PacketWatch Threat Intelligence

I (don't) like to MOVEit MOVEit: MOVEit Transfer Zero-Day Exploit (Updated June 15, 2023)

Written by The PacketWatch Intelligence Team | Jun 1, 2023 6:10:41 PM
NOTICE

As this is actively being investigated and new information is continuously coming out, this information is subject to change. Please reach out to our team for corrections and see if PacketWatch can help detect and respond to any potential incidents.

June 15, 2023 Update

A new and separate vulnerability of critical severity again impacts MOVEit Transfer: CVE-2023-35036. This SQL injection is not currently known to lead to RCE, but "could lead to escalated privileges and potential unauthorized access to the environment." (Source) Of particular concern, proof-of-concept code is online, which increases the risk of exploitation of internet-facing MOVEit Transfer infrastructure.

Progress' article gives mitigations, which involve restricting HTTP and HTTPS traffic to the MOVEit Transfer server. Unfortunately, this will also impact usability until further information or a patch is released: with inbound 80/443 blocked, users cannot reach the web interface and integrations that use the web APIs stop working, while SFTP and FTPS transfers continue to function.

CVE-2023-34362: MOVEit File Transfer Software Critical Vulnerability

PacketWatch was made aware of a critical vulnerability being actively exploited in MOVEit Transfer, the managed file transfer software from Progress. Progress' article addressing the issue states that a patch is available, along with additional mitigation techniques if immediate patching is not possible.[1] The vulnerability is tracked as CVE-2023-34362, an SQL injection that can also lead to Remote Code Execution (RCE).[5][6]

Security professionals in the links below have been actively aggregating information on this vulnerability. BleepingComputer has also published an article with useful details.[2][3][4]

Am I Affected?

If you are a PacketWatch customer, we currently have no indications that our customers have been exploited. Please follow up with the PacketWatch team to discuss additional concerns and questions.

For everyone else, we want to echo the work done by other teams, such as Huntress Labs, and by individual security professionals, to ensure this message gets out quickly. Twitter user @UK_Daniel_Card shared ways to identify publicly exposed MOVEit Transfer instances via Shodan, a search engine over internet-wide scan data.

Additionally, Twitter user @JimSycurity shared that businesses partnered with Fiserv may want to follow up with their reps to see if they may be potentially affected.

The most important step any company can take is actively and quickly responding to these threats as they emerge. Your security team, IT team, and leveraged security resources should be available to help.

If you still need assistance or have any active incidents, PacketWatch specializes in network detection, threat hunting, and incident response to meet your business needs.

Indicators of Compromise (IOCs)

Last Updated June 2, 2023

Security researcher Florian Roth has compiled, in a thread on Twitter, a comprehensive list of IOCs together with references to IOCs other organizations have collected.

File:

  • human2.aspx [3][4]

IP:

  • 89.39.105[.]108 [3]
  • 5.252.190[.]197 [3][4]
    • The same source notes that the entire 5.252.190[.]0/24 range is potentially suspect; treat range-wide matches as leads to investigate rather than as confirmed compromise.
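The indicators above are only useful if they are actually checked against your own hosts. As an added example (this is not PacketWatch's code nor from any of the cited sources), the following Python script hunts for them in IIS W3C-format logs from a MOVEit Transfer server and walks the webroot for the webshell file name. The sample log lines are constructed for illustration, and the default IIS field order, the webroot path and the function names are assumptions; point it at your real `u_ex*.log` files and install directory.

```python
"""Added example: hunt for the MOVEit Transfer IOCs listed above in IIS logs and the webroot.

Not PacketWatch code. The sample log lines below are constructed; the IIS field
order, the webroot path and the function names are assumptions.
"""
import ipaddress
import os

# IOCs from the list above, un-defanged so they can be matched programmatically.
IOC_FILENAMES = {"human2.aspx"}
IOC_IPS = {"89.39.105.108", "5.252.190.197"}
IOC_NETWORKS = [ipaddress.ip_network("5.252.190.0/24")]

# Default IIS W3C extended field order (assumed); a "#Fields:" header in the
# log overrides it, so logs with a different selection of fields still parse.
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken"
).split()


def parse_iis_log(lines):
    """Yield one dict per request line; honour #Fields headers, skip comments and malformed rows."""
    fields = DEFAULT_FIELDS
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")  # IIS writes '+' for spaces inside a field, so a plain split is safe
        if len(values) != len(fields):
            continue  # truncated or corrupt row: do not silently mis-assign columns
        yield dict(zip(fields, values))


def ip_matches_ioc(ip_text):
    """True if the client IP is a listed IOC or falls inside a suspect range."""
    if ip_text in IOC_IPS:
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # '-' or garbage in the c-ip column
    return any(ip in net for net in IOC_NETWORKS)


def hunt_iis_log(lines):
    """Return the log records that touch the webshell path or come from an IOC address."""
    hits = []
    for rec in parse_iis_log(lines):
        reasons = []
        # Exact match on the last path segment: the similarly named human.aspx must not match.
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] in IOC_FILENAMES:
            reasons.append("request to webshell path")
        if ip_matches_ioc(rec.get("c-ip", "")):
            reasons.append("client IP is an IOC")
        if reasons:
            hits.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "client_ip": rec.get("c-ip", ""),
                "method": rec.get("cs-method", ""),
                "path": rec.get("cs-uri-stem", ""),
                "status": rec.get("sc-status", ""),
                "reasons": reasons,
            })
    return hits


def find_webshell_files(webroot):
    """Walk the webroot for files whose name matches the file IOC (case-insensitive)."""
    found = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if name.lower() in IOC_FILENAMES:
                found.append(os.path.join(dirpath, name))
    return found


# Constructed sample IIS log, not real traffic. Client addresses other than the
# IOCs are documentation ranges (RFC 5737); the last row is deliberately truncated.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken",
    "2023-05-28 02:14:11 10.0.0.5 GET /human.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 31",
    "2023-05-28 02:15:02 10.0.0.5 POST /api/v1/token - 443 - 5.252.190.197 Mozilla/5.0 - 200 0 0 120",
    "2023-05-28 02:15:07 10.0.0.5 GET /human2.aspx - 443 - 89.39.105.108 Mozilla/5.0 - 200 0 0 15",
    "2023-05-28 02:20:00 10.0.0.5 POST /human2.aspx - 443 - 5.252.190.44 Mozilla/5.0 - 404 0 2 5",
    "2023-05-28 03:00:00 10.0.0.5 GET /api/v1/folders - 443 - 198.51.100.7 curl/8.0 - 200 0 0 12",
    "2023-05-28 03:05:00 10.0.0.5 GET /truncated",
]

if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_LOG):
        print(hit["time"], hit["client_ip"], hit["method"], hit["path"], hit["status"], "; ".join(hit["reasons"]))
    # Assumed default webroot for a MOVEit Transfer install; adjust for your deployment.
    for path in find_webshell_files(r"C:\MOVEitTransfer\wwwroot"):
        print("webshell file:", path)
```

On the constructed sample the script flags three of the five well-formed rows: the POST from 5.252.190.197 (IP only), and the two requests for /human2.aspx (path plus IP), the second of which comes from an address elsewhere in the 5.252.190.0/24 range. Note that a 404 on the webshell path is still worth keeping: it shows the attacker probing before or after the file existed. A match on the range alone is a lead, not proof of compromise.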

References