CVE-2023-34362 describes a SQL injection vulnerability in the Progress Software MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. MOVEit supports database engines such as MySQL, Microsoft SQL Server, and Azure SQL. The vulnerability affects the following versions: MOVEit Transfer 2023.0.0, MOVEit Transfer 2022.1.x, MOVEit Transfer 2022.0.x, MOVEit Transfer 2021.1.x, MOVEit Transfer 2021.0.x, MOVEit Transfer 2020.1.x, and MOVEit Transfer 2020.0.x.
NIST has assigned the vulnerability a CVSS (Common Vulnerability Scoring System) score of 9.8/10.
The CLOP ransomware group is known to exploit public-facing applications and run large-scale phishing campaigns. The group exploited the SQL injection zero-day by dropping a web shell named LEMURLOOT on MOVEit Transfer web applications in May 2023. Once installed, the web shell is capable of:
- Retrieving Microsoft Azure system settings and enumerating the underlying SQL database.
- Storing a string sent by the operator and then retrieving a file whose name matches that string from the MOVEit Transfer system.
- Creating a new administrator-privileged account with a randomly generated username and with LoginName and RealName values set to “Health Check Service.”
- Deleting an account whose LoginName and RealName values are set to “Health Check Service.”
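A defender-side check for the account indicators listed above, written as an added example that is not part of the original post or of MOVEit Transfer itself. It runs the lookup against a constructed in-memory SQLite copy of a users table, so the table name, the Permission and CreateStamp columns and the May 2023 triage window are assumptions; only the LoginName and RealName fields and the “Health Check Service” value come from the text.

```python
import sqlite3
from datetime import date

# Constructed stand-in for the MOVEit Transfer users table (assumption: the
# real table has more columns; only LoginName and RealName come from the text).
SCHEMA = """CREATE TABLE users (
    Username TEXT, LoginName TEXT, RealName TEXT,
    Permission INTEGER,   -- assumed: non-zero marks an administrator
    CreateStamp TEXT      -- assumed: ISO date the account was created
)"""

# Constructed sample rows: a long-standing admin, a normal user, an account
# shaped like the LEMURLOOT-created one, and a newer admin with a random name.
SAMPLE_ROWS = [
    ("jsmith",   "jsmith",               "Jane Smith",            30, "2021-03-02"),
    ("bjones",   "bjones",               "Bob Jones",              0, "2022-11-14"),
    ("8f2c1a9e", "Health Check Service", "Health Check Service ", 30, "2023-05-29"),
    ("k3x9qz2m", "k3x9qz2m",             "k3x9qz2m",              30, "2023-06-02"),
]

INDICATOR = "health check service"   # name value used by LEMURLOOT
CAMPAIGN_START = date(2023, 5, 1)    # assumed start of the triage window


def load_sample_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_suspicious_accounts(conn):
    """Return (username, reason) pairs for accounts that need triage."""
    findings = []
    query = ("SELECT Username, LoginName, RealName, Permission, CreateStamp "
             "FROM users ORDER BY rowid")
    for username, login, real, perm, created in conn.execute(query):
        # Normalise case and whitespace so a padded or re-cased name still matches.
        names = {(login or "").strip().lower(), (real or "").strip().lower()}
        if INDICATOR in names:
            findings.append((username, "LoginName/RealName matches LEMURLOOT indicator"))
        elif perm and date.fromisoformat(created) >= CAMPAIGN_START:
            findings.append((username, "admin account created during campaign window"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_accounts(load_sample_db()):
        print(f"{user}: {reason}")
```

Against a real deployment the same two rules would be run over an export of the production users table, and every hit on the second rule still needs a human to confirm who created the account.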
MOVEit has 3.5 million users and is most widely used by the healthcare sector. According to an article by StateScoop, CLOP has disclosed that it has used MOVEit to breach hundreds of companies since May 31st of this year. The Minnesota Department of Education announced on Friday, June 9th that it had suffered a data breach affecting 95,000 students’ personal information through 24 files that were accessed via the vulnerability. Since then, multiple other organizations, including US government agencies and Johns Hopkins University and Health System, have reported data breaches resulting from the zero-day vulnerability.
CISA has published a list of IOCs for the MOVEit and GoAnywhere campaigns, including email addresses, malicious domains, and IP addresses. Recommended mitigations include but are not limited to:
- Patching vulnerabilities with the latest known-safe updates
- Auditing remote access tools and keeping operating systems, software, and firmware up to date
- Implementing MFA
- Segmenting networks to limit the spread of ransomware
- Disabling unused ports
- Implementing third-party continuous monitoring of the traffic traversing your network
- Investigating suspicious network activity
SecuLore™ OverWatch provides continuous network monitoring through our patented Paladin™ technology to detect vulnerabilities in your network and anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
Contact SecuLore for more information to get started with a monitoring option to detect malicious traffic attempting to exploit vulnerabilities on your network.
SecuLore Support Team