Horizon3.ai Does A Deep Dive Into The MOVEit Transfer Vulnerability

Horizon3.ai’s Attack team published MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise over the weekend. The write-up includes a proof-of-concept (POC) remote code execution (RCE) exploit for the vulnerability, as well as indicators of compromise.

Zach Hanley, Chief Attack Engineer, said in part: 

“On May 31, 2023, Progress released a security advisory for their MOVEit Transfer application which detailed a SQL injection leading to remote code execution and urged customers to update to the latest version. The vulnerability, CVE-2023-34362, at the time of release was believed to have been exploited in-the-wild as a 0-day dating back at least 30 days.

“Soon after publication, a flurry of threat intelligence by various companies was released which indicated that this vulnerability was exploited further back than initially thought – GreyNoise seeing activity 90 days prior and Kroll reporting similar activity as far back as 2021. The attacks have been attributed to the cl0p ransomware gang, which is attributed to several other recent 0-day ransomware campaigns such as PaperCut, GoAnywhere MFT, SolarWinds Serv-U, and Accellion FTA.”

The deep dive then illustrates the POC, points out differences between the vulnerable and patched MOVEit versions, and offers indicators of compromise.

You can read the deep dive here.

Zach noted that, after execution, the POC exploit offered: “cleartext credentials for the provisioned sysadmin account, database credentials, and the service credential. All great targets for lateral movement.”
