The MOVEit Transfer vulnerabilities have been actively exploited since at least May 27. More than 100 organizations have fallen victim, despite the availability of patches from Progress Software for the three flaws that have surfaced so far. All three are SQL injection vulnerabilities that enable privilege escalation and access to entries in the file-transfer software’s database.
Attackers exploit any of these flaws by sending crafted requests to the MOVEit Transfer web application that inject SQL into the queries it runs against its database. That gives them access to the database and the ability to steal, modify, or delete data. All versions of MOVEit Transfer are vulnerable until patched.
“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” Progress Software said in its advisory. With proof-of-concept exploits now public, the exposure of organizations that have yet to patch is growing rapidly. As a temporary mitigation, Progress Software recommends blocking all HTTP and HTTPS traffic (ports 80 and 443) to MOVEit Transfer environments until the patch is applied; this disables the web UI and the web-based APIs, while SFTP and FTPS transfers continue to work. The company also took its MOVEit Cloud offline on June 15 as a precautionary measure.
“Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity. Because the new vulnerability we reported on June 15 had been publicly posted online, it was important that we take immediate action out of an abundance of caution to quickly patch the vulnerability and disable MOVEit Cloud,” the company wrote in a blog.
“Our product teams and third-party forensics partners have reviewed the vulnerability and associated patch and have deemed that the issue has been addressed,” the company added. “This fix has been applied to all MOVEit Cloud clusters and is available for MOVEit Transfer customers.”
The Cybersecurity and Infrastructure Security Agency (CISA) has linked exploitation of these flaws to a Russia-linked group called CLOP. CLOP is a prolific threat actor specializing in data theft, extortion, and ransomware against targets in numerous industries, including financial services and government agencies. News reports say more than 100 organizations have been victimized through these vulnerabilities, most of them in the United States, including government offices and agencies, airlines, educational institutions, and communications companies.
CWE-89: Improper Neutralization of Special Elements Used in SQL Command (SQL injection)
CVSS v3: 9.8
Disclosed: May 31
This flaw affects MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1); release branches older than 2021.0 have no fixed build listed and must be upgraded to a supported branch. The vulnerability is in the MOVEit Transfer web application and enables an unauthenticated attacker to gain access to the application’s database, putting all stored data at risk. In addition, depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), Progress Software said, an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. CVE-2023-34362 has also been added to CISA’s Known Exploited Vulnerabilities catalog.
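An added helper, not from this page or from Progress Software, that turns the fixed-version list above into an inventory check. It accepts both the year-style (2022.1.5) and numeric-style (14.1.5) version strings the advisory pairs; the rule that numeric major N corresponds to year N + 2008 is derived from those pairs and is assumed to hold for other branches, and the host names and versions in the sample inventory are constructed.

```python
import re

# Fixed builds from the Progress advisory, keyed by release branch (year, minor).
FIXED_BY_BRANCH = {
    (2021, 0): (2021, 0, 6),   # 13.0.6
    (2021, 1): (2021, 1, 4),   # 13.1.4
    (2022, 0): (2022, 0, 4),   # 14.0.4
    (2022, 1): (2022, 1, 5),   # 14.1.5
    (2023, 0): (2023, 0, 1),   # 15.0.1
}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)

# Assumption: numeric major N maps to year N + 2008 (13 -> 2021, 14 -> 2022,
# 15 -> 2023 per the advisory's pairs; extrapolated to other branches).
NUMERIC_YEAR_OFFSET = 2008

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def normalize(version):
    """Return (year, minor, patch) for either version style.
    Raises ValueError for anything that is not three dotted integers."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major < 100:  # numeric style such as 14.1.5
        major += NUMERIC_YEAR_OFFSET
    return (major, minor, patch)


def is_vulnerable_to_cve_2023_34362(version):
    """True when the installed build is below the fixed build for its branch,
    or when the branch predates the oldest branch that received a fix."""
    year, minor, patch = normalize(version)
    branch = (year, minor)
    if branch in FIXED_BY_BRANCH:
        return (year, minor, patch) < FIXED_BY_BRANCH[branch]
    if branch < OLDEST_FIXED_BRANCH:
        # No fixed build listed for branches older than 2021.0: treat as
        # vulnerable; the remedy is an upgrade to a supported branch.
        return True
    # Assumption: branches newer than those in the advisory shipped with the fix.
    return False


# Constructed inventory of (host, installed version); not real hosts.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "2023.0.0"),
    ("mft-02.example.internal", "15.0.1"),
    ("mft-03.example.internal", "14.1.4"),
    ("mft-04.example.internal", "2020.1.6"),
]


def hosts_needing_patch(inventory):
    """Hosts whose installed version is still vulnerable."""
    return [host for host, ver in inventory if is_vulnerable_to_cve_2023_34362(ver)]


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print("PATCH:", host)
```

The comparison is done per branch rather than against a single "latest" version, because a 2022.1.5 install is fixed even though 2023.0.1 is numerically higher; comparing only against the newest release would flag patched hosts.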
CWE-89: Improper Neutralization of Special Elements Used in SQL Command (SQL injection)
CVSS v3: 9.1
Disclosed: June 11
There have been no reports of public exploits against this CVE. Like the other two MOVEit flaws, however, it affects all unpatched versions of the software and lets an unauthenticated attacker submit crafted payloads to an application endpoint that disclose or modify database contents.
CWE-89: Improper Neutralization of Special Elements Used in SQL Command (SQL injection)
CVSS v3: 9.8
Disclosed: June 16
Published last week, this CVE, like the other two, is a SQL injection that can be used to steal or manipulate data in the MOVEit Transfer database. All unpatched versions are affected; Progress Software said it is unaware of publicly available exploit code targeting this vulnerability.
Claroty helps our users manage vulnerabilities like these through a variety of means across our solutions. Specifically:
Claroty xDome and the Medigate Platform
Claroty’s SaaS solutions enable users to identify, assess, and mitigate the risks associated with the MOVEit vulnerabilities. Specifics include:
Identifying the MOVEit vulnerabilities: Accurately identifying Progress MOVEit Transfer vulnerabilities requires visibility into the applications installed on each asset. This type of information is not generally available if only a passive asset discovery method is used to create asset profiles. By employing alternative discovery methods, such as safe queries or Claroty Edge, users are able to identify installed applications on network devices and their corresponding vulnerabilities. The MOVEit vulnerabilities are also discoverable via integrations with patch management, vulnerability orchestration, and EDR tools. If discovered through any of the above means, these CVEs will appear on the Vulnerability page of the platform with an adjusted risk score, associated devices, priority group, and more.
Monitoring for exploits: Claroty’s SaaS solutions continuously monitor asset communications for connections to known-risky IP addresses or anomalous activity based on observed behaviors. Any potentially malicious activity — such as attempts to exploit MOVEit vulnerabilities — results in alerts that are mapped to the MITRE ATT&CK framework and provide security teams with further context and mitigation recommendations aligned with common tactics and techniques.
Protecting against exploits: Claroty xDome and the Medigate Platform provide recommended communication policies for all assets within a customer’s environment. These policies can be automatically configured, exported, and enforced through an integrated NAC or Firewall solution to help protect against and contain attempts to exploit vulnerable devices. Policy violation or communication with known-risky IP alerts can be sent to an integrated SIEM solution for security teams to incorporate into existing workflows.
Claroty Continuous Threat Detection (CTD)
Identifying the MOVEit vulnerabilities: Just as with Claroty xDome and Medigate, CTD’s safe queries and Claroty Edge collection methods are able to identify each asset’s installed applications and can thus reveal whether an asset is running a vulnerable version of the MOVEit Transfer software. Additionally, CTD includes multiple YARA rules specifically for the Progress MOVEit Transfer vulnerabilities that enable them to be discovered via passive monitoring of asset communications.
Monitoring for exploits: Claroty CTD continuously monitors asset traffic for known signatures, including those associated with the MOVEit Transfer YARA rules, as well as behavioral anomalies indicative of potential exploitation attempts. Any deviation from an asset’s behavioral baseline results in an alert containing information about the chain of events that led to it and the associated assets, mapped to the MITRE ATT&CK for ICS framework to assist security teams with their investigation and response.
Protecting against exploits: CTD’s Virtual Zones feature can be used to create and enforce network segmentation policies that help harden the environment against exploitation attempts. Communication violations and known-signature alerts detected by CTD can be automatically sent to an integrated SIEM or SOAR system and incorporated into existing response workflows.
The discovery of the Progress MOVEit Transfer set of CVEs is another reminder of the continuing growth of malicious activity in our connected world. While the full extent of the Progress MOVEit Transfer vulnerabilities is not yet known, understanding the signs of risk and the best practices for protecting against them is foundational to maintaining a cyber-resilient organization. If you are an existing Claroty customer and have questions regarding how your solution protects you against vulnerabilities like these, please reach out to your Claroty representative.