Last updated Thursday, August 10, 2023, 20:59:08 GMT

The following article was written by Drew Burton and Cynthia Wyre.

Rapid7 continues to track the impact of CVE-2023-34362, a critical zero-day vulnerability in Progress Software's MOVEit Transfer solution. CVE-2023-34362 allows SQL injection, which can result in unauthorized access to sensitive data such as passwords, credit card details, or users' personal information.

Rapid7 is not currently seeing evidence that commodity or low-skill attackers are exploiting the vulnerability. However, the exploitation of available high-value targets globally across a wide range of organization sizes, verticals, and geographic locations indicates that this is a widespread threat. We expect to see a longer list of victims come out as time goes on.

We’ve put together a timeline of events to date for your reference.

MOVEit Timeline

May 27-28: Rapid7 services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).

May 31: Progress Software publishes an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.

May 31: Rapid7 begins investigating exploitation of MOVEit Transfer.

June 1: Rapid7 publishes an initial analysis of MOVEit Transfer attacks after responding to incidents across multiple customer environments.

June 1: The security community publishes technical details and indicators of compromise.

June 1: Compromises continue; Rapid7 responds to alerts.

June 1: CISA publishes a security advisory.

June 2: CVE-2023-34362 is assigned to the zero-day vulnerability.

June 2: Mandiant attributes the attack to a threat cluster with unknown motives.

June 2: Velociraptor releases an artifact to detect exploitation of the MOVEit File Transfer critical vulnerability.

June 4: Rapid7 publishes a method to identify which data was stolen.

June 4: Nova Scotian government discloses it is investigating privacy breach.

June 5: Microsoft attributes the attack to Lace Tempest, a Cl0p ransomware affiliate that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).

June 5: UK companies BA, BBC, and Boots disclose breaches as victims of the MOVEit file transfer attacks.

June 5: The Cl0p ransomware group claims responsibility for the zero-day attacks.

June 6: Security firm Huntress releases a video allegedly reproducing the exploit chain.

June 6: The Cl0p ransomware group publishes a communication on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.

June 7: CISA releases a #StopRansomware Cybersecurity Advisory regarding MOVEit File Transfer vulnerability CVE-2023-34362.

June 9: Progress Software updates its advisory to include a patch for a second MOVEit Transfer vulnerability, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned CVE-2023-35036.

June 12: Rapid7 releases a full exploit chain for MOVEit Transfer vulnerability CVE-2023-34362.

June 15: Progress discovers a new vulnerability, CVE-2023-35708, and publishes an advisory.

July 6: Progress discloses three additional CVEs in MOVEit Transfer. CVE-2023-36934 is a critical, unauthenticated SQL injection vulnerability. CVE-2023-36932 is a high-severity SQL injection vulnerability that could allow authenticated attackers to gain access to the MOVEit Transfer database. CVE-2023-36933 is an exception handling issue that could allow an attacker to crash the application. Mitigation directions and the latest versions are in Progress Software's advisory here.

Mitigation

All MOVEit Transfer versions before May 31, 2023 are vulnerable to CVE-2023-34362, and all MOVEit Transfer versions before June 9, 2023 are vulnerable to CVE-2023-35036. As noted above, fixed versions of the software are available, and patches should be applied on an emergency basis.

Patches are available via Progress Software's CVE-2023-34362 advisory. Additionally, because CVE-2023-34362 is a zero-day vulnerability, Progress Software is advising MOVEit Transfer and MOVEit Cloud customers to check for indicators of unauthorized access over "at least the past 30 days."

According to the company's status page, Progress also took the following steps aimed at increasing security monitoring and defending against further exploitation or attack:

  • Developed specific monitoring signatures on Progress’ endpoint protection system.
  • Validated that the newly developed patch corrected the vulnerability.
  • Tested detection rules before finalizing to ensure that notifications are working properly.
  • Engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident.

As noted in the timeline above, Rapid7 has added capabilities across our portfolio that can help users identify and resolve risk from CVE-2023-34362. We have also identified a method to identify exfiltrated data from compromised MOVEit customer environments.

To learn more, check out: Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability