Three new vulnerabilities discovered in MOVEit


Clearly, the MOVEit secure file transfer software was particularly exposed to cyberattacks. Progress Software, the vendor of this software targeted by the Cl0p cybercriminals, has announced three new vulnerabilities, including one rated critical, alongside the release of a new set of updates.

The most concerning vulnerability (CVE-2023-36934), discovered by a Trend Micro researcher, allowed an unauthenticated attacker to access the MOVEit Transfer database via SQL injection. The second (CVE-2023-36932) is similar, except that the attacker had to be authenticated first, while the third could cause the application to stop.

Extortion without encryption

Progress Software had already disclosed three other critical vulnerabilities since the discovery, on May 31, of a serious flaw in its transfer software. That flaw, an SQL injection vulnerability in the application, had been massively exploited by the Cl0p cybercriminals from May 27 onward to steal documents exchanged through the service.

The two other critical vulnerabilities discovered (CVE-2023-35036 and CVE-2023-35708) also allowed an unauthenticated attacker to elevate their privileges and to extract or modify the software's database, ANSSI recalled in a report published a few days ago. However, these are not reported to have been exploited by attackers.

As of July 5, the Cl0p cybercriminals had nonetheless managed to add 80 organizations to their already long list of victims, including three French companies. This is extortion without encryption: the cybercriminals did not attempt to deploy ransomware, presumably to move as quickly as possible and avoid detection. As usual, they now threaten to publish the stolen data if the demanded ransom is not paid. The stolen data is also being offered for sale, raising fears of follow-on attacks.

Six vulnerabilities in all

With a total of six flaws discovered in two months, the reputation of MOVEit, which is supposed to be secure file transfer software, appears permanently damaged. The vendor is now even facing a class action brought in Massachusetts by plaintiffs, The Record reports. But Progress Software is not the first vendor of a secure transfer solution to attract the interest of cybercriminals.

As ANSSI reminds us, several other campaigns of the same type have been observed in recent years. And for good reason: this kind of software provides "immediate access to many documents, in particular data of interest", while "the search for vulnerabilities by the cybersecurity research community on these solutions seems limited". As such, the French agency, often described as the state's cyber-firefighter, considers that other similar software could in turn be targeted in the years to come. It is therefore wise to be very careful about the data stored on this kind of platform.
