Craig Pepper
June 19, 2023
8 Min Read

Threat Report 19.06.23

MOVEit Software Vulnerabilities Exposed: Latest Updates on Attacks and Impact on Organisations

Progress Software has released a further set of patches for its MOVEit products. These address vulnerabilities found after researchers analysed the zero-day exploited in the wild, CVE-2023-34362, an SQL injection flaw that allowed attackers to steal data from organisations running MOVEit Transfer and the MOVEit Cloud managed file transfer (MFT) service. The vulnerability has been actively exploited since late May, and evidence suggests that the attackers had been testing it since 2021.

The attacks were attributed to the cybercrime group behind the Cl0p ransomware operation. The group claimed to have hit hundreds of organisations and gave victims until June 14 to make contact or have their stolen data leaked.

In response, Progress Software released patches for newly discovered vulnerabilities identified by cybersecurity firm Huntress. The vendor told customers that the new flaws, tracked as CVE-2023-35036, could potentially be exploited by malicious actors, although there is currently no evidence of exploitation in the wild. Both MOVEit Transfer and MOVEit Cloud are affected.

Huntress described its findings as "further attack vectors" uncovered during its analysis of the original flaw. The newly identified vulnerabilities are also SQL injection bugs that an unauthenticated attacker could exploit to gain access to the MOVEit Transfer database.
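The class of bug behind both the original zero-day and the follow-up findings is ordinary SQL injection: user input is spliced into the text of a query instead of being bound as a parameter, so a crafted value can append its own SELECT and read tables the application never meant to expose. The following is an added, generic illustration of that mechanism and its fix; it is not MOVEit code, does not reproduce the MOVEit exploit, and uses a constructed SQLite schema (tables `users` and `api_tokens`) that exists only for this example.

```python
import sqlite3

# Constructed sample schema (not MOVEit's): one table the application is meant to
# read, and a second table holding secrets it should never expose to users.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, display_name TEXT);
        INSERT INTO users VALUES ('alice', 'Alice Example'), ('bob', 'Bob Example');
        CREATE TABLE api_tokens (owner TEXT, secret TEXT);
        INSERT INTO api_tokens VALUES ('alice', 'tok-0001'), ('bob', 'tok-0002');
    """)
    return db

def lookup_vulnerable(db, username):
    """Builds the statement by string concatenation, so the caller's input becomes SQL."""
    sql = "SELECT username, display_name FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterised(db, username):
    """Binds the value as a parameter; the driver never lets it alter the query structure."""
    sql = "SELECT username, display_name FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

# A classic UNION-based payload: the leading quote closes the string literal, UNION
# appends a second SELECT with the same column count, and "--" comments out the
# trailing quote the application adds. Constructed for this example.
INJECTED_INPUT = "x' UNION SELECT owner, secret FROM api_tokens --"

def demo():
    """Runs the same attacker input through both lookups and returns what each exposes."""
    db = make_db()
    return {
        "leaked_by_concatenation": sorted(lookup_vulnerable(db, INJECTED_INPUT)),
        "returned_with_binding": lookup_parameterised(db, INJECTED_INPUT),
    }

if __name__ == "__main__":
    print(demo())
```

With concatenation the injected input returns every row of `api_tokens`; with parameter binding the same input is treated as a literal username that matches nothing. The fix that matters is the binding, not input filtering: a query assembled from strings can always be escaped by some encoding the filter did not anticipate.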

At least 100 organisations are reported to have been affected by the zero-day, but the true number could be far higher: around 3,000 MOVEit Transfer instances were exposed to the internet at the time.

Among the first victims to disclose was UK-based payroll and HR provider Zellis; the breach of its MOVEit instance affected several of its customers, including British Airways, Aer Lingus, the BBC and the Boots pharmacy chain.

US government organisations have also been hit, with the Illinois Department of Innovation & Technology and the Minnesota Department of Education the latest to come forward. Both discovered the attacks on May 31 and immediately secured their servers. The full extent of the incidents is still under investigation, but many individuals are believed to be affected.

The Minnesota Department of Education confirmed that the attackers accessed 24 files containing the information of approximately 95,000 students in foster care, including names, dates of birth and county of placement, along with additional data on other students. The Cl0p operators claim on their leak site that they will not extort government organisations, including cities and law enforcement agencies.

Microsoft Services Disrupted by DDoS Attacks: Anonymous Sudan Claims Responsibility

In early June, Microsoft suffered disruptions to its Outlook email and OneDrive file-sharing services as well as its Azure cloud platform. A group calling itself Anonymous Sudan claimed responsibility for flooding the sites with junk traffic in distributed denial-of-service (DDoS) attacks. Microsoft has confirmed that DDoS attacks caused the disruptions but has given few details about the extent of the impact or the number of customers affected.

The attacks were aimed at disruption and publicity rather than data theft. The attackers appear to have used rented cloud infrastructure and virtual private networks to drive traffic from botnets, networks of compromised computers around the world; Microsoft later characterised the activity as layer 7 (application-layer) attacks, including HTTP(S) floods, cache-bypass requests and Slowloris-style connection exhaustion, which target the web servers themselves rather than saturating network links. Microsoft has stated that no customer data was accessed or compromised.

While DDoS attacks do not involve breaking into systems and are often dismissed as a nuisance, they can still knock out services from providers as large as Microsoft, affecting millions of users and global commerce. The exact impact on Microsoft's services remains unclear because the company has not published customer-impact figures.

Microsoft tracks the attackers as Storm-1359 and has not definitively identified them. There are indications that they may be affiliated with pro-Russian hacking groups, which have previously run DDoS campaigns against websites of Ukraine's allies; Anonymous Sudan is believed to work closely with these pro-Kremlin groups to spread propaganda and disinformation.

The incident highlights the ongoing challenge of defending against DDoS. That Microsoft struggled to mitigate the attack suggests a bottleneck or single point of failure in the affected services. Distributing traffic across multiple platforms, such as content delivery networks (CDNs) that absorb and filter junk requests before they reach the origin, is considered a more effective defence.

The techniques used are not new and have been observed since 2009, according to security researchers. The disruption to Microsoft 365 was widely reported, with thousands of outage and problem reports at the peak of the incident.

Overall, DDoS remains a significant risk that is hard to address effectively. Microsoft's experience is a reminder that even the largest providers need robust mitigation in place before an attack, not during it.
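Why an application-layer flood from a rented botnet is awkward to stop at the origin, and why the advice above favours absorbing it upstream, is easiest to see in a small detection exercise. The block below is an added example, not Microsoft's telemetry or tooling: it builds a constructed access log in which a few legitimate clients are followed by a flood from roughly 200 distinct sources that each send only one request per second with cache-busting query strings, then compares a per-client rate limiter (which drops nothing, because no single bot exceeds the limit) with an aggregate requests-per-second check against a baseline (which flags the flood). The log format and all addresses are invented for the example.

```python
from collections import Counter, defaultdict

# Constructed access-log sample, one request per line: "<epoch-second> <client-ip> <path>".
# Seconds 100-102 carry normal traffic from five clients; seconds 103-104 carry a flood
# from 200 distinct sources, each sending one request per second, as a botnet or proxy
# fleet would. All addresses are documentation ranges, invented for this example.
def build_sample_log():
    lines = []
    for sec in range(100, 103):
        for i in range(5):
            lines.append(f"{sec} 198.51.100.{i + 1} /mail/inbox")
    for sec in range(103, 105):
        for i in range(200):
            # A varying query string defeats caching, so every request reaches the origin.
            lines.append(f"{sec} 203.0.113.{i + 1} /mail/search?q={i}")
    return "\n".join(lines)

def parse_log(text):
    """Parses the constructed format into (second, client_ip, path) tuples."""
    events = []
    for line in text.splitlines():
        sec, ip, path = line.split(" ", 2)
        events.append((int(sec), ip, path))
    return events

def requests_per_second(events):
    """Aggregate request count per second, regardless of source."""
    return Counter(sec for sec, _, _ in events)

def flood_windows(events, baseline_rps, factor=5):
    """Seconds whose aggregate rate exceeds factor x the expected baseline."""
    rps = requests_per_second(events)
    return sorted(sec for sec, n in rps.items() if n > baseline_rps * factor)

def per_client_drops(events, limit_per_sec):
    """Requests a per-client-IP limiter would drop. A distributed flood stays under it."""
    seen = defaultdict(int)
    dropped = 0
    for sec, ip, _ in events:
        seen[(sec, ip)] += 1
        if seen[(sec, ip)] > limit_per_sec:
            dropped += 1
    return dropped

def distinct_sources(events, sec):
    """How many client IPs were active in a given second; high values mean a botnet, not one abuser."""
    return len({ip for s, ip, _ in events if s == sec})

if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("aggregate rps:", dict(requests_per_second(ev)))
    print("flood seconds (baseline 5 rps):", flood_windows(ev, baseline_rps=5))
    print("per-client limiter at 20 rps would drop:", per_client_drops(ev, 20))
    print("distinct sources in second 104:", distinct_sources(ev, 104))
```

The per-client limiter is the control most web servers ship with, and it is blind here: every bot is individually well-behaved. The aggregate view catches the flood, but by then the origin is already serving it, which is the case for pushing the traffic onto a CDN or scrubbing layer that can absorb it across many points of presence and apply caching or challenges before the origin sees a request.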

Google Chrome 114 Update Addresses Critical Vulnerabilities

Google has released an update for Chrome 114 that fixes five security vulnerabilities, four of them reported by external researchers and rated critical or high severity.

The most serious is CVE-2023-3214, a critical use-after-free in Autofill payments reported by Rong Jian of VRI. Use-after-free vulnerabilities are memory-corruption bugs in which code keeps using memory after it has been released; an attacker who can control what is allocated in its place can use one to execute code, crash the process or corrupt data. In Chrome, where the affected code runs in the privileged browser process, successful exploitation can amount to a sandbox escape and compromise of the system.

The update also addresses two further high-severity use-after-free flaws, CVE-2023-3215 in WebRTC and CVE-2023-3217 in WebXR, and a high-severity type confusion issue in the V8 JavaScript engine. Google paid a $3,000 bounty for the WebRTC bug; the rewards for the Autofill payments and V8 bugs are yet to be determined. The WebXR flaw was reported by Sergei Glazunov of Google's own Project Zero, so under Google's policy no bounty is paid. Google has not mentioned any known in-the-wild exploitation of these vulnerabilities.

The new release, version 114.0.5735.133, is rolling out for macOS, Linux and Windows, a week after an emergency update that fixed an actively exploited zero-day.
