Monday, 05 June 2023 11:12

MOVEit Transfer Zero Day gets added to the KEV and a Cool New Web Shell

Spring, the time of renewal, the time when nature wakes up. It is also a time when zero-day flaws hit the web. This year has been no different, with many zero-day flaws identified in April and May 2023. The reasons for this are varied, but commonly we see zero-day flaws identified after everyone comes back from their holiday vacations and after budgets are done, the money is available and initiatives for the new year start. One of the more interesting zero-days for 2023 was a flaw found in MOVEit Transfer software.

First disclosed on May 31st, 2023, and tracked as CVE-2023-34362, the flaw allows for a SQL injection attack via the web application. The injection allows an unauthenticated attacker to execute SQL statements against the database and affect the information stored there (including exfiltration). The flaw is accessible over HTTP and HTTPS. It is actively being exploited in the wild and, according to Mandiant, has its own new web shell for easier exploitation of unpatched sites. The leading suspect for these attacks seems to be the same group that is behind Cl0p. They are known by several names at different security research firms: Microsoft calls them Lace Tempest, and they are also known as FIN11, TA505, Storm-0950, and Evil Corp. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this to the Known Exploited Vulnerabilities list, meaning that all federal agencies must patch or mitigate this now.
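To make the security-relevant point concrete, here is an added illustration (not code from the post, and not MOVEit's or Progress's code) of the flaw class the paragraph describes: a web handler that builds SQL from an unauthenticated request parameter, placed beside the parameterized form that closes that class of bug. The table and rows are constructed sample data for an in-memory SQLite database; the `owner` lookup is a hypothetical handler, not a real MOVEit endpoint.

```python
"""Added example: string-built SQL versus a parameterized query.

The vulnerable handler lets request input change the shape of the
statement; the safe handler binds the same input as a value only.
Everything here (table, rows, function names) is constructed for the
demonstration and does not describe MOVEit's schema or endpoints.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a file-transfer inventory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [
            (1, "alice", "q1-report.pdf"),
            (2, "alice", "payroll.xlsx"),
            (3, "bob", "notes.txt"),
        ],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Untrusted input is concatenated into the statement, so the database
    # cannot tell where the developer's query ends and the caller's text
    # begins. Any caller, authenticated or not, controls part of the SQL.
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Parameterized query: the value is sent separately from the statement
    # text and is always treated as data, never parsed as SQL.
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo() -> dict[str, list[str]]:
    """Run both handlers on a normal value and on a textbook tautology
    string, returning the results so the difference can be checked."""
    conn = make_db()
    tautology = "x' OR 'a'='a"  # classic textbook input, labelled as constructed
    return {
        "vulnerable_normal": list_files_vulnerable(conn, "alice"),
        "safe_normal": list_files_safe(conn, "alice"),
        # The vulnerable handler now returns every row, regardless of owner.
        "vulnerable_injected": list_files_vulnerable(conn, tautology),
        # The safe handler looks for an owner literally named x' OR 'a'='a.
        "safe_injected": list_files_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point for defenders is in the last two results: the same input that widens the vulnerable query to the whole table returns nothing from the parameterized one, because the driver never lets bound values become part of the statement. Code review and static analysis that flag string-built SQL in request handlers catch this class before an external tester, or an attacker, does.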

This new zero-day in a file transfer platform is the second one linked to Evil Corp this year, following the exploitation of GoAnywhere MFT in January 2023. The speed at which threat groups can pivot to a previously unknown attack vector is concerning. As I have said on multiple occasions, it shows there is something lacking in the way we currently test public-facing software applications. I am willing to bet that these systems have had traditional application penetration tests and passed them. However, most penetration tests only test with known vulnerabilities and exploits. This is why zero-day vulnerabilities are dangerous. Now add in the glacial speed at which organizations patch or mitigate identified vulnerabilities and you have a nice target-rich environment.

For now, if you use MOVEit, it is highly recommended that you patch to a non-vulnerable version, or shut off all HTTP/HTTPS traffic to it if you cannot patch.
