
Warning: Critical actively exploited Unauthenticated Remote Code Execution 0-Day Vulnerability affects MOVEit Transfer, Patch and verify your systems asap!

Reference: 
Advisory #2023-65
Version: 
1.3
Affected software: 
MOVEit Transfer
Type: 
Unauthenticated Remote Code Execution
CVE/CVSS: 

CVE-2023-34362 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-35708 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-36934 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Sources

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023

Risks

Progress published a security advisory for a 0-day vulnerability that is actively exploited in the wild. The manufacturer recommends taking immediate action to avoid a compromise. Any organization using MOVEit Transfer should forensically examine vulnerable systems to verify whether they were compromised and whether data was exfiltrated.

All MOVEit Transfer versions are affected by this vulnerability!

Managed file transfer platforms are very lucrative for ransomware operators and are often leveraged to gain initial access for a double extortion campaign (encryption + data exfiltration). Mass exploitation and broad data theft have occurred over the past few days.

Mandiant is currently investigating several intrusions related to the exploitation of the MOVEit managed file transfer zero-day vulnerability.

The vulnerability has a high impact on all three components of the CIA triad (Confidentiality, Integrity, Availability).

Description

Successful exploitation of the 0-day vulnerability could allow an unauthenticated attacker to perform SQL injection against the database of an affected MOVEit Transfer appliance. This access could be used for data exfiltration and/or data manipulation.

SQL injection allows a threat actor to manipulate the MOVEit Transfer database and perform a variety of actions, including data manipulation and/or the creation of user accounts that give a foothold on the compromised system which survives patching.

It is crucial to investigate if your system was compromised before applying the patch!

Recommended actions

The Centre for Cyber security Belgium strongly recommends that system administrators follow the guidelines from Progress and implement them as soon as possible.

The Centre for Cyber security Belgium strongly recommends that system administrators check their MOVEit Transfer appliances for a possible compromise and verify that the appliance is running the latest software version.

Progress provided a detailed guide with recommendations, additional security best practices and indicators of compromise: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

References

https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
https://www.zerodayinitiative.com/advisories/ZDI-23-897/