Context over chaos. Disconnected technologies, siloed data, and reactive processes can only get you so far. Protecting businesses in today’s threat landscape demands more than a set of security tools – it requires context.
That's where Avertium comes in
Security. It’s in our DNA. It’s elemental, foundational. Something that an always-on, everything’s-IoT-connected world depends on.
Helping mid-to-enterprise organizations protect assets and manage risk is our only business. Our mission is to make our customers’ world a safer place so that they may thrive in an always-on, connected world.
Best-in-class technology from our partners... backed by service excellence from Avertium.
Interested in becoming a partner?
With Avertium's deal registration, partners can efficiently and confidently connect with Avertium on opportunities to protect your deals.
Microsoft Copilot for Security analyzes and synthesizes high volumes of security data which can help healthcare cybersecurity teams do more with less.
Dive into our resource hub and explore top
cybersecurity topics along with what we do
and what we can do for you.
UPDATE 6/16/2023 - Last night, Progress published an advisory notifying users of another critical MOVEit Transfer vulnerability tracked as CVE-2023-35708. According to Progress, the SQL injection vulnerability could lead to escalated privileges and potential unauthorized access to the MOVEit Transfer database.
CVE-2023-35708 could allow an attacker to submit a crafted payload to a MOVEit Transfer application endpoint which could modify and disclose MOVEit database content. MOVEit Transfer versions released before the following are vulnerable:
It’s important to note that several U.S. federal agencies have been breached via MOVEit vulnerabilities. On the heels of these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to restrict access to Internet exposed networking equipment. Progress highly recommends that users apply the below mitigation steps to prevent unauthorized access to their MOVEit Transfer environments.
Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:
UPDATE 6/9/2023 - Last week, Avertium published a Flash Notice warning of a SQL injection vulnerability found in Progress Software’s MOVEit Transfer managed file transfer solution (MFT). At the time, the vulnerability did not have a CVE number, that has since changed. The vulnerability, now tracked as CVE-2023-34362, was given a patch and organizations were advised to apply the patch as soon as possible. We have also learned that Clop ransomware has leveraged CVE-2023-34362, attacking several organizations. Those organizations include the UK based payroll provider Zellis. Some of the company’s customers include the Minnesota Department of Education and British Airways.
This week, while Progress and their third-party security experts were investigating the original MOVEit vulnerability, they uncovered new critical SQL injection vulnerabilities in MOVEit Transfer MFT. These vulnerabilities allow attackers to steal information from customer databases. The vulnerabilities, discovered by Huntress, do not have CVE numbers assigned to them. However, they affect all versions of MOVEit Transfer. If an attacker successfully exploits these vulnerabilities, they can compromise Internet-exposed servers and manipulate or extract customer information without authentication.
According to Progress’s advisory, an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. Progress has provided patches for the vulnerabilities, which are available for all supported versions. Although the vulnerabilities have not been exploited in the wild, it is highly recommended that you apply the patches as soon as possible. Also, if you have not already done so, please apply the patches for CVE-2023-34362 as well.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with the new MOVEit vulnerabilities. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
overview
This week, Progress Software’s managed file transfer solution MOVEit Transfer is actively being exploited by attackers to steal corporate data. While the SQL injection vulnerability does not have an official CVE number, Progress released a security advisory stating that vulnerability is critical, and it could lead to escalated privileges and potential unauthorized access to the environment. The researchers at Mandiant stated that “mass exploitation and broad data theft has occurred over the past few days.”
Patches have officially been released and Progress Software has issued mitigations to prevent further exploitation. Progress Software also stated that they are upgrading the MOVEit Cloud clusters for customers. The company recommends that admins block external traffic to ports 80 and 443 on the MOVEit server. Progress Software stated that blocking these ports will prevent external access to the web UI, stop some MOVEit Automation tasks from working, block APIs, and stop the Outlook MOVEit plugin from working. Admins are also advised to thoroughly inspect the 'c:\MOVEit Transfer\wwwroot' folder for any suspicious files, such as backups or substantial file downloads.
Also, considering the blocked ports and the very specific location to check for unusual files, it is likely that the vulnerability is web facing. The MOVEit Transfer vulnerability is similar to another zero-day (GoAnywhere/CVE-2023-0669) exploited by the Clop ransomware group in January 2023. This vulnerability allowed the threat actors to exfiltrate data and extort organizations.
It is highly recommended that organizations shut down all MOVEit Transfers and investigate to identify potential compromises before applying a patch (when it becomes available) and bringing the server back online.
Progress recommends the following mitigation steps to prevent unauthorized access to your MOVEit Transfer environment:
Affected Version |
Fixed Version |
Documentation |
MOVEit Transfer 2023.0.0 |
||
MOVEit Transfer 2022.1.x |
||
MOVEit Transfer 2022.0.x |
||
MOVEit Transfer 2021.1.x |
||
MOVEit Transfer 2021.0.x |
INDICATORS OF COMPROMISE (IoCs)
IP Addresses
HTTP POST
SHA256 Hashes
File Names
SUPPORTING DOCUMENTATION
MOVEit Transfer Critical Vulnerability (May 2023) - Progress Community
New MOVEit Transfer zero-day mass-exploited in data theft attacks (bleepingcomputer.com)
Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability | Rapid7 Blog
Critical zero-day vulnerability in MOVEit Transfer exploited by attackers! - Help Net Security
MOVEit Transfer and MOVEit Cloud Vulnerability (progress.com)
MOVEit Transfer Critical Vulnerability – CVE-2023-35708 (June 15, 2023) - Progress Community
CISA Order Highlights Persistent Risk at Network Edge – Krebs on Security