MOVEit Transfer Customers Warned of New Flaw as PoC Info Surfaces

Cyber Security Threat Summary:
On Thursday, Progress Software disclosed yet another vulnerability in its MOVEit Transfer application, the third the company has addressed since May 2023. Like the previous two flaws (CVE-2023-34362, May 31, 2023, and CVE-2023-35036, June 9, 2023), the latest vulnerability (CVE-2023-35708, June 15, 2023) is a SQL injection flaw that could allow threat actors to escalate privileges and potentially gain unauthorized access to MOVEit Transfer’s database.

According to a security researcher who goes by the handle @MCKSysAr on Twitter, the newest vulnerability appears to be related to a PoC they had been working on for CVE-2023-35036. “As promised, here's a pic of the PoC for CVE-2023-35036 (Progress MOVEit Transfer). As soon as I can get RCE, I'll upload the final PoC to GitHub…this attack works on current version of Progress MOVEit Transfer: 2023.0.2 (15.0.2.49). So I guess that I just dropped a 0 day here,” the researcher stated on Twitter.

Progress has yet to disclose how it uncovered the latest bug. The company has, however, released updated security patches that include fixes for both the June 9, 2023 (CVE-2023-35036) and June 15, 2023 (CVE-2023-35708) vulnerabilities:

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

Security Officer Comments:
The development comes after the Clop ransomware gang on Wednesday began extorting organizations it claimed to have hacked using the MOVEit Transfer zero-day (CVE-2023-34362). According to security experts at Kroll, Clop ransomware actors had been testing exploits for the zero-day since 2021 and exploring ways to exfiltrate data from compromised MOVEit servers since at least April 2022. Clop’s data leak site already lists several victim organizations targeted in the latest MOVEit attacks, including Shell, the University of Georgia, United Healthcare Student Resources, Heidelberger Druck, and Landal Greenparks, among many others. According to a CNN report published yesterday, two U.S. Department of Energy entities were also allegedly compromised as part of the attacks.

Although these two entities have not been listed on Clop’s data leak site, the actors posted the following notice: “If you are a government, city or police service you do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

Suggested Correction(s):
Progress is urging its customers to apply the patches as soon as possible to prevent potential attacks. If patching is not feasible at the moment, the company recommends modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.

It is important to note that until HTTP and HTTPS traffic is enabled again:

  • Users will not be able to log on to the MOVEit Transfer web UI
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  • REST, Java and .NET APIs will not work
  • MOVEit Transfer add-in for Outlook will not work
  • SFTP and FTP/s protocols will continue to work as normal
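As an added example that is not part of the advisory or Progress's own guidance, the following PowerShell applies the interim mitigation above as Windows Firewall rules on the MOVEit Transfer host and then checks the resulting posture. The rule name, the target hostname, and the SFTP/FTPS port numbers (22 and 990) are assumptions; run the block-rule part in an elevated session on the server and the verification loop from a separate management host.

```powershell
# Added example, not from the advisory: interim block of web traffic to MOVEit Transfer.
# Assumes an elevated PowerShell session on the MOVEit Transfer server (Windows).
$RuleName = 'MOVEit-Transfer-Block-HTTP-HTTPS (interim, until patched)'   # assumed name

# Block inbound HTTP/HTTPS (TCP 80 and 443) until the fixed build is installed.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 80,443 -Action Block -Profile Any -Enabled True | Out-Null

# Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Verification: run this part from another host on the network, not from the server
# itself. Web ports should now be unreachable, while SFTP (22) and FTPS (990) keep
# working, which matches the impact list in the advisory.
$Target   = 'moveit.example.internal'   # assumed hostname of the MOVEit Transfer server
$Expected = @{ 80 = $false; 443 = $false; 22 = $true; 990 = $true }   # port -> reachable?
foreach ($Port in $Expected.Keys) {
    $Open  = Test-NetConnection -ComputerName $Target -Port $Port `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
    $State = if ($Open -eq $Expected[$Port]) { 'OK' } else { 'UNEXPECTED' }
    '{0,5}  reachable={1,-5}  expected={2,-5}  {3}' -f $Port, $Open, $Expected[$Port], $State
}

# After patching, remove the interim rule to restore web UI, API and Outlook add-in access:
# Remove-NetFirewallRule -DisplayName $RuleName
```

Any port reported as UNEXPECTED means either the block rule is not taking effect or a file-transfer protocol was caught by an overly broad rule, so review the rule set before relying on it.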

Link(s):
https://www.bleepingcomputer.com/