Zero Day Exploit
CVE-2023-34362
The MOVEit transfer application used to transfer files has a zero-day vulnerability in the form of an SQL injection vulnerability.
The impact is still yet to be fully materialised.
Threat Name: CVE-2023-34362
Risk Factor: High
Date: May 2023
Get Help Now
Solace Cyber security specialists can provide technical guidance for assessing a potential supply chain risk
What we know about the MOVEit Transfer vulnerability
The MOVEit transfer application used to transfer files has a zero-day vulnerability in the form of an SQL injection vulnerability. This in turn allows the adversary to drop a web shell on the host inside the MOVEit wwwroot directory. After which time, the attacker could then download any file within MOVEit and install a backdoor.
A known breach involving Zellis, a supplier of IT services for payroll and human resources says a “small number” of organisations have been affected.
The ransomware group “Cl0p” has posted on their ransomware site that they are exploiting the MOVEit vulnerability. Microsoft have also attributed the attack to Cl0p. The recent attacks do not show signs of encryption, although there is potential for this to occur as well as lateral spread.
The group states on their Darknet page that they’ll post the names of the organisations compromised on June 14th 2023 if the targeted organisation hasn’t already contacted them. In the past 24 hours the BBC, Boots and British Airways have confirmed they’ve been impacted.
The UK’s National Cyber Security Centre said it was “monitoring the situation” and urged organisations using the compromised software to carry out security updates. As of today, results from internet reconnaissance show that there are 127 instances in the UK of the MoveIT Transfer application and 1853 in the US.
What’s the impact of the zero-day exploit?
Due to the growing number of compromised organisations and the current supply chain spread the impact is still yet to be fully materialised.
Organisations without the vendor’s latest patch against CVE-2023-34362 should assume breach and conduct investigative and remediation efforts where the service is publicly accessible.
Solace Cyber recommendations
Where applicable we recommend organisations:
- Disconnect MOVEit Transfer servers from the internet
- Search for indicators of compromise
- Rotate credentials for Azure storage keys / Rotate any other SQL credentials
- Perform a forensics investigation of your affected servers
- Restore and rebuild from a backup of the systems last known good state
- Apply the patch
- Continuously monitor all systems
Solace Cyber is here to help with technical guidance to assess a potential supply chain risk or give further support to the recommendations above.
Speak to a cyber security specialist
Solace Cyber offers expert assistance in managing potential supply chain risks.