CISA Warning: MOVEit Has Yet Another Zero-Day SQL Injection RCE Bug [updated]

Mark Quashie, a/k/a The Mad Stuntman

Hundreds of government agencies and companies believed breached.

Now there’s a third SQLi flaw in MOVEit—and it has a published exploit. Progress Software MOVEd quickly to issue an emergency patch, but at this point it seems like the firm’s playing a hapless game of Whac-A-Mole. There’s clearly a systemic lack of input sanitation here.

To misquote 007 creator Ian Fleming: Once is happenstance, twice is coincidence, three times is sheer incompetence. In today’s SB Blogwatch, we’re shaken—not stirred—by enemy action.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mark Quashie (pictured) and Erick Morillo (RIP). [Article updated to add Ericka Chickowski’s reax, to clarify that the “hundreds” of organizations aren’t only in the U.S. and to note the exploit is a public PoC.]

Alt. Angle: Russia-Russia-Russia Cl1p Cl0p

What’s the craic? Sean Lyngaas reports—“US government agencies hit in global cyberattack”:

Sprawling hacking campaign
CISA … “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said. … Aside from US government agencies, “several hundred” companies and organizations in the US could be affected [said] a senior CISA official.

Clop, the ransomware gang allegedly responsible … last week claimed credit for some of the hacks, which have also affected employees of the BBC, British Airways, oil giant Shell, and state governments in Minnesota and Illinois, among others. [It] is one of numerous gangs in Eastern Europe and Russia that are almost exclusively focused on wringing their victims for as much money as possible.

The news adds to a growing tally of victims of a sprawling hacking campaign. … Progress Software, the US firm that makes the software exploited by the hackers, said it had discovered [yet another] vulnerability [and has] “taken MOVEit Cloud offline as we urgently work to patch the issue.”

Want more? Ericka Chickowski has more—“MOVEit Attacks Strike”:

Yet another wake-up call
A global attack campaign fueled by a vulnerability in MOVEit Transfer, a popular file transfer application, has now struck the U.S. Department of Energy, several other U.S. agencies and a spate of state government organizations and educational institutions. The reach of these attacks has expanded rapidly.

The impact on federal agencies from this attack campaign is yet another wake-up call that they need to embrace FedRAMP requirements. … Additionally, it’s a reminder to all organizations that securing the software supply chain isn’t just a matter of shoring up internal secure coding initiatives.

Got any details of this latest vulnerability? Sergiu Gatlan obliges—“MOVEit Transfer customers warned of new flaw”:

Testing exploits … since 2021
Progress didn’t share … details on this … new SQL injection (SQLi) vulnerability [but] at least one security researcher has shared information [about a] proof-of-concept exploit code. … The vulnerability had already been disclosed to Progress with the help of Huntress.

The disclosure likely also prompted the company’s warning [which] follows another advisory published [last week] that disclosed critical SQL injection vulnerabilities collectively tracked as CVE-2023-35036 and discovered following a security audit initiated on May 31, when Progress issued patches for a flaw (CVE-2023-34362) exploited as a zero-day.

Clop [said they] breached the MOVEit servers of “hundreds of companies.” … Kroll also found evidence that Clop has been testing exploits for the … MOVEit zero-day since 2021.

Uh, two years ago? Scott Downie, Devon Ackerman, Laurie Iacono and Dan Cox clarify this nuance—“Since 2021”:

July 2021
Threat actors … were likely experimenting with ways to exploit this particular vulnerability as far back as 2021. [We] found evidence of similar activity occurring … in some cases as early as July 2021.

Yikes. What will MOVEit’s maker say for itself? Progress pulls no punches—“Critical Vulnerability — CVE-2023-35708”:

Customers must apply the patch
Progress has discovered … a SQL injection vulnerability … in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. … It is extremely important that you take immediate action … to help protect your MOVEit Transfer environment.

All MOVEit Transfer Customers must apply the patch for CVE-2023-35708. … Please read the README.txt before attempting the DLL Drop-in Install. Do not leave old versions of these DLL files on the system. They must be completely removed, not just renamed.

This is huge, right? jurynulifcation returns a Guilty verdict:

I think this is likely to be on par with or even eclipse SolarWinds. … It has so far compromised multiple DMVs, some US federal energy entities, British Airways, some Canadian provincial governments, and more.

Wait. Pause. SQL injection? In 2023? Meet Mike 137:

Once again (yawn). … For the umpteen millionth time—why do these elementary cock-ups still get perpetrated?

There are many simple ways to implement SQL securely. It’s a pity that mainstream devs ignore them. (Or maybe just never heard of them?)
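The "simple ways" the commenter alludes to start with bound parameters. The following is an added example, not code from the page, from MOVEit or from Progress: the unsafe string-built query sits beside its parameterised fix, both run against a constructed in-memory SQLite table (the `users` table and its columns are hypothetical). It also covers the one place parameters cannot help, an identifier such as a sort column, which has to be checked against an allowlist instead.

```python
"""Added example: string-built SQL beside its parameterised fix.

Not code from MOVEit, Progress or the page; the schema and sample rows are
constructed for illustration only.
"""
import sqlite3

# Constructed sample data (hypothetical table and column names).
SAMPLE_USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b"), ("carol", "s3cret-c")]

# Identifiers (table/column names) cannot be bound as parameters, so the only
# safe way to let a caller choose one is an allowlist of known-good names.
ALLOWED_SORT_COLUMNS = {"username"}


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input concatenated into the statement text.

    The input becomes part of the SQL grammar, so it can change the query's
    structure rather than just its comparison value. This is the defect class
    behind the MOVEit advisories.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Same query with a bound parameter.

    The driver ships the value separately from the statement text, so whatever
    the input contains is only ever compared as a literal string.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_sorted(conn, column):
    """Sort by a caller-chosen column, validated against the allowlist.

    Parameters cannot bind identifiers, so interpolation is only acceptable
    after the name has been matched against a fixed set of known columns.
    """
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT username FROM users ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run both lookups with a benign name and a constructed tautology input."""
    conn = make_db()
    tainted = "' OR '1'='1"  # constructed test input: closes the literal, adds a tautology
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "alice"),
        "vulnerable_tainted": lookup_vulnerable(conn, tainted),
        "safe_benign": lookup_parameterised(conn, "alice"),
        "safe_tainted": lookup_parameterised(conn, tainted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

Running `demo()` shows the point in one table: the concatenated query returns every row for the tainted input, while the parameterised query returns none, because the whole string is compared as a username that does not exist. The allowlist in `list_sorted` is the complement to parameters, not a substitute for them.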

What should happen? DarmokandJalad favors the nuclear option:

Progress is traded under PRGS. This company should be put out of business. I can’t believe their stock is only down 6% on the news.

Or, blame the customers? vishal vashisht visualizes victory: [You’re fired—Ed.]

In any organisation now, every piece of software needs to be vetted by a technology group. … The idea that your Dev teams or your marketing teams or your HR teams can pick up some software they’ve seen on the internet or that their mates are using and then shout and cry until the IT Teams are forced into letting them have it without proper investigation is just ****ing crazy.

I would happily support any insurance firm insisting on an audit of every piece of software in an organisation. If they are hacked via a 3rd party vendor and that software was brought in by the “WAH! WAH! WAH! I NEED IT! WAH!!! MY FRIENDS ARE USING IT!!!!” method of corporate software acquisition, then refuse to pay any insurance to that firm.

If enough firms are hit for several $million because of this, then the idea of Technical Groups, Software libraries, investigations, etc. might increase.

Where does the moniker Cl0p come from? thriftwy clarifies and classifies:

“Клоп” is a Russian word for bedbugs and heteropteras in general.

Meanwhile, for those of us saddled with an earworm, but can’t quite place it, oumuamua got your backs:

Reel 2 Real is the original artist and very popular in the clubs back in the day:

And Finally:

Get off my lawn

TW: WTC twin towers. Content is very 1994—so a tiny bit NSFW.

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Rob Klein Photography (cc:by-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
