A third MOVEit vulnerability is patched as Cl0p ransom notes arrive.
By Tim Nodar, CyberWire senior staff writer.
Jun 20, 2023

Another vulnerability in MOVEit has been found and patched as Cl0p continues its ransomware campaign.

A third MOVEit vulnerability is patched as Cl0p ransom notes arrive.

Progress Software has disclosed and patched a third vulnerability in its MOVEit file transfer application. The flaw is a SQL injection vulnerability (CVE-2023-35708) that could allow an attacker to “submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.” A proof-of-concept for the vulnerability was published on June 15th.

The company stated, “We have not seen any evidence that the vulnerability reported on June 15 has been exploited. Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity. Because the new vulnerability we reported on June 15 had been publicly posted online, it was important that we take immediate action out of an abundance of caution to quickly patch the vulnerability and disable MOVEit Cloud.

“Our product teams and third-party forensics partner have reviewed the vulnerability and associated patch and have deemed that the issue has been addressed. This fix has been applied to all MOVEit Cloud clusters and is available for MOVEit Transfer customers.”

US offers reward for information on Cl0p ransomware gang.

Ransom demands have begun to arrive at US Government agencies and other victims. According to Reuters, the US Department of Energy has received two such notices.

BleepingComputer reports that the US State Department's Rewards for Justice program is offering up to $10 million for information tying the Cl0p ransomware gang to a foreign government. Cl0p has used the MOVEit vulnerabilities to compromise at least two dozen entities, including some US government agencies, SecurityWeek reports

Industry expert sees this as an instance of third-party risk.

Marc Gaffan, CEO of IONIX, commented, “Enterprises increasingly rely on third-party web services, vendors, and platforms to accelerate growth, scale operations, and increase efficiencies. What they are also doing is increasing their attack surface. For all the go-to-market and bottom-line benefits, there is a real security risk involved. A partner's security problems quickly become yours in a connected digital supply chain. Accelerating zero-day response is one of the most impactful benefits of attack surface management. MOVEit is just the latest example of how one impacted organization can lead to problems for hundreds of others. These impacted organizations often need more visibility into their IT landscape, let alone their digital supply chain. In less than a month, the third SQL injection vulnerability shows how these services are frequently targeted and often fragile.”

(Added 12:45 PM ET, June 20th, 2023. From Jeff Shiner, CEO of 1Password, pointed out that this incident isn't a one-off. "While the MOVEit breach was unique to its file-sharing software, it shows just how vulnerable our online information truly is," he wrote. "Cybersecurity attacks continue to rise and will become increasingly sophisticated and complex as generative AI continues to evolve. But there are some simple things that individuals can do to help reduce their risk if caught in a breach. These include keeping your devices and software up to date, utilizing strong, unique passwords for all your accounts, and keeping a close eye on your credit and personal identification information, so you can take timely action if needed to protect your important information.")

(Added, 9:45 AM ET, June 22nd, 2023. Dale Zabriskie, Field CISO at Cohesity. elaborated with comments on how convenience can be in tension with security. "The MOVEit transfer threat incident exemplifies how file-transfer applications and other SaaS offerings are now a double-edged sword, popular not only among businesses but also with ransomware groups who know these assets are a top source from which to steal sensitive data. For business leaders, particularly CISOs, it is paramount to tighten up their organizations’ security posture, including their entire software supply chain, to determine if they have become vulnerable to the Clop attack. And, to ensure compliance and security isn’t compromised, effective patch management, supply-chain security and always-on observability of their IT environments must become a business priority.”)