Horizon3 security researchers have released a proof-of-concept (PoC) exploit for a critical remote code execution (RCE) vulnerability in Progress MOVEit Transfer, a flaw the Clop ransomware gang has already exploited in the wild in data theft attacks.
The vulnerability, tracked as CVE-2023-34362, allows unauthenticated attackers to access unpatched MOVEit Transfer servers and execute arbitrary code on them. After the large-scale exploitation by Clop came to light, Progress released security updates addressing the bug and urged customers to apply them promptly. Alongside the PoC exploit, Horizon3 published indicators of compromise (IOCs) to help defenders determine whether their servers have already been exploited.
The PoC chains two weaknesses: an SQL injection is first used to obtain a sysadmin-level API access token without credentials, and that token is then used to reach a deserialization call that, fed attacker-controlled data, yields remote code execution. Because the first step needs no authentication, any internet-exposed, unpatched server is reachable by the full chain.
Although the public exploit is expected to prompt more threat actors to launch attacks or build customized versions of it, the widespread coverage of the vulnerability has likely reduced the number of unpatched MOVEit Transfer servers exposed to the internet since Clop's initial wave of attacks.
The Clop ransomware gang, which has claimed responsibility for the data theft attacks exploiting the MOVEit Transfer zero-day (CVE-2023-34362), has been linked by Microsoft to the threat actor it tracks as Lace Tempest. Evidence suggests that Clop had been experimenting with ways to exploit the now-patched vulnerability since 2021, along with methods for extracting data from compromised MOVEit servers.
Numerous organizations have reported data breaches resulting from these attacks, including EY, the Irish Health Service Executive (HSE), and UK payroll provider Zellis, along with Zellis customers such as British Airways and Aer Lingus.
The Clop gang has a history of targeting vulnerabilities in managed file transfer platforms, as seen in previous campaigns against Accellion FTA servers, SolarWinds Serv-U Managed File Transfer, and GoAnywhere MFT. Progress has since issued patches for additional SQL injection vulnerabilities discovered in MOVEit Transfer, noting that these flaws could likewise let unauthenticated attackers reach the MOVEit database and steal sensitive information, and urging customers to apply the new updates as well.