In today's digital landscape, the security of data transfers is essential. Enterprises globally rely on tools for their data transfer needs in both on-premises and cloud environments. But what happens when these trusted utilities expose vulnerabilities that could lead to escalated privileges and unauthorized access to the environment? The recent discovery of a significant vulnerability in MOVEit—a secure, managed file-transfer utility created by Progress Software—illustrates just how severe the consequences can be.
A Closer Look at CVE-2023-34362
In late May 2023, Progress disclosed a critical vulnerability (tracked as CVE-2023-34362) within the MOVEit Transfer web application. This SQL injection vulnerability could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
Exploitation of unpatched systems can occur over HTTP or HTTPS. It should also be noted that the vulnerability has been actively exploited in the wild since May 2023, effectively as a zero-day: attackers began exploiting it before Progress could release a patch.
The Impact: Ransomware Attacks by the Cl0p Group
The severity of this MOVEit vulnerability was not lost on cybercriminals. Cl0p, the notorious ransomware group, leveraged it in a global ransom campaign that affected various organizations worldwide. Some of the more notable victims include British communications regulator Ofcom, the University of Manchester, the Illinois Department of Innovation & Technology and the Minnesota Department of Education.
CISA Advisory and Mitigation Steps
In response to this critical situation, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert, urging users and organizations to review the MOVEit Transfer Advisory and then take steps to follow the mitigation advice. This includes applying the necessary updates and hunting for any malicious activity in their environments.
Protection Against the Vulnerability
Radware provides signatures to detect and block MOVEit exploits through its Security Update Service (SUS). The following two signatures are specifically designed to protect against the vulnerabilities associated with CVE-2023-34362:
- Signature “HTTP-MOVEIT-WEBSHELL-HUM-RCE (RWID 21086)” is designed to protect against the Remote Code Execution vulnerability in MOVEit's web shell.
- Signature “HTTP-MOVEIT-SPIDLL-ATTE-SQLi (RWID 21088)” is specifically developed to protect against the SQL injection vulnerability in MOVEit.
The MOVEit vulnerability CVE-2023-34362 is a critical reminder of the paramount importance of robust cybersecurity measures in today's interconnected digital world. While software providers must ensure that their products are secure, it's equally essential for users and organizations to stay vigilant, update their systems promptly and leverage available protection tools to safeguard against potential attacks.