MOVEit zero-day gap: The countdown is on


Last week, Progress Software reported a critical security vulnerability (CVE-2023-34362) in its MOVEit Transfer product and the related MOVEit cloud services. The CLOP APT group, which has also issued an ultimatum running until 14 June, carried out mass attacks and data theft against the widely used software.

As the name suggests, MOVEit Transfer is a system that allows for easy storage and sharing of files across a team, department, company, or even a supply chain. The software is also used by the AOK, for example. In the current case, it turned out that MOVEit's web-based front end, which allows files to be shared and managed via a web browser, has a SQL injection vulnerability. This type of file sharing is very popular as the process is generally considered to be less prone to misdirected or "lost" files than email sharing.

Good news and bad news

The good news in this case is that Progress patched all supported MOVEit versions as well as its cloud-based service as soon as the company became aware of the vulnerability. Customers using the cloud version are automatically up to date. Versions running on their own network must be actively patched. MOVEit customers are required to run a compromise scan IN ADDITION to installing the patch. Patching alone is NOT enough.

The bad news is that this vulnerability was a zero-day, meaning Progress found out about it because cybercriminals had already exploited it. In other words, before the patch was released, MOVEit SQL back-end databases may already have been injected with malicious commands, with a number of possible consequences:

  • Deletion of existing data: The classic result of a SQL injection attack is large-scale data destruction.
  • Exfiltration of existing data: Instead of deleting SQL tables, attackers could inject their own queries and thus not only learn the structure of internal databases, but also extract and steal important parts.
  • Change of existing data: Attackers might choose to corrupt or destroy data instead of stealing it.
  • Implantation of new files, including malware: Attackers could inject SQL commands, which in turn launch external system commands, allowing arbitrary remote code execution within a network.

A group of attackers whom Microsoft believes to be (or to be associated with) the infamous CLOP ransomware gang has apparently already exploited this vulnerability to plant so-called webshells on affected servers.

What to do for more security?

  • If you are a MOVEit user, make sure all instances of the software on your network are patched.
  • If you are unable to patch at this time, turn off the web-based (HTTP and HTTPS) interfaces to your MOVEit servers until you can. Apparently, this vulnerability is only exposed via MOVEit's web interface, not via other access paths such as SFTP.
  • Check your logs for newly added web server files, newly created user accounts, and unexpectedly large data downloads. Progress has published a list of places to search, along with the filenames to look for.
  • If you are a programmer, sanitize your inputs.
  • If you're a SQL programmer, use parameterized queries instead of generating query commands that contain characters controlled by the person sending the query.
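The last two points, and the list of SQL injection consequences above, are easiest to see side by side. The following is an added example, not code from the article or from Progress: a constructed in-memory SQLite database (its tables are illustrative, not MOVEit's schema) queried once by string concatenation and once with a bound parameter. The same single-quote in the "owner" value changes the structure of the concatenated query and returns every row, while the parameterized version treats it as plain data and matches nothing.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for a file-transfer back end (not MOVEit's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 1);
        CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, path TEXT);
        INSERT INTO files VALUES (1, 'alice', '/home/alice/report.pdf'),
                                 (2, 'bob',   '/home/bob/payroll.xlsx');
        """
    )
    return conn


def list_files_vulnerable(conn, owner):
    """The caller-controlled value is pasted into the SQL text itself.

    A quote character in `owner` terminates the string literal, so whatever
    follows becomes part of the query: that is the injection the article warns about.
    """
    sql = f"SELECT path FROM files WHERE owner = '{owner}'"
    return sorted(row[0] for row in conn.execute(sql))


def list_files_safe(conn, owner):
    """The value travels as a bound parameter (the `?` placeholder).

    The database driver never interprets it as SQL, so quotes, comment markers
    or keywords inside it cannot alter the statement's structure.
    """
    sql = "SELECT path FROM files WHERE owner = ?"
    return sorted(row[0] for row in conn.execute(sql, (owner,)))


if __name__ == "__main__":
    db = build_db()
    # Constructed input that a caller should never be able to turn into a tautology.
    hostile_owner = "x' OR '1'='1"
    print("vulnerable:", list_files_vulnerable(db, hostile_owner))  # returns every file
    print("safe      :", list_files_safe(db, hostile_owner))        # returns []
```

The point to take from the two functions is that escaping or "cleaning" the value yourself is the fragile option; binding it as a parameter is what removes the class of bug, and it applies equally to INSERT, UPDATE and DELETE statements, which is where the data-destruction and data-tampering outcomes in the list above would originate.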

In many, if not most, of the webshell-based attacks examined so far, Progress expects a rogue webshell file named human2.aspx to be found, possibly alongside newly created malicious files with a .cmdline extension. Sophos products detect and block these webshell files as Troj/WebShel-GO, whether they are named human2.aspx or not.

However, it is important to remember that if other attackers knew about this zero-day before the patch was released, they may have injected different and more subtle commands. These may not be detected by simply scanning for residual malware or by looking for known filenames that may appear in logs.
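The three log checks recommended above (new web server files, new accounts, unusually large downloads) and the caveat that attackers may not have used the known filenames can be combined into one baseline-comparison script. The example below is added here and is not code from the article, Progress or Sophos; the directory listings, account lists and access-log lines are constructed, the log format is a simplified one assumed for the example (it is not MOVEit's or IIS's real format), and the 100 MiB threshold is an arbitrary assumption to tune per environment. The key design choice, following the caveat above, is that every file absent from the baseline is reported, not only human2.aspx or .cmdline files; the known names are merely given a higher priority.

```python
import re

# Constructed web-root listings: a known-good baseline and the current state.
BASELINE_WEBROOT = {"human.aspx", "default.aspx", "web.config"}
CURRENT_WEBROOT = {"human.aspx", "human2.aspx", "default.aspx", "web.config",
                   "job.cmdline", "helper.js"}

# Constructed account lists from before and after the patch window.
KNOWN_ACCOUNTS = {"alice", "bob"}
CURRENT_ACCOUNTS = {"alice", "bob", "svc_backup2"}

# Constructed access-log lines in an assumed simplified format:
# date time method path status user bytes-sent
ACCESS_LOG = """\
2023-06-01 10:15:22 GET /api/v1/folders/7/files 200 alice 48213
2023-06-01 10:16:03 GET /api/v1/files/91/download 200 alice 2097152
2023-06-01 23:41:50 GET /api/v1/files/92/download 200 svc_backup2 734003200
2023-06-01 23:42:11 GET /api/v1/files/93/download 200 svc_backup2 811597824
malformed line that the parser must skip
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")

# Names and extensions the article mentions; flagged as high priority, not as the only signal.
KNOWN_BAD_NAMES = {"human2.aspx"}
SUSPICIOUS_EXTENSIONS = (".aspx", ".cmdline")


def new_webroot_files(baseline, current):
    """Return (filename, priority) for every file not in the baseline.

    Priority "high" = a name or extension the article associates with the webshell,
    "review" = anything else that was not there before (unknown tooling looks like this).
    """
    findings = []
    for name in sorted(current - baseline):
        if name in KNOWN_BAD_NAMES or name.endswith(SUSPICIOUS_EXTENSIONS):
            findings.append((name, "high"))
        else:
            findings.append((name, "review"))
    return findings


def new_accounts(known, current):
    """Accounts that exist now but were not in the known-good list."""
    return sorted(current - known)


def parse_log(log_text):
    """Yield (timestamp, method, path, status, user, bytes) for well-formed lines only."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, method, path, status, user, nbytes = m.groups()
            yield ts, method, path, int(status), user, int(nbytes)


def large_downloads(log_text, threshold_bytes):
    """Single responses at or above the threshold."""
    return [(ts, user, path, nbytes)
            for ts, method, path, status, user, nbytes in parse_log(log_text)
            if method == "GET" and status == 200 and nbytes >= threshold_bytes]


def bytes_per_user(log_text):
    """Total bytes sent per user; catches exfiltration split into many smaller downloads."""
    totals = {}
    for _ts, method, _path, status, user, nbytes in parse_log(log_text):
        if method == "GET" and status == 200:
            totals[user] = totals.get(user, 0) + nbytes
    return totals


if __name__ == "__main__":
    threshold = 100 * 1024 * 1024  # assumed 100 MiB threshold; tune per environment
    print("new files   :", new_webroot_files(BASELINE_WEBROOT, CURRENT_WEBROOT))
    print("new accounts:", new_accounts(KNOWN_ACCOUNTS, CURRENT_ACCOUNTS))
    print("large GETs  :", large_downloads(ACCESS_LOG, threshold))
    print("per user    :", bytes_per_user(ACCESS_LOG))
```

In practice the baseline comes from a known-good backup or a clean install of the same MOVEit version, and the per-user totals are worth comparing against the same account's history rather than a fixed number, since a backup service account legitimately moving gigabytes looks very different from a freshly created one doing so at night.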

Countdown runs until 14.06.2023

The CLOP group has issued an ultimatum to all companies attacked by the APT group: the companies are to make contact by e-mail at specific addresses. They would then receive an e-mail with a link to a chat room, where the ransom demand is to be negotiated. Anyone who does not comply will be pilloried by CLOP: first the company name will be published; later, parts of the captured data are to be published as well to increase the pressure.

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
