It became known that during the audit in the solution for managing file transfer MOVEit Transfer, new critical vulnerabilities were discovered. Previously, due to the exploitation of a 0-day vulnerability in MOVEit Transfer, hundreds of companies have already been compromised, and hacking has affected such giants as British Airways and the BBC.
Background
A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023. The bug was a SQL injection that leads to remote code execution. For example, exploitation of a vulnerability can lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment.
Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. Microsoft analysts have linked these attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). This group is known for the fact that Clop ransomware operators leaked data from two universities.
MOVEit Developers React to Vulnerabilities
It soon became known that a total of hundreds of companies were compromised during the attacks, and the hack was confirmed by the Irish airline Aer Lingus, British Airways, the BBC and the British pharmacy chain Boots. Now MOVEit Transfer developers have warned customers about new critical vulnerabilities in their file transfer management product. New bugs were found during a security audit, which, after massive attacks, was carried out by experts from the Huntress company.
According to the manufacturer, the new vulnerabilities are SQL injections and affect all versions of MOVEit Transfer, allowing unauthenticated attackers to hack Internet-accessible servers, changing or stealing user information.
The developers note that all MOVEit Cloud clusters have already received fresh fixes that have protected them from potential attack attempts.
It is also worth noting that a PoC exploit for the original zero-day vulnerability (CVE-2023-34362) appeared recently, which began massive attacks on MOVEit Transfer clients. The exploit, as well as a detailed technical analysis of the vulnerability and a list of indicators of compromise that network defenders can use to detect the exploitation of a bug on vulnerable servers, were published by researchers from Horizon3. Information security experts warn that after the release of this exploit, more attackers are likely to use it in attacks or create their own versions to attack unpatched servers still available on the Internet.
