An SQL injection vulnerability in the MOVEit Transfer web application is being actively exploited in the wild. Tracked as CVE-2023-34362, the bug could enable an unauthenticated actor to access the user’s MOVEit Transfer database and, depending on the database engine in use (MySQL, Microsoft SQL Server or Azure SQL), infer information about the contents of the database and execute SQL statements that alter or delete elements of it.
If you are a MOVEit Transfer customer, it is important to take immediate remediation action:
Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
Step 2: Review, Delete and Reset
1. Delete Unauthorised Files and User Accounts
2. Reset Credentials
Step 3: Apply the security update to move to a fixed version. Updates are available for all supported MOVEit Transfer versions, and a special patch is available for MOVEit Transfer 2020.1.x.
Step 4: Verification – confirm the files have been deleted successfully and follow 2FA steps again.
Step 5: Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
Step 6: Continuous Monitoring
For more details around these actions and patch check:
For MOVEit Security Best Practice check: https://community.progress.com/s/article/MOVEit-Security-Best-Practices-Guide
Mandiant said it had also observed at least one actor associated with Clop seeking partners to work on SQL injection vulnerabilities, but that it did not have enough evidence to determine a link between activity associated with the MOVEit vulnerability and the ransomware gang. Its analysts said they expected more victims to begin receiving ransom demands in the coming weeks.
Organisations are reminded of their responsibility to report to the relevant authorities, such as the Information Commissioner's Office (ICO), if they have been subject to a data breach. UK organisations should report incidents via GOV.UK. For any individuals affected by a data breach, the NCSC has published guidance for individuals on protecting against the impacts of data breaches.
The NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.