Progress Software Alerts of New MOVEit Zero-Day Vulnerability – Quick Action Necessary
Progress Software has released an alert concerning a new vulnerability identified in its MOVEit Transfer file transfer software program. It is an exploit that is available in the public domain. The announcement is given since the Clop ransomware group begins to identify organizations that were attacked by taking advantage of a distinct zero-day bug in May. CISA verifies the victims including a number of government agencies.
The newest vulnerability, CVE-2023-35708, is a critical bug that enables privilege escalation and possible unauthorized access to the system. A security researcher on Twitter shared the Proof-of-Concept (PoC) exploit for the new zero-day vulnerability, though during release, code execution is not yet reached. The Clop group attacks show that it’s possible to weaponize MOVEit vulnerabilities and they are taken advantage of in mass attacks. Therefore, mitigations must be enforced right away and patches implemented when they are launched.
MOVEit Transfer Zero Day Mitigations and Solutions
As per Progress Software, all end users need to do something to handle the most recent MOVEit zero-day bug. The actions that must be undertaken are determined by whether patches were used. The patch for the zero-day vulnerability (CVE-2023-34362) exploited by Clop was released on May 31, 2023. The patch for the second critical SQL injection vulnerability (CVE-2023-35036) was released on June 9. Both patches and remediation actions must be implemented first. If they were not yet done, then use the June 15, 2023 patch to correct the third zero-day vulnerability (CVE-2023-35708).
If it isn’t possible to quickly use the June 15, 2023 patch, users must deactivate all HTTP and HTTPs to block traffic going to the MOVEit Transfer environment (ports 80 and 443) right away to avoid unauthorized access. HTTP and HTTPs traffic must not be re-activated until the application of the June 15, 2023 patch. Although this mitigation will keep users logging into their accounts through the web user interface, transfers will remain available because the SFTP and FTP/s protocols will still function, and admins can still access MOVEit Transfer by linking to the Windows server through remote desktop, and then going to https://localhost/
Information on patching the three vulnerabilities and the mitigation actions are available in the most recent Progress Software advisory.
Progress Software stated that it took down the HTTPs traffic for MOVEit Cloud because of the recently identified vulnerability and is requesting all MOVEit Transfer clients to quickly stop their HTTP and HTTPs traffic to protect their environments until the patch is completed.
Clop Begins Posting the Names of Victims on Its Data Leak Site
The Clop gang professed responsibility for the attacks which took advantage of the May 2023 vulnerability (CVE-2023-34362), and although the number of victims is not known, a few hundred organizations are known to have been impacted. Clop gave until June 14, 2023, for the victims to pay the ransom demand, after which the stolen data will be leaked by the group. On June 14, the group started publishing the names on its data leak site including the oil and gas corporation Shell, the University System of Georgia (USG), the University of Georgia (UGA), UnitedHealthcare Student Resources (UHSR), Heidelberger Druck, Landal Greenpark, and Putnam Investments. A number of other companies including Aer Lingus, Zellis, Boots, and the BBC, have stated that they were impacted though their names are not yet posted on the data leak website.
Government Agencies Affected by Clop Attack
The Cybersecurity and Infrastructure Security Agency (CISA) has reported that it is helping a number of government agencies that suffered Clop gang attack through exploitation of the May 2023 vulnerability. CISA executive assistant director for cybersecurity, Eric Goldstein, stated that it is presently attempting to know the effect of those attacks. According to CISA Director, Jen Easterly, the opportunistic May 2023 attacks were not really targeting government agencies. Clop is a ransomware group from Russia, but it is believed the attacks are not connected to the government of Russia. Government agencies that were impacted by the attack include two entities within the Energy Department.
Active Exploitation of Critical Vulnerability in VMware Aria Operations for Networks
VMware confirms the exploitation in the wild of the remote code execution vulnerability in the network analytics tool called VMware Aria Operations for Networks (formerly known as vRealize Network Insight). The vulnerability is monitored as CVE-2023-20887 with a CVSS severity rating of 9.8. It is fixed in the newest version of the analytics tool.
On June 13, 2023, security researcher Sina Kheirkhah of Summoning Team published a proof-of-concept exploit for the pre-authentication command injection vulnerability. Vulnerability exploitation on unpatched systems began two days afterward. Experts at the cybersecurity company GreyNoise found a mass-scanning activity to distinguish unpatched systems immediately after publishing the PoC exploit. This is one among three new vulnerabilities identified in VMware Aria Operations for Networks. The other vulnerabilities are another critical vulnerability tracked as CVE-2023-20888, and an important vulnerability tracked as CVE-2023-20889. VMWare introduced patches to correct all three vulnerabilities about two weeks back. Kheirkhah identified all three and reported it to VMWare, however, the exploited CVE-2023-20887 vulnerability was earlier found and reported to VMware by an unknown security specialist.
A malicious actor can exploit CVE-2023-20887 if with network access to VMware Aria Operations for Networks during a command injection attack that could result in remote code execution. A malicious actor can exploit CVE-2023-20888 if with network access to VMware Aria Operations for Networks and permits a deserialization attack, leading to remote code execution. Exploiting the third vulnerability could allow a command injection attack that leads to data sharing.
VMware states there is no other solution. The only way to deal with the vulnerabilities is to upgrade to a fixed version https://www.vmware.com/security/advisories/VMSA-2023-0012.html. All VMware Aria Operations Networks 6.x on-prem installations should be patched to avoid exploitation. All three vulnerabilities are resolved in version KB92684.
PoC Exploit Released for CISCO AnyConnect Secure Vulnerability
There is a proof-of-concept exploit code available for a high-severity vulnerability in Cisco Secure Client Software for Windows and
AnyConnect Secure Mobility Client Software for Windows. To prevent exploitation, customers should apply the patch immediately. Malicious actors have targeted unpatched vulnerabilities in Cisco Secure Client Software before.
Cisco Secure Client Software is a remote access solution that makes it possible for workers to be connected to the network anywhere through a Virtual Private Network and IT admins use it for endpoint management. The vulnerability is monitored as CVE-2023-20178 and has a CVSS base rating of 7.8.
The vulnerability impacts the client update procedure. An authenticated, local attacker could exploit the vulnerability to change privileges to the SYSTEM level. Incorrect permissions on a temporary directory that is created at the time of the update process resulted in the vulnerability, which could be exploited by abusing a particular functionality of the Windows installer process. The vulnerability can be exploited in an attack with low complexity and doesn’t call for user interaction. Security researcher, Filip Dragovic, discovered the vulnerability and reported it to CISCO. He just released the PoC exploit after being able to test it on AnyConnect Secure Mobility Client version 4.10.06079 and Secure Client version 5.0.01242.
According to CISCO, there is no other solution to fixing the vulnerability except patching. A patch to address the vulnerability was provided on June 13, 2023. During the time of release, there were no discovered cases of exploitation. The vulnerability has been addressed in Cisco Secure Client for Windows 5.0MR2 and AnyConnect Secure Mobility Client for Windows 4.10MR7.
