Original Release Date: 6/9/2023
Multiple threat actors are actively exploiting CVE-2023-34362, a critical zero-day SQL injection vulnerability in Progress Software’s MOVEit Transfer server application. The flaw allows an unauthenticated remote attacker to gain access to the MOVEit Transfer database; depending on the database engine in use, the attacker may be able to infer information about the database's structure and contents and execute SQL statements that alter or delete database elements. MOVEit Transfer is widely used across many organizations, including government and financial institutions. A quick Shodan search reveals over 440 publicly exposed instances in the United States, increasing the likelihood of successful attacks. The NJCCIC has observed scanning activity associated with recently shared CL0P ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, and federal civilian agencies must patch vulnerable instances by June 23.
The NJCCIC urges organizations to patch vulnerable MOVEit Transfer instances immediately after appropriate testing. If the upgrade cannot be applied right away, disable all HTTP and HTTPS traffic to the MOVEit Transfer environment, or take the system offline, until it can be upgraded. Because exploitation has been underway since before the patch was available, patching alone does not rule out prior compromise: ensure your security team can access and analyze application logs from servers that run MOVEit Transfer, including Microsoft IIS logs, and review them for the web shell and other indicators published for this campaign. Further IOCs, TTPs, and mitigations can be found in the Joint Cybersecurity Advisory AA23-158A.
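The following is an added example of the log review recommended above, not code from the NJCCIC, CISA, or Progress. It parses IIS W3C-format logs from a MOVEit Transfer server and flags requests to human2.aspx, the web shell path listed as an indicator in AA23-158A; the log lines are constructed for illustration, and any other paths an organization wants to check would be added to the indicator set from the advisory's IOC list.

```python
"""Scan Microsoft IIS W3C-format logs from a MOVEit Transfer server for requests to
the human2.aspx web shell path listed as an indicator in AA23-158A.
Added example for this advisory; not NJCCIC, CISA, or Progress code."""
from collections import defaultdict
from typing import Dict, Iterator, List

# Web shell path from AA23-158A. Further indicator paths from the advisory can be
# added to this set; only this one is exercised by the sample below.
WEB_SHELL_PATHS = {"/human2.aspx"}

# Constructed sample log lines (not a real capture). The #Fields directive gives the
# column layout; real logs may use a different order, so the parser reads it rather
# than hard-coding positions. /human.aspx is the legitimate MOVEit Transfer UI page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 01:02:03 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 120
2023-05-28 01:02:10 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.44 Mozilla/5.0 200 0 0 90
2023-05-28 01:02:15 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.44 Mozilla/5.0 200 0 0 31
2023-05-28 01:03:40 10.0.0.5 GET /Human2.aspx - 443 - 203.0.113.44 Mozilla/5.0 404 0 2 12
2023-05-28 01:05:00 10.0.0.5 GET
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no request data
        if not fields:
            raise ValueError("request line encountered before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_web_shell_hits(text: str) -> List[Dict[str, str]]:
    """Return request records whose URI stem is a known web shell path.
    The comparison is case-insensitive because IIS paths are."""
    return [rec for rec in parse_w3c(text)
            if rec.get("cs-uri-stem", "").lower() in WEB_SHELL_PATHS]


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group hits by client IP with count, first/last timestamp, and status codes seen,
    which is the shape of evidence an incident responder needs to scope the activity."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "statuses": []})
    for rec in hits:
        ts = f"{rec['date']} {rec['time']}"
        entry = summary[rec["c-ip"]]
        entry["count"] += 1
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
        entry["statuses"].append(int(rec["sc-status"]))
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_by_client(find_web_shell_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} request(s) to web shell path, "
              f"{info['first']} .. {info['last']}, statuses {info['statuses']}")
```

Run against the sample, the script reports one client (203.0.113.44) with two requests to the web shell path; a 404 on a later request does not clear the host, since the path was still requested. On a production server, point the parser at the full IIS log directory, and treat any hit as a trigger for the broader review (unexpected .aspx files in the MOVEit web root, unknown user accounts, large file downloads) described in AA23-158A.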