Tenable Blog

CVE-2023-34362: MOVEit Transfer Critical Zero-Day Vulnerability Exploited in the Wild

CVE-2023-34362, a critical zero-day vulnerability in MOVEit Transfer, has been exploited in the wild.

The discovery of a new zero-day vulnerability in MOVEit Transfer makes it the second zero-day disclosed in a managed file transfer solution in 2023, with reports suggesting that threat actors have stolen data from a number of organizations.

Update June 15: The Tenable Security Response Team is aware of an additional SQL injection vulnerability in Progress MOVEit Transfer. At this time, there is no patch available. Please refer to Progress Software's latest advisory for more information. We will provide an update once more information becomes available.


Background

On May 31, Progress Software Corporation (“Progress Software”) published an advisory for a “critical” vulnerability in MOVEit Transfer, a secure managed file transfer (MFT) software used by a variety of organizations. Following the publication of its advisory, reports emerged that the flaw had been exploited in the wild as a zero-day.

| CVE | Description | CVSSv3 | VPR* |
| --- | --- | --- | --- |
| CVE-2023-34362 | Progress MOVEit Transfer SQL Injection Vulnerability | 9.8 | 9.2 |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was updated on June 9 and reflects VPR at that time.

On June 9, Progress Software published a new advisory for additional SQL injection vulnerabilities that were discovered as part of a security audit conducted after the discovery of CVE-2023-34362.

| CVE | Description | CVSSv3 | VPR* |
| --- | --- | --- | --- |
| CVE-2023-35036 | Progress MOVEit Transfer SQL Injection Vulnerabilities | N/A | N/A |

Analysis

CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance. Successful exploitation would give an attacker access to the underlying MOVEit Transfer instance. Additionally, Progress Software notes that an attacker “may be able to infer information about the structure and contents of the database” depending upon the specific database engine in use (such as MySQL, Microsoft SQL Server, or Azure SQL).

In addition to the on-prem version of MOVEit Transfer, Progress Software confirmed in a statement to BleepingComputer that MOVEit cloud was also impacted, adding that it “took immediate action, including bringing down MOVEit Cloud, to ensure the safety of our customers, while we reviewed the severity of the situation.”

Critical MOVEit vulnerability has been exploited in the wild as a zero-day

While Progress Software has not explicitly referred to it as a zero-day, BleepingComputer reports that it has learned that “threat actors have been exploiting” the flaw as a zero-day to “perform mass downloading of data from organizations.” At the time this blog post was published, we were unaware of any specific threat actor responsible for the attacks. However, since publication, the Clop ransomware group has claimed responsibility for the attacks.

Clop claims it downloaded “lots of data” and U.S. agencies issued cybersecurity advisory

Image Source: Tenable, June 2023

In a notice on its data leak site, Clop states they were able to “download alot of” data using the “exceptional exploit,” adding that they are the “only one who perform (sic) such attack (sic).” Instead of contacting or naming the victims beforehand, Clop has instructed potentially affected companies to “call” them before their “company name is publish (sic) here.” The group plans to publish the names of victim organizations on June 14.

The note also includes a message to specific entities, such as governments, cities or police services, claiming the group “erased all” data associated with these entities, adding that they have “no interest to expose such information.”

Image Source: Tenable, June 2023

Additionally, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) published a joint cybersecurity advisory (CSA) on June 7 about the Clop ransomware group. In it, both agencies confirmed the attribution of the MOVEit attacks to the Clop ransomware group. Additionally, the CSA includes details about the tactics, techniques, and procedures (TTPs) associated with the Clop ransomware group.

At least 2,500 MOVEit Transfer potentially vulnerable instances publicly accessible

Based on a query published by Shodan itself, there were 2,526 potentially vulnerable MOVEit Transfer instances publicly accessible as of June 2, 2023, with nearly three-quarters located in the United States (73.4%), followed by the United Kingdom at 5% and Germany at 4.6%.

Image Source: Tenable, June 2023

Second MFT zero-day vulnerability discovered in 2023

The discovery of CVE-2023-34362 in MOVEit marks the second time in 2023 that a zero-day in an MFT solution has been exploited. In February, Fortra (formerly HelpSystems) disclosed a pre-authentication command injection zero-day vulnerability in its GoAnywhere MFT solution to customers in a technical bulletin, as shared by journalist Brian Krebs. The flaw, identified as CVE-2023-0669, was used to access GoAnywhere customers’ systems between January 28 and January 30, as Fortra confirmed in its summary investigation. The Clop ransomware group took credit for the attacks, claiming it had stolen data from “over 130 organizations.” Additionally, the BlackCat/ALPHV ransomware group was also observed exploiting CVE-2023-0669.

File transfer applications are a boon for data theft and extortion

Preceding the discovery of CVE-2023-0669, the Clop ransomware group was linked to a number of attacks stemming from four flaws in Accellion’s File Transfer Appliance (FTA), an end-of-life solution that was exploited in mid-to-late December 2020.

File transfer solutions are uniquely positioned as a valuable target for cybercriminals, particularly ransomware groups. The rise in ransomware attacks over the last five years is largely attributed to the adoption of double extortion, a technique that combines data encryption with data theft and the threat of publishing the stolen data on data leak sites. More recently, new groups have emerged that forego data encryption altogether, and some existing groups have pivoted away from it, opting to focus on data theft alone.

The compromise of MFT solutions by threat actors creates a snowball effect: in the coming days and weeks, we’ll likely learn which organizations were impacted by this flaw, either through ransomware data leak sites or through breach disclosures from affected organizations.

MOVEit Transfer customers should assume compromise; initiate incident response

Because this vulnerability was exploited as a zero-day, MOVEit Transfer customers should treat their deployments as suspected compromises and start the incident response (IR) process. The advisory from Progress Software includes a list of indicators of compromise (IOCs), including a webshell named “human2.aspx” and a companion file “human2.aspx.lnk”, along with a list of command and control traffic signals that can be used as part of an IR investigation.

For additional technical analysis, please refer to several blog posts that have been published [1, 2, 3] since the advisory was released. Additionally, our partners at GreyNoise have recommended reviewing systems for IOCs dating back to at least 90 days prior to the public disclosure of this flaw.
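As an added example (not code from the original post or from Progress Software), the following script shows how a responder might operationalize the two defensive points above: hunting for the file-name IOCs named in the advisory under the MOVEit Transfer web root, and reviewing IIS access logs for requests to the webshell path across GreyNoise's suggested 90-day window before the May 31 disclosure. The IIS W3C log layout, the sample log lines and the directory layout are all constructed for the example; the script reads the `#Fields:` header rather than assuming column positions, so it tolerates whatever field order the server was configured to log.

```python
import hashlib
import os
import tempfile
from datetime import date, datetime, timedelta

# File-name indicators of compromise named in the Progress Software advisory
# (quoted above); matched case-insensitively.
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}

# Public disclosure date of CVE-2023-34362 and the 90-day lookback GreyNoise recommends.
DISCLOSURE_DATE = date(2023, 5, 31)
LOOKBACK_START = DISCLOSURE_DATE - timedelta(days=90)  # 2023-03-02


def sha256_file(path):
    """Hash a file in chunks so that large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(root):
    """Walk a directory tree and return (path, sha256) for every IOC-named file found."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in WEBSHELL_NAMES:
                path = os.path.join(dirpath, name)
                hits.append((path, sha256_file(path)))
    return sorted(hits)


def scan_iis_log(lines):
    """Return (date, client ip, method, uri, status) for requests to the webshell
    path dated on or after LOOKBACK_START.

    Column positions come from the IIS W3C '#Fields:' header (assumed format),
    so the function is not tied to one logging configuration.
    """
    columns = None
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not line.strip() or columns is None:
            continue
        fields = line.split()
        if len(fields) != len(columns):
            continue  # truncated or malformed line: skip rather than misalign columns
        row = dict(zip(columns, fields))
        day = datetime.strptime(row["date"], "%Y-%m-%d").date()
        uri = row["cs-uri-stem"]
        if day >= LOOKBACK_START and os.path.basename(uri).lower() == "human2.aspx":
            hits.append((row["date"], row["c-ip"], row["cs-method"], uri, row["sc-status"]))
    return hits


# Constructed sample IIS log (not real traffic). The 2023-02-01 request falls
# before the lookback window and is therefore not reported.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 03:14:07 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 118
2023-05-28 03:14:09 10.0.0.5 GET /index.html - 443 - 203.0.113.8 Mozilla/5.0 - 200 0 0 30
2023-02-01 11:00:00 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 404 0 0 5
""".splitlines()


def demo_webroot_scan():
    """Build a throwaway directory of constructed files, scan it and return the IOC hits."""
    with tempfile.TemporaryDirectory() as root:
        wwwroot = os.path.join(root, "MOVEitTransfer", "wwwroot")  # hypothetical layout
        os.makedirs(wwwroot)
        for name in ("index.html", "human2.aspx", "human2.aspx.lnk"):
            with open(os.path.join(wwwroot, name), "w") as fh:
                fh.write("constructed placeholder content\n")
        return [(os.path.relpath(p, root), h) for p, h in scan_webroot(root)]


if __name__ == "__main__":
    for path, digest in demo_webroot_scan():
        print(f"IOC file: {path} sha256={digest}")
    for hit in scan_iis_log(SAMPLE_LOG):
        print("IOC request:", hit)
```

On a real host, point `scan_webroot` at the MOVEit Transfer installation directory and feed `scan_iis_log` the server's W3C log files; a hit is a starting point for the IR process, not proof of compromise on its own, and the file hashes are there so findings can be preserved and compared.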

Proof of concept

At the time this blog post was published, there was no proof-of-concept (PoC) exploit for CVE-2023-34362.

Solution

Progress Software has released the following fixed versions of MOVEit Transfer on-prem for CVE-2023-34362:

Fixed MOVEit Transfer Version for CVE-2023-34362
2021.0.6
2021.1.4
2022.0.4
2022.1.5
2023.0.1

If upgrading to a fixed version is not feasible at this time, Progress Software recommends disabling HTTP (port 80) and HTTPS traffic (port 443) to MOVEit Transfer in the interim in order to prevent exploitation.

For CVE-2023-35036, which was disclosed on June 9, Progress Software released the following fixed versions of MOVEit Transfer on-prem:

Fixed MOVEit Transfer Version for CVE-2023-35036
2021.0.7
2021.1.5
2022.0.5
2022.1.6
2023.0.2

A special patch is available for MOVEit Transfer 2020.1.x (12.1), while users of MOVEit Transfer 2020.0.x (12.0) or older are instructed to upgrade to a supported version.

Identifying affected systems

This section was updated on June 9.

Our detection plugin for Progress MOVEit Transfer has been updated and an additional version check plugin (ID: 177082) has been created. Both updated plugins should be available to customers shortly.

| Plugin ID | Title | Type | CVE |
| --- | --- | --- | --- |
| 90190 | Progress MOVEit Transfer Installed (Windows) | Detection | - |
| 176567 | Progress MOVEit Transfer < 2021.0.6 / 2021.1.0 < 2021.1.4 / 2022.0.0 < 2022.0.4 / 2022.1.0 < 2022.1.5 / 2023.0.0 < 2023.0.1 Critical Vulnerability (May 2023) | Version | CVE-2023-34362 |
| 177082 | Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023) | Version | CVE-2023-35036 |
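The version ranges in the plugin titles above are per-branch checks: a version is affected if it is below the fixed release of its own branch, and anything older than the lowest fixed branch is caught by the leading "< x.y.z" clause. The following added example (not Tenable plugin code) implements that logic as a local triage helper using the fixed versions listed in the Solution section. It assumes the installed version is available as a "year.minor.patch" string; mapping from the legacy numbering (such as 12.1 for 2020.1.x) is not attempted.

```python
# Fixed on-prem versions as listed in the Progress Software advisories quoted in this post.
FIXED_VERSIONS = {
    "CVE-2023-34362": [(2021, 0, 6), (2021, 1, 4), (2022, 0, 4), (2022, 1, 5), (2023, 0, 1)],
    "CVE-2023-35036": [(2020, 1, 9), (2021, 0, 7), (2021, 1, 5), (2022, 0, 5),
                       (2022, 1, 6), (2023, 0, 2)],
}


def parse_version(text):
    """Turn a 'year.minor.patch' string into a comparable (int, int, int) tuple.

    Extra dotted components (build numbers) are ignored; fewer than three
    components is treated as malformed, since every check here needs the patch level.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognized MOVEit Transfer version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(version, cve):
    """Apply the plugin-style range check for one CVE to one version string."""
    v = parse_version(version)
    fixed = sorted(FIXED_VERSIONS[cve])
    by_branch = {(f[0], f[1]): f for f in fixed}
    fix = by_branch.get((v[0], v[1]))
    if fix is None:
        # No fixed release for this branch: anything older than the lowest fixed
        # branch falls under the leading "< lowest" clause; anything newer is assumed
        # to postdate the fixes. (Assumption: no unlisted branch sits between them.)
        return v < fixed[0]
    return v < fix


def assess(version):
    """Return {cve: vulnerable?} for every CVE in the table."""
    return {cve: is_vulnerable(version, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    for host, ver in [("mft-01", "2023.0.0"), ("mft-02", "2023.0.1"), ("mft-03", "2020.0.8")]:
        print(host, ver, assess(ver))
```

Note that a host fixed for CVE-2023-34362 (for example 2023.0.1) still reports as affected by CVE-2023-35036, which is exactly why the second plugin was added; the function returns a per-CVE verdict rather than a single yes/no so that both patch waves are tracked.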

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Change Log

Update June 15: The Tenable Security Response Team is aware of an additional SQL injection vulnerability in Progress MOVEit Transfer. At this time, there is no patch available. Please refer to Progress Software's latest advisory for more information. We will provide an update once more information becomes available.

Update June 12: This blog post has been updated to reflect the assignment of CVE-2023-35036 for additional SQL injection vulnerabilities disclosed to Progress Software on June 9.

Update June 9: Updated the Background section with information on a new SQL injection vulnerability in MOVEit Transfer disclosed on June 9 (CVE-Pending), the Analysis section to include attribution of the attack to the Clop ransomware group and the publication of a joint cybersecurity advisory from the FBI and CISA, and the Identifying Affected Systems section to highlight the updated detection plugin and new version check plugin for the new vulnerability.
