CVE-2023-34362 Detection: Critical MOVEit Transfer Zero-Day Flaw Actively Exploited By Threat Actors to Steal Data from Organizations
Hot on the heels of the maximum-severity GitLab flaw tracked as CVE-2023-2825, another critical vulnerability has arrived, creating a significant buzz in the cyber threat landscape. At the turn of June 2023, Progress Software disclosed a critical vulnerability in MOVEit Transfer that could lead to escalated privileges and unauthorized access, and immediately issued a security advisory covering mitigation measures and remediation steps. In response to the escalating risk of exploitation, CISA released a corresponding alert urging organizations to take note of the threat and strengthen their cybersecurity posture.
Update: As of June 2, 2023, the MOVEit Transfer flaw is tracked as CVE-2023-34362 and has been added to CISA’s Known Exploited Vulnerabilities Catalog; a CVSS score had not yet been assigned at the time of writing.
Detecting Exploits for a CVE-2023-34362 Zero-Day in MOVEit Transfer Application
New week, new zero-day posing a significant threat to cyber defenders. To stop MOVEit Transfer zero-day exploits from doing significant damage to your systems, use the following set of Sigma rules released by SOC Prime’s threat hunting engineers:
Possible MOVEit Transfer Exploitation Indicator [MOVEit Transfer 0Day] (via file_event)
Possible MOVEit Transfer Exploitation Attempt [MOVEit Transfer 0Day] (via process_creation)
Suspicious App_Web Dynamic Library Creation Attempt [MOVEit Transfer 0Day] (via file_event)
Possible MOVEit Transfer Exploitation Attempt [MOVEit Transfer 0Day] (via webserver)
Also, to simplify the content search, cybersecurity professionals can apply the “MOVEit” tag to explore all relevant detections, either in SOC Prime’s Sigma Rules Search Engine or inside the Threat Detection Marketplace itself.
All the detection algorithms for CVE-2023-34362 are compatible with 25+ SIEM, EDR, XDR, and BDP formats and aligned with the MITRE ATT&CK framework v12, addressing the Initial Access and Defense Evasion tactics with Exploit Public-Facing Application (T1190) and Masquerading (T1036) as the corresponding techniques (the attacker’s web shell name, human2.aspx, imitates the legitimate human.aspx login page).
By clicking the Explore Detections button, organizations can gain instant access to even more detection algorithms aimed to help identify the malicious behavior linked to the exploitation of trending vulnerabilities.
MOVEit Transfer Critical Vulnerability Analysis
On the last day of May 2023, Progress Software published a security notice on a newly revealed MOVEit Transfer vulnerability, later assigned CVE-2023-34362, which allows adversaries to gain unauthorized access to affected systems and has been used in data theft attacks.
To promptly warn cyber defenders of the growing risk of exploitation attempts, Progress Software has shared details of this SQL injection flaw. According to the vendor’s advisory, all MOVEit Transfer versions may be affected, which calls for an immediate response from cyber defenders.
To promptly identify a compromise in the corporate environment in the event of successful exploitation, CISA urges organizations to follow the mitigation recommendations issued by Progress Software: disable all HTTP and HTTPS traffic to the MOVEit Transfer environment (SFTP and FTP/S transfers continue to work, but the web UI and API are unreachable until the patch is applied), delete any unauthorized files and user accounts, reset service account credentials, apply the patches as soon as possible, continuously monitor the infrastructure for threats, and follow industry best practices to improve cyber hygiene.
GreyNoise has reported scanning activity against the MOVEit Transfer login page dating back to early March 2023. Of the IPs observed, five were classified as malicious, which points to earlier adversary activity potentially linked to exploitation attempts.
According to a Reddit thread focused on the exploit, attackers drop a web shell named human2.aspx, which lets them enumerate all folders, files, and users within the affected MOVEit environment, download any file from the targeted system, and bypass credential checks to steal sensitive data and spread further. Defenders should check the MOVEit Transfer web root (wwwroot) for unexpected .aspx files such as human2.aspx, and review IIS logs for requests to them.
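As an added illustration (not SOC Prime’s Sigma rules and not code from Progress Software), the Python script below applies the ideas behind the webserver and file_event rules listed in the detection section, together with the human2.aspx web shell described just above, to constructed log lines: requests for .aspx pages the web root should not serve, an .aspx written into the MOVEit web root, and the App_Web_*.dll that ASP.NET compiles when a freshly dropped page is first requested. The install path, the allow-list of expected pages, the log field layouts and every sample event are assumptions made for this example.

```python
"""Detection walkthrough for CVE-2023-34362 post-exploitation artifacts.

Added example: not SOC Prime's Sigma rules and not Progress Software code.
Install path, expected-page allow-list, log layouts and sample events are
assumptions constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

MOVEIT_WWWROOT = r"c:\moveittransfer\wwwroot"      # assumed MOVEit Transfer web root
EXPECTED_PAGES = {"/human.aspx"}                    # assumed allow-list (login page)
ASPNET_TEMP_MARKER = r"\temporary asp.net files"    # where ASP.NET writes App_Web_*.dll
APP_WEB_RE = re.compile(r"\\app_web_[^\\]+\.dll$")  # compiled-page assembly name
TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Finding:
    when: datetime
    rule: str
    detail: str


def parse_iis(lines):
    """Constructed W3C subset: date time c-ip cs-method cs-uri-stem sc-status."""
    rows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, uri, status = line.split()
        rows.append((datetime.strptime(f"{date} {time}", TS_FMT), ip, method, uri.lower(), int(status)))
    return rows


def detect_webserver(lines):
    """'via webserver' idea: flag any .aspx the web root is not expected to serve
    (human2.aspx is not a MOVEit page), whatever the status code: the shell is
    probed before it exists, so a 404 for it is still a lead."""
    findings = []
    for when, ip, method, uri, status in parse_iis(lines):
        path = uri.split("?", 1)[0]
        if path.endswith(".aspx") and path not in EXPECTED_PAGES:
            findings.append(Finding(when, "unexpected_aspx_request", f"{ip} {method} {path} -> {status}"))
    return findings


def parse_file_events(lines):
    """Constructed Sysmon Event ID 11 style lines: 'timestamp|Image|TargetFilename'."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ts, image, target = line.split("|", 2)
        rows.append((datetime.strptime(ts, TS_FMT), image, target))
    return rows


def detect_file_events(lines):
    """'via file_event' ideas: an .aspx written under the web root, and an
    App_Web_*.dll compiled under Temporary ASP.NET Files."""
    findings = []
    for when, image, target in parse_file_events(lines):
        t = target.lower()
        if t.startswith(MOVEIT_WWWROOT + "\\") and t.endswith(".aspx"):
            findings.append(Finding(when, "aspx_written_to_webroot", f"{image} wrote {target}"))
        elif ASPNET_TEMP_MARKER in t and APP_WEB_RE.search(t):
            findings.append(Finding(when, "app_web_dll_created", f"{image} wrote {target}"))
    return findings


def correlate(findings, window=timedelta(minutes=5)):
    """App_Web_*.dll creation is normal ASP.NET behaviour on its own (e.g. after a
    patch or a first visit to a page), so it only raises confidence when it
    follows an .aspx drop into the web root within `window`."""
    drops = [f.when for f in findings if f.rule == "aspx_written_to_webroot"]
    dlls = [f.when for f in findings if f.rule == "app_web_dll_created"]
    requests = [f for f in findings if f.rule == "unexpected_aspx_request"]
    chained = any(timedelta(0) <= d - a <= window for a in drops for d in dlls)
    if drops and (chained or requests):
        return "high"
    if drops or requests:
        return "medium"
    return "low" if dlls else "none"


def triage(iis_lines, file_lines):
    findings = detect_webserver(iis_lines) + detect_file_events(file_lines)
    findings.sort(key=lambda f: f.when)
    return findings, correlate(findings)


# Constructed sample data (not real logs): a probe for the shell, the drop, then use of it.
SAMPLE_IIS = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2023-05-28 03:14:07 203.0.113.5 GET /human.aspx 200",
    "2023-05-28 03:14:12 203.0.113.5 GET /human2.aspx 404",
    "2023-05-28 03:14:45 203.0.113.5 POST /human2.aspx 200",
    "2023-05-28 03:15:01 198.51.100.9 GET /human.aspx 200",
]
SAMPLE_FILE_EVENTS = [
    r"2023-05-28 03:14:30|C:\Windows\System32\inetsrv\w3wp.exe|C:\MOVEitTransfer\wwwroot\human2.aspx",
    r"2023-05-28 03:14:41|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\3a1f9c2e\8b7d6e5f\App_Web_xk2mq9rt.dll",
    r"2023-05-28 03:20:00|C:\Windows\System32\inetsrv\w3wp.exe|C:\MOVEitTransfer\wwwroot\images\logo.png",
]

if __name__ == "__main__":
    found, verdict = triage(SAMPLE_IIS, SAMPLE_FILE_EVENTS)
    for f in found:
        print(f.when, f.rule, f.detail)
    print("verdict:", verdict)
```

On the sample data the script reports four findings in time order (the 404 probe, the .aspx drop, the App_Web DLL, the successful POST) and a "high" verdict; an App_Web_*.dll on its own only yields "low", which is the caveat to keep in mind before paging anyone on that rule alone. In production the allow-list of expected pages must be built from the actual MOVEit install, and the web root path adjusted accordingly.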
To instantly hunt for relevant IOCs, explore Uncoder AI that enables security engineers to automatically convert file, host, or network indicators of compromise into custom IOC queries ready to run in the selected SIEM or EDR environment. And that’s not all – the tool acts as an ultimate solution for any detection engineer and threat hunter to streamline daily ad-hoc operations, like threat research, rule coding backed by autocompletion, validation, content translation, and more from a single place.