Still plaguing enterprises: MOVEit SQL Injection Vulnerability (CVE-2023-34362)

CVE-2023-34362 was publicly disclosed on May 31, 2023, by Progress Software. However, the vulnerability had been exploited in the wild for several weeks prior to disclosure. The Cl0p ransomware group was one of the first attackers to exploit CVE-2023-34362, and they used it to steal data from several high-profile organizations.

Progress Software released a patch for the vulnerability on June 16, 2023, but the public disclosure of CVE-2023-34362 triggered a wave of attacks against MOVEit Transfer servers in the intervening weeks.

Because the vulnerability is rated critical, all MOVEit Transfer users were directed to patch their systems as soon as possible. Yet it still plagues organizations to this day. In this blog post, we look at the MOVEit SQL injection vulnerability in more detail.

Understanding CVE-2023-34362 & its impact

CVE-2023-34362 is a critical vulnerability because it allows unauthenticated attackers to inject malicious SQL into MOVEit Transfer servers. This can lead to a number of serious consequences, including:

  • Data exfiltration: Attackers can steal sensitive data from MOVEit Transfer servers, such as customer records, financial data, and intellectual property.
  • Ransomware infection: Attackers can install ransomware on MOVEit Transfer servers, which can encrypt files and demand a ransom payment to decrypt them.
  • Lateral movement: Attackers can use MOVEit Transfer servers as a springboard to attack other systems on the network.

As noted earlier, the vulnerability was being actively exploited in the wild by the Cl0p ransomware group. This means that many organizations have already been compromised by this vulnerability, and others are at risk of being attacked.

The scale of the damage CVE-2023-34362 has caused is already clear:

According to a TechCrunch article, security industry experts think more than 60 million individuals have been affected by the MOVEit vulnerability. This demonstrates the serious consequences that can result from the successful exploitation of CVE-2023-34362.

Why Do SQL Injection Vulnerabilities (and CVE-2023-34362) Persist?

SQL injection vulnerabilities are a persistent issue in web applications for several reasons, despite being one of the most well-known and well-understood vulnerabilities. Some of the most common reasons include:

  • Legacy code: Many organizations use legacy code that was written before SQL injection vulnerabilities were widely known. This code may not be properly sanitized, making it vulnerable to attack.
  • Developer error: Even experienced developers can make mistakes when writing code. A single error can create a SQL injection vulnerability.
  • Lack of awareness: Some developers may not be aware of SQL injection vulnerabilities, or they may not understand how to prevent them.
  • Complexity of Web applications: Web applications are becoming increasingly complex, and it can be difficult to identify and fix all potential security vulnerabilities.
  • Lack of resources: Some organizations may not have the resources to properly secure their web applications. This may include a lack of qualified security personnel or a lack of budget for security tools and services.

In addition to these general reasons, a number of specific factors contribute to the persistence of SQL injection vulnerabilities. For example, many organizations use open-source software, and open-source code can be studied by attackers. The flip side also holds: many organizations use custom-developed software, and custom software can contain more vulnerabilities than commercial software (see developer error and complexity of web applications above).
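The "not properly sanitized" legacy pattern described above, shown beside the parameterized form that prevents it. This is an added, generic illustration written for this post, not MOVEit Transfer code and not a description of the CVE-2023-34362 flaw itself; the table, rows and lookup functions are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Legacy pattern: user input is spliced into the SQL text, so it becomes
    # part of the query grammar and quote characters change its meaning.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # Hardened pattern: the SQL text is fixed and the value travels separately
    # as a bound parameter, so the driver can only ever compare it as data.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def compare(username):
    # Returns the row counts each variant produces for the same input, so the
    # difference in behaviour can be checked rather than just printed.
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "parameterized": len(lookup_parameterized(conn, username)),
    }

if __name__ == "__main__":
    print(compare("alice"))           # both variants find exactly one row
    print(compare("x' OR 'a'='a"))    # only the spliced query matches every row
```

The point for code review and training is that the fix is structural: a parameterized query keeps the query's shape fixed regardless of input, whereas "sanitizing" a concatenated string is a per-call effort that one missed case defeats.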

There are several reasons why the CVE-2023-34362 MOVEit vulnerability is still so persistent, even though it was patched by Progress Software in June 2023.

  • Organizations are slow to patch their systems. According to a report by the Ponemon Institute, it takes, on average, 97 days to patch a vulnerability. For many organizations, it can take even longer. This means that many organizations are still running vulnerable versions of MOVEit Transfer.
  • Attackers are still actively exploiting the vulnerability. The Cl0p ransomware group has been particularly active in exploiting CVE-2023-34362. They have targeted many high-profile organizations, including telecommunications companies, financial services firms, and government agencies.
  • The vulnerability can be difficult to detect and remediate. The vulnerability is caused by a complex SQL injection flaw in the MOVEit Transfer web application. This makes it difficult for organizations to detect and fix the vulnerability.

Beyond those general factors, we think this particular vulnerability persists for a few MOVEit-specific reasons:

  • Legacy systems: Many organizations still use legacy MOVEit Transfer systems that are not supported by Progress Software. These systems are often difficult to patch and may not be upgradeable to the latest version of MOVEit Transfer.
  • Customizations: Many organizations have customized their MOVEit Transfer systems to meet their specific needs. These customizations can make it more difficult to patch the system and fix the vulnerability.
  • Lack of visibility: Many organizations lack visibility into their MOVEit Transfer systems. This makes it difficult to identify systems that are vulnerable to attack.
  • Lack of resources: Some organizations may not have the resources to properly secure their MOVEit Transfer systems. This may include a lack of qualified security personnel or a lack of budget for security tools and services.

What to do about MOVEit vulnerability, CVE-2023-34362?

So what can you do about this critical MOVEit vulnerability? Here are three steps you can take in the short and long term:

  1. Keep Your Software Up to Date: One of the most effective ways to mitigate the risks posed by CVE-2023-34362 is to keep your MOVEit Transfer servers up to date. Progress Software has released a patch for CVE-2023-34362, so all users should apply this patch as soon as possible to protect their systems. Regular software updates and security patches are essential to maintaining a strong security posture and protecting against known vulnerabilities. For Syxsense Enterprise customers, pre-built remediations are available in the Syxsense platform for immediate deployment.
  2. Implement a Robust Monitoring and Response System: A well-designed monitoring system can help detect unusual activity that could signal exploitation of CVE-2023-34362. This includes monitoring for sudden increases in data transfers, which might indicate data exfiltration, or unexpected changes to the system or data, which could signal a ransomware infection. If an attack is detected, a swift and decisive response can minimize damage. This includes isolating affected systems to prevent lateral movement, removing any injected malicious code, and restoring systems to a secure state.
  3. Educate and Train Your Team: Since CVE-2023-34362 is a SQL Injection vulnerability, it is crucial to ensure your development and IT teams are aware of how SQL Injection attacks work and how they can be prevented. Regular training and awareness sessions can help inculcate a culture of security within the organization. Developers should be trained in secure coding practices, including the proper sanitization of user input and the use of parameterized queries to prevent SQL Injection attacks. Your IT and InfoSec teams should be trained in recognizing and responding to signs of a security breach, including potential exploitations of CVE-2023-34362.
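One concrete way to implement the "sudden increase in data transfers" check from step 2, as an added example written for this post rather than code from Syxsense or Progress Software. The log format (date, user, direction, bytes) and the log lines are constructed for the demonstration, not real MOVEit Transfer output; the baseline rule (median of each user's earlier daily download totals) and the thresholds are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from statistics import median

# Constructed sample transfer log (not real MOVEit output):
# timestamp, user, direction, bytes transferred.
SAMPLE_LOG = """\
2023-06-01T09:12:00 alice download 1200000
2023-06-01T14:30:00 alice download 800000
2023-06-02T10:05:00 alice download 1500000
2023-06-03T11:40:00 alice download 900000
2023-06-04T02:13:00 alice download 48000000
2023-06-04T02:20:00 alice download 52000000
2023-06-01T09:00:00 bob upload 3000000
2023-06-04T09:00:00 bob download 1000000
"""

def parse_log(text):
    # Each event is reduced to (day, user, direction, bytes); the day is the
    # first ten characters of the ISO timestamp.
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, direction, nbytes = line.split()
        events.append((ts[:10], user, direction, int(nbytes)))
    return events

def daily_download_totals(events):
    # user -> day -> total bytes downloaded that day
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, direction, nbytes in events:
        if direction == "download":
            totals[user][day] += nbytes
    return totals

def find_exfil_spikes(events, ratio=5.0, min_bytes=10_000_000):
    # Flag a user-day whose download volume exceeds `ratio` times the median of
    # that user's earlier days and also clears an absolute floor, so that a
    # small account with a tiny baseline does not alert on ordinary use.
    # Returns (user, day, bytes_today, baseline_bytes) tuples.
    alerts = []
    for user, per_day in daily_download_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if not history:
                continue  # no baseline yet for this user's first observed day
            baseline = median(history)
            today = per_day[day]
            if today >= min_bytes and today > ratio * baseline:
                alerts.append((user, day, today, baseline))
    return alerts

if __name__ == "__main__":
    for user, day, today, baseline in find_exfil_spikes(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} {day}: {today} bytes vs baseline {baseline}")
```

The off-hours timestamps in the sample are incidental; the rule above keys only on volume. In practice the same per-user baseline approach extends naturally to upload volume, distinct-file counts, or source IP changes, each of which the post's "unexpected changes" guidance would also cover.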

Don’t delay: leverage an automated endpoint and vulnerability platform

Last but not least, we highly recommend IT and Security teams work together to close this attack vector. Each week, we continue to see stories of organizations that have been hacked through this MOVEit vulnerability.

For those organizations that are not using an automated vulnerability and endpoint management platform, consider looking at a unified platform that can:

  • Scan all devices on your network for a particular software application, like MOVEit
  • Scan those devices for vulnerabilities
  • Automatically push remediations to those devices with vulnerabilities
  • Run a report to confirm those remediations have been effectively applied

An automated approach can significantly reduce your cyber exposure and enhance your organization’s security posture.

Vulnerabilities like CVE-2023-34362 can pose significant risks, but they also present an opportunity for organizations to reassess their security strategies and adopt more robust and automated solutions for endpoint and vulnerability management. Find out more about Syxsense: schedule a demo today.