Progress Software has issued a security advisory about another zero-day bug in its MOVEit Transfer file transfer solution that requires immediate mitigation. The flaw can be exploited to escalate privileges and potentially allow access to customers’ environments. Progress Software released a patch to fix the vulnerability, tracked as CVE-2023-35708, on June 15, 2023; however, patches for two previous zero-day vulnerabilities should be applied before the latest flaw is addressed – the CVE-2023-34362 vulnerability that was patched on May 31, 2023, and the CVE-2023-35036 vulnerability that was patched on June 9, 2023.
If for any reason the patches cannot be immediately applied, action should be taken to prevent unauthorized access until the issues are addressed. Users should immediately disable all HTTP and HTTPs traffic to the MOVEit Transfer environment by modifying the firewall to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443. The firewall rules should not be updated to permit HTTP and HTTPs traffic until the June 15 patch has been applied.
This mitigation will prevent users from logging into the MOVEit Transfer web UI, and MOVEit Automation tasks that use the native MOVEit Transfer host will no longer work. REST, Java, and .NET APIs and the MOVEit Transfer add-in for Outlook will also not work, although the SFTP and FTP/s protocols will continue to work as normal and admins will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. The mitigations and security alerts about all three MOVEit zero days are detailed in the Progress Software security alert.
The Clop ransomware group exploited the CVE-2023-34362 vulnerability in mass attacks in late May and is believed to have known about the vulnerability since at least 2021. The group claims several hundred companies have been attacked by exploiting the vulnerability. Ransom demands were issued with a deadline of June 14 for payment. A dozen companies were listed on the group’s data leak site on Wednesday. Emsisoft Threat Analyst, Brett Callow, said there have been 50 confirmed victims of the attacks so far. The latest confirmed victim is the Oregon Department of Transportation. The identities of 3.5 million Oregonians are believed to be at risk due to the attack, which involved 90% of Oregonians’ driver’s licenses and state IDs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that some federal agencies fell victim to the Clop attacks and said it is providing assistance. CISA Director, Jen Easterly, said at this stage of the investigation it does not appear that specific, high-level information was stolen, and said “This is not a campaign like SolarWinds that presents a systemic risk to our national security.”