A third MOVEit vulnerability fixed, Cl0p lists victim organizations (CVE-2023-35708)
Progress Software has asked customers to update their MOVEit Transfer installations again, to fix a third SQL injection vulnerability (CVE-2023-35708) discovered in the web application in less that a month.
Previously, the Cl0p cyber extortion gang exploited CVE-2023-34362 to grab enterprise data, and Huntress researchers discovered CVE-2023-35036 after partnering with Progress to perform a code review of the web app.
About CVE-2023-35708
CVE-2023-35708 is a vulnerability that could lead to escalated privileges and unauthorized access.
“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” the company said on Thursday.
The vulnerability has been fixed in MOVEit Transfer versions 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Public disclosure of the flaw happened before Progress came up with a fix.
“We have not seen any evidence that the vulnerability reported on June 15 [i.e., CVE-2023-35708] has been exploited,” the company said on Sunday.
“Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity. Because the new vulnerability we reported on June 15 had been publicly posted online, it was important that we take immediate action out of an abundance of caution to quickly patch the vulnerability and disable MOVEit Cloud.”
Cl0p reveals victims
In the meantime, Cl0p has started disclosing the names of organizations whose data they grabbed by exploiting CVE-2023-34362.
The list includes multinational oil and gas company Shell, several banks, media companies, universities, two entities of the US Department of Energy (Oak Ridge Associated Universities and a contractor at Oak Ridge National Laboratory), the Oregon Department of Transportation, and many more.
“CLOP did state that government data will be deleted and not retained or shared. This is almost certainly in an effort to not ‘poke the bear’ and fall below a line that invites action from competent authorities, although it’s unlikely that their word alone will cut much mustard,” noted Tim West, Head of Threat Intelligence at WithSecure.
Through its Rewards for Justice program, the US State Department has offered a considerable monetary reward for individuals who “have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government.”