
CVE-2023-34362 - Zero-Day Vulnerability Discovered in MOVEit Transfer is Exploited in the Wild by Cl0p Ransomware — Here’s What You Need to Know

Salt Labs
Jun 14, 2023

On May 29, 2023, a critical security vulnerability, identified as CVE-2023-34362, was published, leaving users of MOVEit Transfer software at high risk.

According to Progress, organizations have reported possible exploitation in the wild. It is therefore crucial that any business using MOVEit Transfer take immediate action, especially since all versions of this popular file transfer software are affected by this vulnerability.

This blog post covers the details of this vulnerability, discusses its implications, and provides recommendations for users to mitigate the risk.

Overview

MOVEit Transfer, a Windows-based managed file transfer service, can be used either on the cloud or installed on-premises.

A SQL injection vulnerability was found in an API of the MOVEit web application. It enables attackers to exfiltrate data and, in some cases, to execute commands on the server, from which they can potentially reach other areas of the network and move laterally.
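
The root cause described above is the classic one: untrusted request data spliced into SQL text. The following is an added illustration, not code from the post or from Progress/MOVEit (which is a .NET application; this Python stand-in uses sqlite3 and a constructed `users` table). It puts the string-concatenated query beside its parameterized form so the difference in behaviour on hostile input is visible, and adds an allow-list check as a second layer. The table schema, the `USERNAME_RE` pattern and the function names are assumptions for the example.

```python
import re
import sqlite3

# Assumed allow-list for the example: usernames are short and drawn from a narrow charset.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

def build_db():
    """Constructed in-memory user table standing in for a file-transfer app's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", 0),
        ("bob", "bob@example.test", 0),
        ("svc_admin", "admin@example.test", 1),
    ])
    return conn

def lookup_user_vulnerable(conn, username):
    """Untrusted input spliced into the statement text: the SQL injection pattern."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_user_parameterized(conn, username):
    """Placeholder binding: the driver sends the value separately from the SQL text,
    so whatever the string contains is compared as data, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def lookup_user_hardened(conn, username):
    """Defence in depth: reject input outside the expected shape before it reaches
    the database, then run the parameterized query."""
    if not USERNAME_RE.match(username):
        raise ValueError("username has unexpected characters")
    return lookup_user_parameterized(conn, username)

if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # textbook tautology input, used here only to show the contrast
    print("vulnerable:   ", lookup_user_vulnerable(db, probe))     # every row comes back
    print("parameterized:", lookup_user_parameterized(db, probe))  # no row matches
    try:
        lookup_user_hardened(db, probe)
    except ValueError as exc:
        print("hardened:      rejected:", exc)
```

The parameterized query alone closes the injection; the allow-list check is there so that malformed input is rejected and logged at the API boundary, which is also where a detection rule can count such rejections per client.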

The recently discovered vulnerability in MOVEit Transfer poses a serious threat to organizations utilizing this file transfer service. Attackers have reportedly been able to exploit this vulnerability since March 2023.

There have been reports that on May 27 the CL0P ransomware gang exploited this vulnerability. Through it, the group uploaded a web shell named LEMURLOOT, which gave them access to the underlying MOVEit database and let them execute arbitrary code remotely, compromising the integrity, confidentiality, and availability of the system.

According to CISA (the Cybersecurity and Infrastructure Security Agency), the CL0P group has been known since 2019, when it launched a large-scale spear-phishing campaign. Its tactic is to use ransomware to steal and encrypt victim data, refuse to restore access until fully paid, and even publish exfiltrated data on TOR and other public media. This tactic of exfiltrating a victim's sensitive data in addition to encrypting it is also known as “double extortion.”

The group typically targets sizable corporations, specifically those operating in the financial, healthcare, manufacturing, and media sectors. They have been observed to set their sights on small and medium-sized enterprises as well.

Given the speed and ease of the current MOVEit exploitation, and based on the group’s past campaigns, the FBI and CISA expect to see a large-scale exploitation of this service.

Given the severity of this vulnerability, MOVEit users must patch their installations as soon as possible. Until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorized access.

This recent incident serves as a reminder that critical vulnerabilities can occur, and traditional security measures are not always sufficient. While network monitoring can assist in detecting data exfiltration, threat actors may employ techniques to bypass detection. A WAF (web application firewall) should in theory detect SQLi attacks, but these devices have their limitations, including an inability to detect low-and-slow attacks on APIs. Plenty of publicly disclosed breaches have involved attackers bypassing WAFs.

Therefore, adopting a multi-layered security approach is essential. It should include proactive measures such as secure coding practices, together with continuous monitoring for suspicious activity using techniques like behavioral analytics, anomaly detection, and machine learning, which are especially valuable for detecting API abuse and attacks.
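
To make the "low-and-slow" point concrete, here is an added example (not code from the post or from Salt Security's platform) that runs a plain request-rate rule and a simple behavioral baseline over constructed API download logs. The log format, the `/api/v1/files/<id>/download` path, the session ids and the "three times the largest baseline value" rule are all assumptions made for the example; the point it shows is that a session issuing fewer than one request per minute never trips a rate threshold, while its distinct-file count and byte volume stand far outside what ordinary sessions do.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All log lines below are constructed for this example; they are not real MOVEit
# logs. Format: "<iso-timestamp> <session-id> <method> <path> <bytes-returned>".
def make_session(session, start, n_requests, interval_s, distinct_files, bytes_each):
    """Build n_requests download records spaced interval_s seconds apart, cycling
    through distinct_files different file ids."""
    return [
        f"{(start + timedelta(seconds=i * interval_s)).isoformat()} {session} GET "
        f"/api/v1/files/f{i % distinct_files}/download {bytes_each}"
        for i in range(n_requests)
    ]

T0 = datetime(2023, 6, 1, 9, 0, 0)
# Baseline period: three ordinary interactive sessions.
BASELINE_LOG = (make_session("sess-1", T0, 6, 300, 6, 2_000_000)
                + make_session("sess-2", T0, 4, 600, 4, 5_000_000)
                + make_session("sess-3", T0, 8, 200, 5, 1_000_000))
# Observation period: one ordinary session plus a low-and-slow session that pulls
# 60 distinct files, one every 90 seconds, never exceeding one request per minute.
OBSERVED_LOG = (make_session("sess-4", T0, 5, 400, 5, 3_000_000)
                + make_session("sess-9", T0, 60, 90, 60, 2_000_000))

def parse(lines):
    events = []
    for line in lines:
        ts, session, method, path, size = line.split()
        events.append((datetime.fromisoformat(ts), session, method, path, int(size)))
    return events

def per_session_metrics(events):
    """Aggregate each session into distinct files touched, bytes moved and mean
    request rate per minute over the session's active span."""
    files, total, count = defaultdict(set), defaultdict(int), defaultdict(int)
    first, last = {}, {}
    for ts, session, _method, path, size in events:
        files[session].add(path)
        total[session] += size
        count[session] += 1
        first[session] = min(first.get(session, ts), ts)
        last[session] = max(last.get(session, ts), ts)
    metrics = {}
    for s in files:
        minutes = max((last[s] - first[s]).total_seconds() / 60, 1)
        metrics[s] = {"distinct_files": len(files[s]), "bytes": total[s],
                      "avg_rpm": count[s] / minutes}
    return metrics

def rate_alerts(metrics, max_rpm=10):
    """A pure request-rate rule, like a WAF rate limit; blind to slow exfiltration."""
    return sorted(s for s, m in metrics.items() if m["avg_rpm"] > max_rpm)

def learn_baseline(metrics, factor=3.0):
    """Crude per-metric baseline: factor times the largest value seen during the
    baseline period. A real system would use per-user history and robust statistics."""
    return {k: factor * max(m[k] for m in metrics.values())
            for k in ("distinct_files", "bytes")}

def behavioral_alerts(metrics, baseline):
    """Flag sessions whose volume metrics exceed the learned baseline, regardless of rate."""
    return {s: [k for k in baseline if m[k] > baseline[k]]
            for s, m in metrics.items() if any(m[k] > baseline[k] for k in baseline)}

if __name__ == "__main__":
    baseline = learn_baseline(per_session_metrics(parse(BASELINE_LOG)))
    observed = per_session_metrics(parse(OBSERVED_LOG))
    print("rate rule:  ", rate_alerts(observed))               # nothing fires
    print("behavioral: ", behavioral_alerts(observed, baseline))  # sess-9 on both metrics
```

The baseline here is deliberately naive; what matters is the shape of the check: per-session (or per-user) volume and breadth compared against learned normal behaviour, rather than a request counter that a patient attacker stays under by design.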

The Salt Security API Protection Platform applies cloud-scale big data, ML, and AI to enable organizations to catalog their APIs, see where they expose sensitive data, detect and block API attackers, and provide remediation insights that developers can use to improve API security posture over time. The platform’s ability to baseline user and API behavior over time enables it to identify the malicious behaviors of bad actors performing reconnaissance to learn a company’s APIs, attempting account takeovers, or abusing APIs to exfiltrate data.

Recommended Actions for Users

To ensure the security of your MOVEit installation, take the following actions:

  1. Disable HTTP/HTTPS access: Until the patch is installed, disable HTTP/HTTPS access to the MOVEit servers to prevent potential unauthorized access by threat actors.
  2. Conduct a thorough review: Perform a comprehensive review of your MOVEit server, paying particular attention to the "C:\MOVEit Transfer\wwwroot" directory for any suspicious files or web shells. You should also search your system for a file called "human2.aspx".
  3. Apply the patch: Monitor official communications from MOVEit for the release of a security patch addressing the vulnerability. Apply the patch promptly to safeguard your system.
  4. Read more in the official Progress post: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023. This article covers more recommended remediation steps.
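
As an added aid for step 2 (this script is not from the post, from Progress, or from Salt Security), the following Python walks a web root and reports three kinds of finding: a file carrying the web shell name the advisories cite (human2.aspx), any ASP.NET script or DLL whose path is absent from a known-good manifest or whose hash differs from it, and any file modified after a cutoff date. The manifest of known-good SHA-256 hashes is assumed to have been captured from a clean installation of the same version; the extension list, the cutoff date and the function names are assumptions for the example. Run it on a copy of the directory where possible so that forensic timestamps on the live server are not disturbed.

```python
import hashlib
import sys
from datetime import datetime, timezone
from pathlib import Path

# Name cited in the public advisories referenced in this post.
KNOWN_WEBSHELL_NAMES = {"human2.aspx"}
# Assumed set of server-side script types worth comparing against a clean manifest.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll"}

def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def review_webroot(webroot, baseline_hashes, modified_since):
    """Return sorted (relative_path, reason) findings for files under webroot.

    baseline_hashes maps a POSIX-style relative path to the SHA-256 hex digest of the
    same file on a known-good install. modified_since is a timezone-aware datetime;
    anything touched at or after it is reported for manual inspection."""
    findings = []
    root = Path(webroot)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in KNOWN_WEBSHELL_NAMES:
            findings.append((rel, "known_webshell_name"))
        if path.suffix.lower() in SCRIPT_EXTENSIONS:
            expected = baseline_hashes.get(rel)
            if expected is None:
                findings.append((rel, "script_not_in_baseline"))
            elif expected != sha256_of(path):
                findings.append((rel, "script_modified_from_baseline"))
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime >= modified_since:
            findings.append((rel, "modified_since_cutoff"))
    return sorted(findings)

def load_manifest(manifest_path):
    """Manifest format assumed here: one '<sha256>  <relative/path>' per line."""
    baseline = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                digest, rel = line.split(None, 1)
                baseline[rel] = digest
    return baseline

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: review_webroot.py <webroot> <manifest> <cutoff YYYY-MM-DD>")
    cutoff = datetime.fromisoformat(sys.argv[3]).replace(tzinfo=timezone.utc)
    for rel, reason in review_webroot(sys.argv[1], load_manifest(sys.argv[2]), cutoff):
        print(f"{reason:32} {rel}")
```

A hit on any of the three reasons is a lead, not a verdict: a script outside the manifest may be a legitimate customization, so confirm against change records before treating the host as compromised, and preserve the file and its timestamps for incident response rather than deleting it.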

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.
