New PoC released for MOVEit SQL injection vulnerability

Target Industry

Indiscriminate, opportunistic attacks.

Overview

A new Proof of Concept (PoC) has been disclosed for an SQL injection vulnerability in the MOVEit Transfer file transfer service that allows attackers to manipulate the application's SQL database without first authenticating. It is unclear where the PoC was initially posted, but a researcher was seen sharing a screenshot that shows the application being successfully exploited. At the time of writing no security patch for the vulnerability has been released; MOVEit's vendor, Progress Software, is urging customers to block HTTP and HTTPS traffic to MOVEit Transfer as a temporary precaution until a fix is available.

This class of attack targets public-facing input fields: the attacker enters values in a form that the server fails to distinguish from the SQL statement it builds around them, so the input is parsed and executed as part of the query rather than treated as data. In this case, fields on the web-facing login page are not correctly sanitised before the server incorporates them into database queries.
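To make the mechanism concrete, the following is an added example written for this bulletin in Python against an in-memory SQLite database. It is not MOVEit's code, and the table, user records and attacker inputs are constructed for the illustration rather than taken from the disclosed PoC. It shows a login query built by string concatenation being bypassed and then used to dump the users table, the same check made safe with a parameterised query, and a coarse input heuristic of the kind a WAF rule or log review might use, together with its false-positive caveat.

```python
"""Added illustration of the login-field SQL injection pattern.

Not MOVEit's code: the schema, users and attacker inputs below are
constructed for the demonstration and do not reproduce the disclosed PoC.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "c0rrect-h0rse", "administrator"), ("alice", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable login: untrusted input is spliced into the SQL text.

    A quote character in the input closes the string literal, so the rest
    of the input is parsed as SQL rather than compared as a value.
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened login: values are bound as parameters and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Coarse detection heuristic: a quote followed by a comment marker, statement
# separator or SQL keyword. Useful as a WAF or log-review signal, but it is
# not a fix: legitimate values such as "D'or" trip it, and encoded or
# keyword-free payloads evade it. Parameterised queries are the remediation.
INJECTION_PATTERN = re.compile(r"'\s*(--|;|\bor\b|\bunion\b)", re.IGNORECASE)


def looks_like_injection(value: str) -> bool:
    """Return True when the input contains a quote followed by SQL syntax."""
    return INJECTION_PATTERN.search(value) is not None


# Constructed attacker inputs. SQLite, like most engines, treats "--" as a
# comment to end of line, which discards the password check entirely.
BYPASS_USERNAME = "admin' --"
DUMP_USERNAME = "' UNION SELECT username, password FROM users --"


def demo() -> dict:
    """Run legitimate and malicious inputs through both login paths."""
    conn = make_db()
    return {
        # Normal credentials work on both paths.
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "legit_safe": login_safe(conn, "alice", "hunter2"),
        # Authentication bypass: the password clause is commented out.
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "bypass_safe": login_safe(conn, BYPASS_USERNAME, "wrong"),
        # Exfiltration: UNION pulls every credential through the login query.
        "dump_vulnerable": sorted(login_vulnerable(conn, DUMP_USERNAME, "wrong")),
        "dump_safe": login_safe(conn, DUMP_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

Running the block prints each path's result. The point to take from it is that the hardened path returns no rows for either payload because bound parameters are compared as data, whereas the heuristic only flags suspicious input and belongs in detection and triage, not in the fix.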

The disclosed vulnerability is one of several SQL injection vulnerabilities found in the application. Before this discovery, the Clop ransomware group was observed stealing sensitive customer data by exploiting an earlier MOVEit Transfer SQL injection flaw as a zero-day; a further SQL injection vulnerability, CVE-2023-35036, was subsequently disclosed and patched. Clop is believed to have been experimenting with MOVEit exploitation since 2021. Quorum Cyber threat intelligence bulletins have covered these earlier vulnerabilities, which have since been patched; one of them was exploited by the Clop group.

Impact

If exploited, the SQL injection vulnerability would allow attackers to compromise accounts, manipulate or destroy data, or exfiltrate large amounts of data held in the application's database.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, provides additional protection against known threats. An EDR can alert defenders to a potential breach and block further progress before malware or an exploited vulnerability causes significant damage. Note that EDR does not prevent the injection itself, which takes place inside the application's database queries; its value here is in detecting post-exploitation activity on the MOVEit Transfer host, such as unexpected files or processes created by the web application.

Affected Products

MOVEit Transfer.

Containment, Mitigations & Remediations

As mentioned above, an EDR solution should be deployed to allow prevention or mitigation of attacks from a wide range of threats in real time.

All devices should be kept on the most recent vendor updates available, as these contain the security fixes that prevent exploitation of known vulnerabilities.

As recommended by the vendor, HTTP and HTTPS traffic to MOVEit Transfer (ports 80 and 443) should be blocked at the firewall as a temporary precaution. This disables the web interface and any integrations that rely on it, so confirm from outside the network that both ports are unreachable; file transfers over SFTP and FTPS are unaffected by the block.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

MOVEit Transfer is used by a wide range of large organisations to transfer sensitive information. This makes it a prime target: once an attacker has gained initial access, the server can be used as a platform for data theft, malware deployment or lateral movement.

As many applications do, it uses an SQL database to store information such as account credentials and details. Such databases have always been prime targets, since malformed input to a vulnerable front end can let an unauthenticated attacker exfiltrate large amounts of sensitive data with ease.

Threat Group

Although there is no evidence that the Clop ransomware group has used this new vulnerability, they have previously been seen using similar exploits to exfiltrate data for extortion.

The Russian-speaking group was first seen in February 2019. Six suspected members were arrested in June 2021 following a coordinated international law enforcement operation, but the group's operations have continued. Initially focused on deploying ransomware, the group has since shifted towards data exfiltration and extortion, based on its more recent attacks.

Mitre Methodologies

Initial Access

T1190 – Exploit Public-Facing Application

Further Information

MOVEit Transfer customers warned of new flaw as PoC info surfaces

Ransomware Spotlight: Clop

CVE-2023-35036

Further MOVEit critical vulnerabilities discovered

MOVEit Transfer zero-day vulnerability exploited by threat actors

 
