Third MOVEit bug fixed a day after PoC exploit made public

Progress Software on Friday issued a fix for a third critical bug in its MOVEit file transfer suite, a vulnerability that had just been disclosed the day earlier.

Details of the latest vulnerability, tracked as CVE-2023-35708, were made public Thursday; proof-of-concept (PoC) exploit for the flaw, now fixed today, also emerged on Thursday.

A researcher who goes by the handle MCKSys Argentina confirmed to The Register that a June 16 MOVEit patch for CVE-2023-35708 mitigated the researcher's PoC exploit code, which was shared in screenshot form.

It's worth repeating that information on how to abuse the SQL injection flaw was made public a day before the software vendor had fixed the issue, so it's possible miscreants used that info to attack MOVEit installations before an update could be developed and applied.

"OK, don't tell anybody, but this attack works on current version of Progress MOVEit Transfer: 2023.0.2 (15.0.2.49)," as MCKSys Argentina tweeted on Thursday, including a screenshot of an exploit for the bug. "So I guess that I just dropped a 0 day here. Always remember to check against the current version!"

Three strikes?

Progress disclosed the first MOVEit flaw on May 31, and issued a patch the next day for CVE-2023-34362. A second bug, CVE-2023-35036, came to light last Friday, June 9, and was also patched the next day.

That brings us to this third hole, CVE-2023-35708, which is another SQL injection vulnerability that could allow an unauthenticated attacker to break into organizations' MOVEit Transfer database and steal its content. It affects versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3).

All MOVEit Transfer customers need to apply the patch for CVE-2023-35708, according to Progress. And depending on whether customers applied the earlier fixes for the May 31 and June 9 vulnerabilities, there are different remediations.

Those who didn't apply the May patch first need to follow Progress' earlier instructions, which include patches for the May 31 and June 9 bugs.

After applying the previous fixes, customers should then patch the June 15 CVE. Those who can't apply the latest update should "immediately disable all HTTP and HTTPs traffic to your MOVEit Transfer environment."
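Added example, not from the article or from Progress: a check of installed MOVEit Transfer versions against the fixed releases listed above for CVE-2023-35708. The 2008 offset between year-style and internal version numbers is inferred from the version pairs the article gives, and the host names and inventory are constructed.

```python
import re

# First fixed build per release train for CVE-2023-35708, as listed in the
# article: internal (major, minor) -> (major, minor, patch).
FIXED = {
    (13, 0): (13, 0, 8),  # 2021.0.8
    (13, 1): (13, 1, 6),  # 2021.1.6
    (14, 0): (14, 0, 6),  # 2022.0.6
    (14, 1): (14, 1, 7),  # 2022.1.7
    (15, 0): (15, 0, 3),  # 2023.0.3
}

def parse_version(text):
    """Return internal (major, minor, patch) from '2023.0.2', '15.0.2.49'
    or the combined '2023.0.2 (15.0.2.49)' form."""
    inner = re.search(r"\(([\d.]+)\)", text)
    raw = inner.group(1) if inner else text.strip()
    parts = [int(p) for p in raw.split(".") if p]
    if len(parts) < 3:
        raise ValueError("need at least major.minor.patch: %r" % text)
    major, minor, patch = parts[:3]
    if major >= 2000:
        # Assumption: year-style major maps to internal major by -2008,
        # inferred from the article's pairs (2021 -> 13 ... 2023 -> 15).
        major -= 2008
    return (major, minor, patch)

def assess(text):
    """Return (status, first_fixed_build_or_None) for one installed version."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Trains older than every listed fix predate all patched releases;
        # newer or unlisted trains are not covered by the article.
        status = "affected" if version[:2] < min(FIXED) else "unknown"
        return (status, None)
    return ("affected" if version < fixed else "patched", fixed)

if __name__ == "__main__":
    # Constructed inventory of hypothetical hosts, not real data.
    inventory = {"mft-01": "2023.0.2 (15.0.2.49)", "mft-02": "14.1.7",
                 "mft-03": "2021.0.7", "mft-04": "12.1.10"}
    for host, ver in sorted(inventory.items()):
        status, fixed = assess(ver)
        target = ".".join(map(str, fixed)) if fixed else "n/a"
        print("%-7s %-22s %-8s first fixed: %s" % (host, ver, status, target))
```

A result of "unknown" means the release train is not among those the article lists, so the vendor advisory has to be consulted for it.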

Shell data leaked

Meanwhile, the list of bodies and companies hit by Clop – which has exploited MOVEit's security shortcomings to steal data from organizations – keeps growing. On Friday, oil and gas giant Shell reportedly became the first organization to have its stolen data published on the Clop leak site, according to infosec guru Dominic Alvieri. Clop demands a ransom payment from victims or it threatens to leak any data swiped from them.

The Clop MOVEit Reveal Event will continue after this new statement. Shell has the honor of being the first company to have all their exfiltrated files published. @Shell pic.twitter.com/Bi4HkdFKLn

— Dominic Alvieri (@AlvieriD) June 16, 2023

The Oregon Department of Transportation in the US said the extortionists accessed personal info belonging to about 3.5 million residents of the state.

"While much of this information is available broadly, some of it is sensitive personal information," the dept's notice stated. "Individuals who have an active Oregon ID or driver's license should assume information related to that ID is part of this breach."

Similarly, Louisiana's Office of Motor Vehicles warned that all residents with a state-issued ID, drivers license, or car registration likely had their name, addresses, social security number, birthdate, height, eye color, license number, vehicles registration, and handicap placard info exposed.

"There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack," the Louisiana agency said. "The cyber attackers have not contacted state government. But all Louisianans should take immediate steps to safeguard their identity."

Clop has said it will delete — and not publish — any stolen government data, which presumably includes local governments and the info swiped from the US Energy Department and other federal agencies.

On Thursday, Jen Easterly, who leads the US Cybersecurity and Infrastructure Security Agency, confirmed that the Feds are "not aware of Clop actors threatening to extort, or release any data stolen from government agencies."

Still, we don't suggest putting too much faith in criminals' promises. ®