{"id":9079,"date":"2023-08-15T10:30:39","date_gmt":"2023-08-15T07:30:39","guid":{"rendered":"https:\/\/oberig-it.com\/?p=9079"},"modified":"2023-08-15T10:35:50","modified_gmt":"2023-08-15T07:35:50","slug":"new-moveit-vulnerability-what-to-do-now-to-protect-your-organization","status":"publish","type":"post","link":"https:\/\/oberig-it.com\/en\/articles\/new-moveit-vulnerability-what-to-do-now-to-protect-your-organization\/","title":{"rendered":"New MOVEit Vulnerability: What to Do NOW to Protect Your Organization"},"content":{"rendered":"

Overview<\/strong>
\nOn May 31, 2023 Progress Software disclosed a SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. Progress emphasized to its customers that it is extremely important to take immediate action.<\/p>\n

Affected versions<\/strong>
\nMOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)<\/p>\n

Details<\/strong>
\nThe SQL injection vulnerability found in the MOVEit Transfer web application allows an unauthenticated attacker to gain access to MOVEit Transfer\u2019s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. The vendor added that this is exploited in the wild in May and June 2023. Exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.<\/p>\n

The CVSS Base score for this vulnerability is 9.8 and the vector is below:<\/p>\n

\"\"<\/p>\n

The above CVSS vector indicates that it\u2019s a remotely exploitable network vulnerability. The access complexity is low meaning that an attacker can expect repeatable success when attacking the vulnerable component. There are no special privileges required and therefore an unauthorized attacker without any special access can successfully exploit this issue. The vulnerable system can be exploited without interaction from any user. No one needs to click on open any file or perform any other action. The vulnerability is wormable. And lastly, there is a complete compromise of confidentiality, integrity, and availability of the impacted system.<\/p>\n

On June 2, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEVs) Catalog<\/span><\/a><\/p>\n

On June 7, The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory<\/span><\/a> to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations. According to the report beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability which was later disclosed by the vendor on May 31.<\/p>\n

Fidelis Cybersecurity Response<\/strong>
\nFidelis Cybersecurity has released detection for various indicators of compromise and indicators of attacks. Customers should patch immediately or deny HTTP\/HTTPs traffic to the MOVEit transfer environment. Customers should review Fidelis alerts and act accordingly to delete any instances of human2.aspx and delete all APP_WEB_[random].dll files. Fidelis\u2019 threat research team is continually tracking this and other emerging and evolving threats to ensure our customers are protected against the latest threats.<\/p>\n

Customers should also review various remediation instructions from the vendor<\/span><\/a> and the CISA<\/span><\/a> advisory. If you are unable to follow the recommended mitigation steps then taking the below security steps to help reduce risk to your MOVEit Transfer environment from unauthorized access. Please see here for MOVEit Security Best Practices<\/span><\/a>.<\/p>\n