depending on the database engine being used by MOVEit Transfer (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Wiz Research data: what’s the risk to cloud environments?
According to Wiz Data less than 1% of cloud environments have instances running MOVEit Transfer, though according to Censys, most publicly exposed instances of this software are indeed hosted in the cloud, particularly in Azure. We estimate that the low prevalence of MOVEit Transfer in cloud environments is due to customers preferring to use the SaaS offering of this product rather than installing the standalone on-premises version.
What sort of exploitation has been identified in the wild?
Multiple organizations have come forward to publicly disclose that they have been compromised, and the Cl0p ransomware group have named multiple companies which they claim to have successfully targeted by exploiting this vulnerability and exfiltrating their data.
GreyNoise has observed scanning activity for the login page of MOVEit Transfer as early as March 3rd, 2023, and Kroll has identified potentially related activity going back as far as June 2021, which may indicate that Cl0p were in possession of this vulnerability for a very long time.
Who is behind this activity?
Since MOVEit Transfer is an MFT application, suspicions arose in the security industry that the threat actor behind this activity may be Cl0p, who have previously had success at exploiting 0day vulnerabilities in similar software (such as GoAnywhere) in order to steal sensitive data from their victims. Subsequently, Microsoft publicly attributed the exploitation of CVE-2023-34362 to Cl0p, and Mandiant published a report with their findings related to the malware and attack techniques utilized by the threat actor. The group has since claimed that they were indeed behind this activity.
Indicators of compromise
For full list of IoCs refer to the vendors advisory.
Which products are affected?
| Affected major version | Fixed minor version |
|---|---|
| 2023.0.0 | 2023.0.3 (15.0.3) |
| 2022.1.x | 2022.1.7 (14.1.7) |
| 2022.0.x | 2022.0.6 (14.0.6) |
| 2021.1.x | 2021.1.6 (13.1.6) |
| 2021.0.x | 2021.0.8 (13.0.8) |
| 2020.1.x | 2020.1.10 (12.1.10) |
Which actions should security teams take?
Affected customers should update to patched versions immediately, while prioritizing publicly exposed instances of this software. This is important whether or not your organization has been compromised, since Cl0p and other threat actors are most likely still scanning for vulnerable instances to exploit.
Additionally, Progress has recommended temporarily blocking HTTP access to MOVEit Transfer instances, and relying on FTP instead (which is not affected by these vulnerabilities).
As best practice, we recommend reducing your cloud environment's attack surface by ensuring that applications such as MOVEit Transfer are located behind a firewall, VPN or SSO landing page. You should avoid exposing data-rich applications directly to the Internet, otherwise your environment may be only one 0day away from compromise, no matter how fast you patch.
If you have previously granted access to MOVEit Transfer to utilize cloud storage instances in your environment as part of the service's Azure integration, and if you have reason to believe that any of your workloads hosting MOVEit Transfer have been compromised, we recommend rotating the relevant cloud keys in case these were compromised as well, and then updating the MOVEit Transfer configuration with the new keys.
Similarly, if you have allowed MOVEit Transfer to use an online SQL database such as Azure SQL, you should rotate credentials for the relevant database as well.
Wiz customers can use the pre-built queries and advisory in the Wiz Threat Center to know if and where it's in use in their environment, particularly any instances directly exposed to the Internet.
References
