{"id":22219,"date":"2023-06-12T16:10:53","date_gmt":"2023-06-13T00:10:53","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/06\/12\/news-15949\/"},"modified":"2023-06-12T16:10:53","modified_gmt":"2023-06-13T00:10:53","slug":"news-15949","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/06\/12\/news-15949\/","title":{"rendered":"More MOVEit vulnerabilities found while the first one still resonates"},"content":{"rendered":"<p>In early June, we reported on the discovery of&nbsp;a critical&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/update-now-moveit-transfer-vulnerability-actively-exploited\">vulnerability in MOVEit Transfer<\/a>&mdash;known as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-34362\" target=\"_blank\" rel=\"nofollow\">CVE-2023-34362<\/a>.&nbsp;<\/p>\n<p>After the first vulnerability was discovered, MOVEit&#8217;s owner&nbsp;Progress Software partnered with third-party cybersecurity experts to conduct further detailed code reviews of the software. 
Now, Progress&nbsp;<a href=\"https:\/\/www.progress.com\/security\/moveit-transfer-and-moveit-cloud-vulnerability\" target=\"_blank\" rel=\"nofollow\">says<\/a>&nbsp;it has discovered multiple SQL injection vulnerabilities in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.<\/p>\n<p>No CVE identifiers have been assigned to the new vulnerabilities yet, but Progress has already released patches.<\/p>\n<p>Users of Progress MOVEit Transfer builds older than 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6) or 2023.0.2 (15.0.2) in their respective release branch&nbsp;should follow the recommendations in the <a href=\"https:\/\/community.progress.com\/s\/article\/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023\" target=\"_blank\" rel=\"nofollow\">security bulletin about the new vulnerabilities<\/a>.<\/p>\n<p>This code review was prompted by the severe consequences of the first vulnerability, which was <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/cl0p-ransomware-gang-claims-first-victims-of-the-moveit-vulnerability\">exploited by the Cl0p ransomware<\/a> gang. Cl0p confirmed it was behind these attacks in responses to inquiries by <a href=\"https:\/\/archive.ph\/dvM5i\" target=\"_blank\" rel=\"nofollow\">Reuters<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks\/\" target=\"_blank\" rel=\"nofollow\">BleepingComputer<\/a>.<\/p>\n<p>Cl0p is behaving very differently from other ransomware groups. 
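<p>As an added check (this code is not from the Malwarebytes post or from Progress Software), the following Python script decides whether an installed MOVEit Transfer version string is older than the fixed build for its release branch, using the five fixed versions listed above. The mapping from the marketing-year names (2021.x, 2022.x, 2023.x) to the internal 13.x, 14.x and 15.x numbers is taken from the parentheticals in the post; the host inventory at the bottom is constructed sample data, not real hosts.<\/p>

```python
# Added example, not code from the Malwarebytes post or from Progress Software.
# Decides whether a MOVEit Transfer version string predates the fixed build for
# its release branch, using the fixed versions listed in the post.

# Minimum fixed build per release branch, keyed by internal (major, minor).
# The internal numbers come from the post's parentheticals: 2021.0 = 13.0,
# 2021.1 = 13.1, 2022.0 = 14.0, 2022.1 = 14.1, 2023.0 = 15.0.
FIXED_BUILDS = {
    (13, 0): (13, 0, 7),   # 2021.0.7
    (13, 1): (13, 1, 5),   # 2021.1.5
    (14, 0): (14, 0, 5),   # 2022.0.5
    (14, 1): (14, 1, 6),   # 2022.1.6
    (15, 0): (15, 0, 2),   # 2023.0.2
}

# Marketing-year major numbers normalised to the internal major number.
YEAR_TO_MAJOR = {2021: 13, 2022: 14, 2023: 15}


def parse_version(text):
    '''Parse '15.0.1', '2023.0.1' or 'v15.0.1' into an internal (major, minor, patch) tuple.'''
    parts = text.strip().lstrip('v').split('.')
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError('unrecognised MOVEit Transfer version: ' + repr(text))
    major, minor, patch = (int(p) for p in parts)
    return (YEAR_TO_MAJOR.get(major, major), minor, patch)


def assess(text):
    '''Return 'patched', 'vulnerable' or 'unknown branch' for one version string.'''
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # A branch the post does not list (older or newer) must be checked
        # against the vendor bulletin rather than guessed at here.
        return 'unknown branch'
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return 'patched' if version >= fixed else 'vulnerable'


def triage(inventory):
    '''Map each (host, version) pair to its status; unparseable strings are flagged, not skipped.'''
    report = {}
    for host, version in inventory:
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = 'unparseable'
    return report


# Constructed sample inventory for the demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    ('mft-01', '15.0.1'),      # one build short of 15.0.2
    ('mft-02', '2023.0.2'),    # same branch, reported in marketing-year form
    ('mft-03', '14.1.6'),      # exactly the fixed build
    ('mft-04', '2022.0.4'),    # older than 14.0.5
    ('mft-05', '12.1.9'),      # branch not covered by the post
    ('mft-06', 'unknown'),     # inventory gap, must not be silently dropped
]

if __name__ == '__main__':
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status)
```

<p>A result of vulnerable means only that the reported build predates the fix: it is a prompt to apply the bulletin, not proof of compromise, and a patched result says nothing about whether the host had already been exploited through CVE-2023-34362 before it was updated. Branches the post does not list come back as unknown branch and need to be checked against the vendor bulletin directly. Refresh the table from the bulletin before relying on it, since the post predates CVE assignment for these issues.<\/p>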
The gang either found or bought the CVE-2023-34362 vulnerability and <a href=\"https:\/\/www.kroll.com\/en\/insights\/publications\/cyber\/clop-ransomware-moveit-transfer-vulnerability-cve-2023-34362\" target=\"_blank\" rel=\"nofollow\">reportedly<\/a> started testing it against victims as far back as 2021.<\/p>\n<p>They were confident enough to hold a working exploit back, and didn&rsquo;t launch a large-scale campaign until the 2023 Memorial Day weekend in the US. This demonstrates a&nbsp;level of sophistication and planning that we rarely see in other ransomware groups.<\/p>\n<p>Victims of this exploitation wave are plentiful and new ones keep <a href=\"https:\/\/ltgov.illinois.gov\/news\/press-release.26572.html\" target=\"_blank\" rel=\"nofollow\">coming forward<\/a>. All the victims of this attack have been told to contact the Cl0p ransomware group before June 14, 2023 or &#8220;face the consequences,&#8221; which suggests that their data will be published online.<\/p>\n<h2>How to avoid ransomware<\/h2>\n<ul>\n<li><strong>Block common forms of entry.<\/strong> Create a plan for <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">patching vulnerabilities<\/a> in internet-facing systems quickly, and disable or <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/blunting-rdp-brute-force-attacks-with-rate-limiting\">harden remote access<\/a> like RDP and VPNs.<\/li>\n<li><strong>Prevent intrusions.<\/strong> Stop threats early, before they can infiltrate or infect your endpoints. Use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">endpoint security software<\/a> that can prevent exploits and malware used to deliver ransomware.<\/li>\n<li><strong>Detect intrusions.<\/strong> Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. 
Use <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">EDR<\/a> or <a href=\"https:\/\/www.malwarebytes.com\/business\/managed-detection-and-response\">MDR<\/a> to detect unusual activity before an intrusion turns into a full-blown attack.<\/li>\n<li><strong>Stop malicious encryption.<\/strong> Deploy Endpoint Detection and Response software like <a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">Malwarebytes EDR<\/a> that uses multiple detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.<\/li>\n<li><strong>Create offsite, offline backups.<\/strong> Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.<\/li>\n<li><strong>Don&rsquo;t get attacked twice.<\/strong> Once you&#8217;ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.<\/li>\n<\/ul>\n<hr \/>\n<p dir=\"ltr\">Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? 
Get a free trial below.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.malwarebytes.com\/business\/contact-us\/\" class=\"blue-cta-bttn\">TRY NOW<\/a><\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/more-moveit-vulnerabilities-found-while-the-first-one-still-resonates\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/exploits-and-vulnerabilities\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/ransomware\" rel=\"category tag\">Ransomware<\/a><\/p>\n<p>Tags: MOVEit<\/p>\n<p>Tags:  Progress<\/p>\n<p>Tags:  Cl0p<\/p>\n<p>Tags:  ransomware<\/p>\n<p>Tags:  CVE-2023-34362<\/p>\n<p>A security audit of the MOVEit code has revealed more SQL injection vulnerabilities, while victims of the first vulnerability are coming to the surface.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/more-moveit-vulnerabilities-found-while-the-first-one-still-resonates\" title=\"More MOVEit vulnerabilities found while the first one still resonates\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/06\/more-moveit-vulnerabilities-found-while-the-first-one-still-resonates\">More MOVEit vulnerabilities found while the first one still resonates<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[24873,29510,22783,29502,32,29501,3765],"class_list":["post-22219","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cl0p","tag-cve-2023-34362","tag-exploits-and-vulnerabilities","tag-moveit","tag-news","tag-progress","tag-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22219"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22219\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22219"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}