CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
A newly discovered zero-day vulnerability in MOVEit Transfer is the second zero-day disclosed in a managed file transfer solution in 2023, with reports suggesting that threat actors have stolen data from a number of organizations.
Background
On May 31, Progress Software Corporation (“Progress Software”) published an advisory for a “critical” vulnerability in MOVEit Transfer, a secure managed file transfer (MFT) software used by a variety of organizations. Following the publication of its advisory, reports emerged that the flaw had been exploited in the wild as a zero-day.
| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2023-34362 | MOVEit Transfer SQL Injection Vulnerability | N/A | N/A |
Analysis
CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance. Successful exploitation would give an attacker access to the underlying MOVEit Transfer instance. Additionally, Progress Software notes that an attacker “may be able to infer information about the structure and contents of the database” depending upon the specific database engine in use (such as MySQL, Microsoft SQL Server, or Azure SQL).
In addition to the on-prem version of MOVEit Transfer, Progress Software confirmed in a statement to BleepingComputer that MOVEit cloud was also impacted, adding that it “took immediate action, including bringing down MOVEit Cloud, to ensure the safety of our customers, while we reviewed the severity of the situation.”
Critical MOVEit vulnerability has been exploited in the wild as a zero-day
While Progress Software has not explicitly referred to it as a zero-day, BleepingComputer reports that it has learned that “threat actors have been exploiting” the flaw as a zero-day to “perform mass downloading of data from organizations.” At the time this blog post was published, we were unaware of any specific threat actor that is responsible for the attacks.
At least 2,500 MOVEit Transfer potentially vulnerable instances publicly accessible
Based on a Shodan query shared by Shodan itself, there were 2,526 potentially vulnerable MOVEit Transfer instances publicly accessible as of June 2, 2023, with nearly three-quarters located in the United States (73.4%), followed by the United Kingdom at 5% and Germany at 4.6%.
Image Source: Tenable, June 2023
Second MFT zero-day vulnerability discovered in 2023
The discovery of CVE-2023-34362 in MOVEit marks the second time in 2023 that a zero-day in an MFT solution has been exploited. In February, Fortra (formerly HelpSystems) disclosed a pre-authentication command injection zero-day vulnerability in its GoAnywhere MFT solution to customers as part of a technical bulletin, as shared by journalist Brian Krebs. The flaw, identified as CVE-2023-0669, was used to access GoAnywhere customers’ systems between January 28 and January 30, as Fortra confirmed in its summary investigation. The Clop ransomware group took credit for the attacks, claiming it had stolen data from “over 130 organizations.” Additionally, the BlackCat/ALPHV ransomware group was also observed exploiting CVE-2023-0669.
File transfer applications are a boon for data theft and extortion
Preceding the discovery of CVE-2023-0669, the Clop ransomware group was linked to a number of attacks stemming from four flaws in Accellion’s File Transfer Appliance (FTA), an end-of-life solution that was exploited in mid-to-late December 2020.
File transfer solutions are uniquely positioned as a valuable target for cybercriminals, particularly ransomware groups. The rise in ransomware attacks over the last five years is largely attributed to the adoption of double extortion, a technique that combines data encryption with data theft and the threat of publishing the stolen data on leak sites. More recently, new groups have emerged that forgo data encryption altogether, and some existing groups have pivoted away from it, opting to focus on data theft alone.
The compromise of MFT solutions by threat actors creates a snowball-like effect: in the coming days and weeks, we’ll likely learn which organizations were impacted by this flaw, either through ransomware data leak sites or through breach disclosures from the affected organizations themselves.
MOVEit Transfer customers should assume compromise; initiate incident response
As this vulnerability was exploited as a zero-day, MOVEit Transfer customers should treat their deployments as suspected compromises and start the incident response (IR) process. The advisory from Progress Software includes a list of indicators of compromise (IOCs), including a webshell with the file names “human2.aspx” and “human2.aspx.lnk”, along with a list of command and control traffic indicators that can be used as part of an IR investigation.
For additional technical analysis, please refer to several blog posts that have been published [1, 2, 3] since the advisory was released. Additionally, our partners at GreyNoise have recommended reviewing systems for IOCs dating back to at least 90 days prior to the public disclosure of this flaw.
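The sweep described above, as an added example written for this post rather than code from Tenable, Progress Software or GreyNoise: it walks a directory tree for the advisory’s indicator file names, computes the start of the 90-day review window GreyNoise recommends, and scans IIS-style W3C extended log lines for any request to the webshell path. The web root location, the W3C field layout and every log line and file name below are constructed for the example, not taken from a real MOVEit Transfer host.

```python
"""IOC sweep for the MOVEit Transfer webshell names given in the Progress advisory.

Added example, not code from Tenable, Progress Software or GreyNoise. It
(1) walks a directory tree for the indicator file names "human2.aspx" /
"human2.aspx.lnk", (2) computes the start of the 90-day review window, and
(3) scans IIS-style W3C extended log lines for requests to the indicator path.
The log lines and files below are constructed samples, not real traffic.
"""
import os
import tempfile
from datetime import date, timedelta

# Indicator file names listed in the Progress Software advisory.
IOC_FILENAMES = {"human2.aspx", "human2.aspx.lnk"}

# Advisory publication date and the lookback GreyNoise recommends (at least 90 days).
DISCLOSURE_DATE = date(2023, 5, 31)
LOOKBACK_DAYS = 90


def review_window_start(disclosure=DISCLOSURE_DATE, lookback_days=LOOKBACK_DAYS):
    """Earliest log date worth pulling: disclosure minus the lookback."""
    return disclosure - timedelta(days=lookback_days)


def find_ioc_files(root):
    """Return paths under `root` whose file name matches an IOC (case-insensitive).
    In practice `root` would be the MOVEit Transfer web root (assumed location)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in IOC_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_w3c(lines):
    """Yield one dict per data line of a W3C extended log, keyed by the most
    recent '#Fields:' header; lines whose column count disagrees are skipped."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_webshell_requests(lines):
    """Return (date, client ip, method, status) for every request whose URI stem
    ends in an indicator file name, regardless of response code: a 404 still
    shows someone probing for it."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] in IOC_FILENAMES:
            hits.append((rec.get("date"), rec.get("c-ip"),
                         rec.get("cs-method"), rec.get("sc-status")))
    return hits


# Constructed IIS W3C log sample (addresses from documentation ranges, not real).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-27 22:41:03 10.0.0.5 GET /index.aspx - 192.0.2.10 200
2023-05-28 03:12:44 10.0.0.5 POST /human2.aspx - 198.51.100.7 200
2023-05-28 03:12:45 10.0.0.5 GET /HUMAN2.ASPX - 198.51.100.7 404
bad line with wrong column count
2023-05-29 11:02:10 10.0.0.5 GET /files/report.pdf - 192.0.2.10 200
""".splitlines()


def demo_file_sweep():
    """Build a throwaway tree with one indicator file and return the matched base names."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wwwroot"))
        for name in ("index.aspx", "human2.aspx"):
            open(os.path.join(root, "wwwroot", name), "w").close()
        return [os.path.basename(p) for p in find_ioc_files(root)]


if __name__ == "__main__":
    print("review logs from:", review_window_start())
    print("indicator files:", demo_file_sweep())
    for hit in find_webshell_requests(SAMPLE_LOG):
        print("webshell request:", hit)
```

Run it against the real web root and the IIS log directory by replacing the temporary tree and `SAMPLE_LOG`; any match on the file name or any request to the path, successful or not, is a lead for the IR team rather than proof of compromise on its own.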
Proof of concept
At the time this blog post was published, there was no proof-of-concept (PoC) exploit for CVE-2023-34362.
Solution
Progress Software has released the following fixed versions of MOVEit Transfer on-prem:
| Fixed MOVEit Transfer Version |
|---|
| 2021.0.6 |
| 2021.1.4 |
| 2022.0.4 |
| 2022.1.5 |
| 2023.0.1 |
If upgrading to a fixed version is not feasible at this time, Progress Software recommends disabling HTTP (port 80) and HTTPS (port 443) traffic to MOVEit Transfer in the interim to prevent exploitation.
Identifying affected systems
Our detection plugin for MOVEit Transfer (ID: 90190) has been updated and a version check plugin (ID: 176567) has been released. Additional plugins to identify this vulnerability can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
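The version triage that the fixed-version table and a version check imply, as an added example that is not Tenable’s plugin or Progress Software’s code: an installed version is compared against the fix in its own release line, so 2022.1.4 is flagged while 2022.1.5 is not. The fixed versions are the ones listed above; the rule that a release line with no listed fix (for example 2020.x) is reported separately and treated as unpatched, and the host inventory, are this example’s assumptions.

```python
"""Triage installed MOVEit Transfer versions against the advisory's fixed versions.

Added example (not Tenable's plugin or Progress Software's code). FIXED_VERSIONS
comes from the advisory; treating a release line with no listed fix as unpatched
is this example's assumption, as is the sample host inventory.
"""

# Fixed on-prem versions published by Progress Software, one per release line.
FIXED_VERSIONS = ["2021.0.6", "2021.1.4", "2022.0.4", "2022.1.5", "2023.0.1"]


def parse_version(version):
    """Turn '2022.1.5' into (2022, 1, 5); raise ValueError for anything else."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts


def fixed_version_for_line(version):
    """Return the fixed version in the same <year>.<minor> release line, or None."""
    major, minor, _patch = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fmajor, fminor, _fpatch = parse_version(fixed)
        if (fmajor, fminor) == (major, minor):
            return fixed
    return None


def assess(installed):
    """Classify one installed version: 'patched', 'vulnerable' or 'no-fix-listed'.
    A patch level at or above the fixed version counts as patched; a release
    line absent from the table is reported separately (assumption: unpatched)."""
    fixed = fixed_version_for_line(installed)
    if fixed is None:
        return "no-fix-listed"
    return "patched" if parse_version(installed) >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """Map {host: version} to {status: [hosts]}, unparseable versions under 'unknown'."""
    report = {"patched": [], "vulnerable": [], "no-fix-listed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            report[assess(version)].append(host)
        except ValueError:
            report["unknown"].append(host)
    return report


# Constructed host inventory for the example, not real systems.
SAMPLE_INVENTORY = {
    "mft-01": "2022.1.5",
    "mft-02": "2022.1.4",
    "mft-03": "2023.0.0",
    "mft-04": "2020.1.6",
    "mft-05": "unknown-build",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Hosts in the `vulnerable` and `no-fix-listed` buckets need the upgrade or the interim port-blocking mitigation, and, given the zero-day exploitation, the IR checks from the previous section regardless of which bucket they land in.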
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.