Last updated at Thu, 10 Aug 2023 20:59:08 GMT
The following article was written by Drew Burton and Cynthia Wyre.
Rapid7 continues to track the impact of CVE-2023-34362, a critical zero-day vulnerability in Progress Software’s MOVEit Transfer solution. CVE-2023-34362 allows for SQL injection, which can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.
Rapid7 is not currently seeing evidence that commodity or low-skill attackers are exploiting the vulnerability. However, the exploitation of available high-value targets globally across a wide range of org sizes, verticals, and geo-locations indicates that this is a widespread threat. We expect to see a longer list of victims come out as time goes on.
We’ve put together a timeline of events to date for your reference.
May 27-28: Rapid7 services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).
May 31: Progress Software publishes an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.
May 31: Rapid7 begins investigating exploitation of MOVEit Transfer.
June 1: Rapid7 publishes initial analysis of MOVEit Transfer attacks after responding to incidents across multiple customer environments.
June 1: Compromises continue; Rapid7 responds to alerts.
June 1: CISA publishes Security Advisory.
June 2: CVE-2023-34362 is assigned to the zero-day vulnerability.
June 2: Mandiant attributes the attack to a threat cluster with unknown motives.
June 2: Velociraptor releases an artifact to detect exploitation of MOVEit File Transfer critical vulnerability.
June 4: Rapid7 publishes a method to identify which data was stolen.
June 4: Nova Scotian government discloses it is investigating privacy breach.
June 5: Microsoft attributes the attack to Lace Tempest, a Cl0p ransomware affiliate that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).
June 5: UK companies BA, BBC, and Boots disclose breaches as victims in MOVEit File Transfer.
June 5: Cl0p ransomware group claims responsibility for the zero-day attack.
June 6: Security firm Huntress releases a video allegedly reproducing the exploit chain.
June 6: The Cl0p ransomware group posts a communication on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.
June 7: CISA publishes #StopRansomware Cybersecurity Advisory regarding MOVEit File Transfer Vulnerability CVE-2023-34362.
June 9: Progress Software updates advisory to include a patch for a second MOVEit Transfer Vulnerability, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned CVE-2023-35036.
June 12: Rapid7 releases a full exploit chain for MOVEit Transfer Vulnerability CVE-2023-34362.
June 15: Progress discovers a new vulnerability, CVE-2023-35708, and publishes advisory.
July 6: Progress discloses three additional CVEs in MOVEit Transfer. CVE-2023-36934 is a critical, unauthenticated SQL injection vulnerability. CVE-2023-36932 is a high-severity SQL injection vulnerability that could allow authenticated attackers to gain access to the MOVEit Transfer database. CVE-2023-36933 is an exception handling issue that could allow an attacker to crash the application. Mitigation directions and latest versions are in Progress Software's advisory here.
All MOVEit Transfer versions before May 31, 2023 are vulnerable to CVE-2023-34362, and all MOVEit Transfer versions before June 9, 2023 are vulnerable to CVE-2023-35036. As noted above, fixed versions of the software are available, and patches should be applied on an emergency basis.
Patches are available via Progress Software’s CVE-2023-34362 advisory. Additionally, because CVE-2023-34362 is a zero-day vulnerability, Progress Software is advising MOVEit Transfer and MOVEit Cloud customers to check for indicators of unauthorized access over "at least the past 30 days."
According to the company’s status page, Progress also took the following steps aimed at increasing security monitoring and defending against further exploitation or attack:
- Developed specific monitoring signatures on Progress’ endpoint protection system.
- Validated that the newly developed patch corrected the vulnerability.
- Tested detection rules before finalizing to ensure that notifications are working properly.
- Engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident.
As noted in the timeline above, Rapid7 has added capabilities across our portfolio that can help users identify and resolve risk from CVE-2023-34362. We have also identified a method to identify exfiltrated data from compromised MOVEit customer environments.
To learn more, check out: Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability