Monday, 05 June 2023 11:12

MOVEit Transfer Zero Day gets added to the KEV and a Cool New Web Shell

Written by

Reading time is around minutes.

Spring, the time of renewal, the time when nature wakes up. It is also a time when Zero-Day flaws hit the web. This year has been no different with many Zero-Day flaws identified in April and May 2023. The reasons for this are varied, but commonly we see Zero-Day flaws identified after everyone comes back from their Holiday vacations and after budgets are done, the money is available and initiatives for thew new year start. One of the more interesting zero-days for 2023 was a flaw found in MOVEit Transfer software.

First disclosed on May 31st, 2023, and tracked as CVE-2023-34362, the flaw allows for a SQL injection attack via the Web Application. The injection allows an unauthenticated attacker to execute SQL statements against the database to affect information stored (including exfiltration). The flaw is accessible over HTTP and HTTPS. It is actively being exploited in the wild and, according to Mandiant, has its own new Web Shell for easier exploitation of unpatched sites. The leading suspect for these attacks seems to be the same people as the ones behind Cl0p. They are known by several names at different security research firms. Microsoft calls them Lace Tempest, they are also known as FIN11, TA505, Storm-0950, and Evil Corp. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this to the Known Exploited Vulnerability list meaning that all Federal Agencies must pact of mitigate this now.

This new zero day in a file transfer platform is the second one linked to Evil Corp this year with exploitation of GoAnywhere MFT in January 2023. The speed at which threat groups can pivot on a previously unknown attack vector is concerning. As I have said on multiple occasions it shows there is something lacking in the way we currently test public facing software applications. I am willing to bet that these systems have had traditional application penetration tests and passed them. However, most penetration tests only test with known vulnerabilities and exploits. This is why zero-day vulnerabilities are dangerous. Now add in the glacial speed that organizations patch/mitigate identified vulnerabilities and you have a nice target rich environment.

For now, if you use MOVEit you are highly recommended to patch to a non-vulnerable version or shut off all HTTP/HTTPS traffic if you cannot patch.

Read 521 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.