Archie Ross
June 5, 2023
9 Min Read

Threat Report 05.06.23

Critical Flaw in Progress Software’s MOVEit Transfer Exposes Systems to Cyber-Attacks

We want to inform our users about a critical flaw that has been exploited in Progress Software's MOVEit Transfer managed file transfer application. This flaw poses a significant risk to vulnerable systems and has been actively targeted by cybercriminals.

The flaw, currently without a CVE identifier, involves a severe SQL injection vulnerability. Exploiting this vulnerability could result in escalated privileges and unauthorized access to the environment.

According to Progress Software, "An SQL injection vulnerability has been discovered in the MOVEit Transfer web application. This vulnerability allows an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to gather information about the database structure and contents. They can also execute SQL statements that can modify or delete database elements."

To address this issue, Progress Software has released patches for the affected versions of MOVEit Transfer. The following versions are covered by the patches: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

Recently, Bleeping Computer reported the existence of this vulnerability. Both Huntress and Rapid7 have indicated that as of May 31, 2023, around 2,500 instances of MOVEit Transfer were exposed to the public internet, with a majority of them located in the United States.

Successful exploitation of the vulnerability results in the deployment of a web shell named "human2.aspx" in the "wwwroot" directory. This web shell allows attackers to exfiltrate various data stored by the local MOVEit service. Additionally, analysis of the attack chain reveals that the web shell creates new admin user account sessions named "Health Check Service" to evade detection.

GreyNoise, a threat intelligence firm, has observed scanning activity targeting the login page of MOVEit Transfer since March 3, 2023. They have detected five different IP addresses attempting to locate MOVEit installations.

Satnam Narang, senior staff research engineer at Tenable, commented on the situation, stating, "While we don't have specific details about the group behind these zero-day attacks targeting MOVEit, it highlights a concerning trend of threat actors focusing on file transfer solutions."

In response to this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert, urging users and organizations to take mitigation steps to secure their systems against potential malicious activities.

Users are advised to isolate their MOVEit Transfer servers by blocking inbound and outbound traffic to them. It is also essential to thoroughly inspect the environment for any potential indicators of compromise (IoCs); any that are found should be removed before the provided patches are applied.
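The following Python is an added defender-side example, not code from the report or from Progress Software: it classifies an installed version against the patched versions listed above, locates the reported web shell file name under a web root, and flags log entries that name the "Health Check Service" session. The sample log lines and their format are constructed for illustration and do not reproduce real MOVEit output.

```python
import os
import re

# Minimum patched build for each MOVEit Transfer release branch, taken from the
# vendor's list of fixed versions quoted above (year.minor -> first safe patch level).
PATCHED_VERSIONS = {
    (2021, 0): 6,   # 2021.0.6 (13.0.6)
    (2021, 1): 4,   # 2021.1.4 (13.1.4)
    (2022, 0): 4,   # 2022.0.4 (14.0.4)
    (2022, 1): 5,   # 2022.1.5 (14.1.5)
    (2023, 0): 1,   # 2023.0.1 (15.0.1)
}
WEBSHELL_NAME = "human2.aspx"                # dropped into wwwroot after exploitation
SUSPICIOUS_SESSION = "Health Check Service"  # admin session name used for evasion

def version_status(version: str) -> str:
    """Classify a year-style version string such as '2022.1.3' as
    'patched', 'vulnerable', or 'unsupported-branch' (no fix listed for it)."""
    major, minor, patch = (int(part) for part in version.strip().split("."))
    minimum = PATCHED_VERSIONS.get((major, minor))
    if minimum is None:
        return "unsupported-branch"
    return "patched" if patch >= minimum else "vulnerable"

def find_webshell(paths):
    """Return the paths whose file name matches the reported web shell.
    Accepts Windows or POSIX separators so exported file lists work as-is."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() == WEBSHELL_NAME]

def walk_files(root):
    """Yield every file under root (e.g. the wwwroot directory); feed to find_webshell()."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)

def suspicious_session_lines(log_lines):
    """Return (line_number, line) for entries that mention the evasion session name."""
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if SUSPICIOUS_SESSION.lower() in line.lower()]

# Constructed sample log entries (hypothetical format, not real MOVEit output).
SAMPLE_LOG_LINES = [
    '2023-06-01T02:14:07Z INFO session created user="svc_backup" role=Admin',
    '2023-06-01T02:15:33Z INFO session created user="Health Check Service" role=Admin',
    '2023-06-01T02:16:01Z INFO file upload user="jdoe" path=/Home/jdoe/report.pdf',
]
```

Run `find_webshell(walk_files(r"C:\MOVEitTransfer\wwwroot"))` on the server itself, or pass an exported file listing to `find_webshell()` when working from a forensic image.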

Security researcher Kevin Beaumont warns that if the attackers turn out to be a ransomware group, this will mark the second enterprise MFT zero-day attack within a year, following the recent incident involving GoAnywhere and the cl0p group.

Critical Flaw in Jetpack Plugin Prompted Automatic Update by WordPress

We would like to inform users of a critical flaw in the Jetpack plugin for WordPress, which has been automatically addressed through an update. This plugin is installed on over five million sites, making it crucial to take immediate action.

During an internal security audit, WordPress discovered a vulnerability present in the Jetpack plugin since its release in November 2012, starting from version 2.0. The vulnerability resides in an API within the plugin.

The advisory from Jetpack states, "This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation." To address this issue, 102 new versions of Jetpack have been released to provide the necessary remediation.

While there is no evidence to suggest that this vulnerability has been exploited in the wild, it is common for threat actors to target popular WordPress plugins with the intention of taking over sites for malicious purposes.

This is not the first time that severe security weaknesses in Jetpack have prompted WordPress to enforce the installation of patches. In November 2019, Jetpack released version 7.9.1 to fix a defect in how the plugin handled embed code, a vulnerability that had persisted since July 2017 (version 5.1).

In a related development, security firm Patchstack disclosed a security flaw in the premium Gravity Forms plugin. This flaw, identified as CVE-2023-28782, allows an unauthenticated user to inject arbitrary PHP code. Versions 2.7.3 and below are affected; the issue was resolved in version 2.7.4, made available on April 11, 2023.

It is crucial for all users who have installed Jetpack and Gravity Forms plugins to update them immediately to the latest versions provided by WordPress. Regularly applying security updates is essential to protect your WordPress sites from potential vulnerabilities and mitigate the risk of unauthorized access or malicious activities.

Sophisticated APT Targeting iOS Devices Uncovered in Operation Triangulation

We want to bring your attention to a previously unknown advanced persistent threat (APT) that specifically targets iOS devices. This threat is part of a highly sophisticated and long-running mobile campaign known as Operation Triangulation, which originated in 2019.

According to Kaspersky, a Russian cybersecurity company, the targets of this attack are infected through zero-click exploits delivered via the iMessage platform. The malware involved in this campaign gains root privileges, providing complete control over the compromised device and its user data.

Traces of compromise were discovered by Kaspersky when offline backups of the targeted devices were analyzed. The attack chain begins with the iOS device receiving a message via iMessage, which includes an attachment containing the exploit. Remarkably, this exploit is classified as a zero-click exploit, meaning that the vulnerability is triggered simply by the receipt of the message, without requiring any user interaction.

The exploit is designed to retrieve additional payloads for privilege escalation and deliver a final stage malware from a remote server. Kaspersky describes this malware as a "fully-featured APT platform." Once implanted, this malware operates with root privileges and has the ability to harvest sensitive information. It can also execute code downloaded as plugin modules from the remote server.

Kaspersky researchers revealed that the spyware quietly transmits private information, such as microphone recordings, instant messenger photos, geolocation data, and other activities of the infected device's owner, to remote servers.

In the final phase of the attack, both the initial message and the exploit attachment are deleted to eliminate any traces of the infection. The malicious toolset does not support persistence, which may be due to operating system limitations. However, evidence suggests that re-infection may occur after device reboots.

The full extent of the campaign remains uncertain, but Kaspersky confirms that the attacks are ongoing. Successful infections have been observed on devices running iOS 15.7, which was released on September 12, 2022.

At present, it is unknown whether the attacks exploit a zero-day vulnerability in iOS. The most recent version of iOS is 16.5, although Apple also released an update, 15.7.6, last month.

Coinciding with Kaspersky's report, Russia's Federal Security Service (FSB) accused U.S. intelligence agencies of hacking "several thousand" Apple devices owned by domestic subscribers and foreign diplomats. The FSB claimed that this was part of a reconnaissance operation, highlighting "close cooperation" between Apple and the National Security Agency (NSA). Apple has strongly denied these allegations. Kaspersky researcher Ivan Kwiatkowski has acknowledged the related nature of the two sets of activities, citing overlaps in the indicators of compromise (IoCs) released by RU-CERT.

Kaspersky describes Operation Triangulation as an "extremely complex, professional targeted cyber attack" that specifically targeted several dozen iPhones belonging to senior employees. The true extent of the espionage campaign is yet to be fully determined.

Please note that this article has been updated to incorporate additional information about the attacks and the entities involved.
