Opening a concerning new chapter in the MOVEit saga, a third flaw has been discovered: CVE-2023-35708, an SQL injection vulnerability with a potential privilege escalation path. MOVEit urges clients to turn off all HTTP and HTTPS traffic on ports 80 and 443 to MOVEit Transfer to safeguard the environment. Theoretically, a threat actor could submit a crafted payload to a MOVEit Transfer application endpoint that would modify and disclose MOVEit database content. The vulnerability affects MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Two other vulnerabilities were discovered last week: CVE-2023-35036 and CVE-2023-34362. CVE-2023-35036, disclosed on June 9, 2023, is another SQL injection that can be used to access the application's database content. The bright(ish) news is that this second vulnerability has not been exploited in the wild. The same cannot be said about CVE-2023-34362, the 0-day that started it all: it has been present since at least July 2021 but remained undisclosed until May 31st.
Cl0p, a known ransomware group, has broadcast its use of the 0-day to attack over 27 organizations and counting, including the US Department of Energy. Unfortunately, according to Censys, a web-based search platform, close to 31% of the more than 1,400 exposed hosts running MOVEit are in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military sectors, while almost 80% of the servers are in the U.S.
Progress Software has released an update to address the third vulnerability affecting its MOVEit Transfer application; the fixed releases are 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
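To turn that release list into something an operations team can run over its inventory, here is an added example (not from the original post and not Progress Software's own tooling) that classifies a MOVEit Transfer version string as patched, vulnerable, or unknown against the fixed builds named above. The accepted version-string formats ('14.1.5', '2022.1.5', or '2022.1.5 (14.1.5)') and the year-to-internal-number mapping are assumptions derived from the paired version numbers in the post; the host inventory is constructed for illustration.

```python
"""Classify MOVEit Transfer version strings against the fixed builds
listed for CVE-2023-35708 (added example; formats and hosts are assumed)."""
import re

# First fixed build per release branch, keyed by the internal (major, minor)
# number. Taken from the release list in the post; anything below is vulnerable.
FIXED_BUILDS = {
    (12, 1): (12, 1, 10),  # 2020.1.10
    (13, 0): (13, 0, 8),   # 2021.0.8
    (13, 1): (13, 1, 6),   # 2021.1.6
    (14, 0): (14, 0, 6),   # 2022.0.6
    (14, 1): (14, 1, 7),   # 2022.1.7
    (15, 0): (15, 0, 3),   # 2023.0.3
}

# Year-style product name -> internal major number, derived from the
# "2022.1.7 (14.1.7)" style pairs in the post (assumed to hold generally).
YEAR_TO_MAJOR = {2020: 12, 2021: 13, 2022: 14, 2023: 15}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as internal numbers.

    Accepts '14.1.5', '2022.1.5' or '2022.1.5 (14.1.5)' (assumed formats);
    when both forms are present the parenthesised internal number wins.
    """
    m = re.search(r"\((\d+)\.(\d+)\.(\d+)\)", text) or _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    major = YEAR_TO_MAJOR.get(major, major)  # map 2022 -> 14, leave 14 as 14
    return major, minor, patch


def assess(text):
    """Classify one version string: 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # Branch not in the advisory list (e.g. end-of-life): do not assume safe.
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map host -> status for a {host: version_string} inventory and return
    the sorted list of hosts that still need attention (not 'patched')."""
    status = {host: assess(ver) for host, ver in inventory.items()}
    needs_patch = sorted(h for h, s in status.items() if s != "patched")
    return status, needs_patch


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are placeholders.
    sample = {
        "mft-01.example.test": "2022.1.7 (14.1.7)",
        "mft-02.example.test": "14.1.5",
        "mft-03.example.test": "2023.0.2",
        "mft-legacy.example.test": "13.2.1",
    }
    status, todo = triage(sample)
    for host, result in status.items():
        print(f"{host:25} {sample[host]:20} {result}")
    print("needs attention:", ", ".join(todo))
```

A branch that is not in the list (the 13.2.1 placeholder above) is reported as unknown rather than patched, so an unsupported or mistyped version never silently passes; feed the output into whatever ticketing or patch-management process you already use rather than treating "patched" as the end of the check.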
Threat actors will not wait until your organization is fully patched. Most show no mercy: a single entry point is enough for them to weasel their way in.
We recommend installing the available patches on all systems running a vulnerable MOVEit version. With Cl0p working through its list of possible targets, this is no time to gamble with that risk.