MOVEit Transfer is a popular secure file transfer solution developed by Progress, a subsidiary of Ipswitch. At the moment, there are more than 2,500 MOVEit Transfer servers that are accessible from the internet, according to Shodan.
On May 31, 2023, Progress released a security advisory for a vulnerability affecting versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
The vulnerability is categorized as a SQL injection allowing an unauthenticated user access to MOVEit databases, potentially resulting in arbitrary code execution and data exfiltration.
The attack chain begins with a SQL injection that retrieves administrative credentials, allowing unrestricted file upload that attackers can use to install a backdoor on the server.
On Friday, June 1, 2023, the CVE was added to the CISA Known Exploited Vulnerabilities list (KEV), indicating that this is a critical vulnerability and is currently being exploited in the wild.
A proof of concept (PoC) has not been released. However, after further investigation, the Imperva Threat Research team created dedicated mitigation rules for this vulnerability, strengthening the existing built-in SQL injection mitigation that had already been detecting the attack. CVE-2023-34362 is mitigated by Imperva Cloud WAF, WAF Gateway, and RASP.
Over the past few days, Imperva Threat Research observed thousands of exploitation attempts, all successfully thwarted by Imperva Cloud WAF and Imperva WAF Gateway (customer-managed WAF). Most exploitation attempts were carried out by automated hacking tools written in various scripting languages, such as Python via the requests module and Bash via the curl tool. The main industries targeted by this CVE are financial services and healthcare.
The Imperva Threat Research Team observed exploitation attempts coming from these IPs:
51[.]158[.]122[.]21
51[.]15[.]218[.]116
196[.]112[.]216[.]184
67[.]220[.]86[.]236
51[.]15[.]199[.]148
158[.]247[.]208[.]44
50[.]19[.]142[.]233
It’s also important to note that these IPs had a high-risk score based on the Imperva IP Reputation mechanism. This suggests that the IPs were actively participating in malicious activity in recent days.
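The IP list and user-agent observations above can be turned into a simple retrospective check against a web server's access logs. The following script is an added example, not Imperva's code or part of the original advisory: it refangs the published IoC addresses, parses combined-format access log lines (the sample lines are constructed for illustration, including the request paths, which are placeholders and not MOVEit endpoints), and reports a strong hit when the source IP is on the IoC list and a weaker "tooling" signal when the user agent looks like python-requests or curl. The log format, field names, and verdict labels are this example's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# IoC IPs exactly as published in the advisory above (defanged with [.]).
DEFANGED_IOCS = [
    "51[.]158[.]122[.]21",
    "51[.]15[.]218[.]116",
    "196[.]112[.]216[.]184",
    "67[.]220[.]86[.]236",
    "51[.]15[.]199[.]148",
    "158[.]247[.]208[.]44",
    "50[.]19[.]142[.]233",
]

# User-Agent substrings typical of the automated tooling the advisory mentions
# (python-requests, curl). On its own this is only a weak signal, so it is
# reported with a separate verdict rather than merged with the IoC hit.
TOOLING_UA_MARKERS = ("python-requests", "curl/")

# Apache/nginx "combined" log format (an assumption of this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines: RFC 5737 documentation addresses for benign
# traffic, two of the advisory's IoC IPs for the hits, plus one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jun/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '51.158.122.21 - - [05/Jun/2023:10:00:02 +0000] "POST /login HTTP/1.1" 200 0 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [05/Jun/2023:10:00:03 +0000] "GET /login HTTP/1.1" 302 0 "-" "curl/7.88.1"',
    '196.112.216.184 - - [05/Jun/2023:10:00:04 +0000] "POST /upload HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    "this is not a log line",
]


def refang(ioc: str) -> str:
    """Turn a defanged IoC such as 1[.]2[.]3[.]4 back into a dotted-quad string."""
    return ioc.replace("[.]", ".")


def load_iocs(defanged: List[str]) -> Set[ipaddress.IPv4Address]:
    """Refang and validate the IoC list; a typo in the list raises ValueError here."""
    return {ipaddress.ip_address(refang(i)) for i in defanged}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict of fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str], iocs: Set[ipaddress.IPv4Address]) -> Optional[str]:
    """Return 'ioc_ip' for a listed source address, 'tooling_ua' for a scripted
    client user agent, or None when neither signal is present."""
    try:
        src = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return None  # unparsable source field; leave it for a separate sanity check
    if src in iocs:
        return "ioc_ip"
    if any(marker in entry["ua"].lower() for marker in TOOLING_UA_MARKERS):
        return "tooling_ua"
    return None


def scan(lines: List[str], iocs: Set[ipaddress.IPv4Address]) -> List[Dict[str, object]]:
    """Scan log lines and collect findings with line number, IP, verdict and request."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue  # malformed lines are skipped rather than aborting the scan
        verdict = classify(entry, iocs)
        if verdict:
            findings.append(
                {"line": n, "ip": entry["ip"], "verdict": verdict, "request": entry["req"]}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"line {f['line']}: {f['verdict']:<10} {f['ip']:<16} {f['request']}")
```

An `ioc_ip` finding is worth treating as a confirmed touch from infrastructure the advisory associates with exploitation attempts, regardless of whether the request succeeded; a `tooling_ua` finding only tells you a scripted client hit the server and needs correlation with the request path and response status before it means anything. In production, replace `SAMPLE_LOG` with the server's real access log and extend `DEFANGED_IOCS` from the threat intelligence feed you trust.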
As always, Imperva Threat Research is closely monitoring the situation and will provide updates as new information emerges.