If your organization or your vendors use the MOVEit application, see this guidance for addressing a related critical vulnerability.
Understand the vulnerability and its risks
CVE-2023-34362, also called the "MOVEit vulnerability", is a zero-day vulnerability in Progress Software’s MOVEit file transfer application, which thousands of organizations use worldwide. Threat actors have exploited this vulnerability to steal data from a number of organizations, including high-profile entities like British Airways and the British Broadcasting Corporation (BBC).
The Zellis breach
In one particular exploit, threat actors breached payroll services provider Zellis and stole customer data. They used SQL injection to manipulate server databases and execute arbitrary code.
When the Zellis breach was publicly announced, SecurityScorecard's threat intelligence team conducted an extensive investigation, uncovering 2,500 exposed MOVEit services across 790 organizations, with several hundred displaying the specific vulnerability exploited in the breach. Using Attack Surface Intelligence, the team was able to identify vulnerable IP addresses related to MOVEit servers within minutes.
Find out if you are affected and take action
On June 7, 2023, we released an informational issue type for this vulnerability. Although it does not currently impact your score, we recommend you take immediate action to address it.
In your Scorecard, go to the Issues tab. In the issue types table, scan the informational issues for Potential Vulnerable IP Addresses Identified for CVE-2023-34362.
To address the issue:
- Immediately close ports 80 through 443, plus any additional ports facing the public internet on which the services may be running.
- While Progress Software has released updates to address the vulnerability, make sure to remove all vulnerable instances of MOVEit from the public Internet.
- Place MOVEit servers behind technologies that provide access only to designated individuals.
- Use access gateways secured by multifactor authentication, such as Zero Trust, or simple allowlists and blocklists.
- If your organization uses MOVEit, ensure that the database runs as a specific user that can only interact with MOVEit and not as a superuser with broader access.
Address affected vendors
See which vendors are affected
To determine if any of your vendors are affected by the MOVEit vulnerability:
- In any of your Portfolios, select the Filter icon.
- In the Filters panel that appears on the right, type or paste the issue type name: Potential Vulnerable IP Addresses Identified for CVE-2023-34362. Then select the issue type when it appears.
- See the affected organizations in your Portfolio table.
See which vendor IP addresses may be using the MOVEit service
Gather affected IPs and additional relevant details that you can pass on to the vendor, helping them to investigate and mitigate the vulnerability.
- Select Attack Surface Intelligence from the Modules menu in the top navigation bar.
- Run a query to find IP addresses in vendor domains that run the MOVEit service:
(and http_favicon_hash:'Unknown favicon MD5: 9DFFE2772E6553E2BB480DDE2FE0C4A6' (or attributed_domain:'example.com'))
Tip: Replace example.com in the query with the name of a domain in your Portfolio. To query on multiple domains, repeat the attributed_domain facet with each desired value. For example:
(and http_favicon_hash:'Unknown favicon MD5: 9DFFE2772E6553E2BB480DDE2FE0C4A6' (or attributed_domain:'example1.com' attributed_domain:'example2.com'))
- View and drill into the query results for more details.
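The multi-domain query from the tip above can be generated from a list of vendor domains instead of being typed by hand. This is an added example, not SecurityScorecard code: the function names, the domain validation rule and the `max_per_query` batch size are assumptions (the page states no limit), and the sample domains are constructed.

```python
import re

# Favicon facet value copied verbatim from the query on this page.
MOVEIT_FAVICON = "Unknown favicon MD5: 9DFFE2772E6553E2BB480DDE2FE0C4A6"

# Assumption: facet values are plain DNS names, so anything else is rejected.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")

def normalize_domain(raw):
    """Lower-case, strip scheme/path/port residue, and validate one domain."""
    d = raw.strip().lower()
    d = re.sub(r"^[a-z][a-z0-9+.-]*://", "", d)          # drop a pasted scheme
    d = d.split("/", 1)[0].split(":", 1)[0].rstrip(".")   # drop path, port, root dot
    if len(d) > 253 or not _DOMAIN_RE.match(d):
        # Also stops quotes or parentheses from breaking the query syntax.
        raise ValueError(f"not a valid domain: {raw!r}")
    return d

def build_queries(domains, max_per_query=25):
    """Return one query string per batch of up to max_per_query unique domains."""
    seen, clean = set(), []
    for raw in domains:
        d = normalize_domain(raw)
        if d not in seen:
            seen.add(d)
            clean.append(d)
    if not clean:
        raise ValueError("no domains supplied")
    queries = []
    for i in range(0, len(clean), max_per_query):
        batch = clean[i:i + max_per_query]
        facets = " ".join(f"attributed_domain:'{d}'" for d in batch)
        queries.append(f"(and http_favicon_hash:'{MOVEIT_FAVICON}' (or {facets}))")
    return queries

if __name__ == "__main__":
    # Constructed sample input, as it might be pasted from a vendor spreadsheet.
    sample = ["https://Example1.com/login", "example2.com", "EXAMPLE1.com."]
    for q in build_queries(sample):
        print(q)
```
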
Send your vendors our MOVEit questionnaire
The MOVEit questionnaire helps you learn what actions vendors are taking to address the MOVEit vulnerability.
- Select Assessments from the Core Tools menu, or select Atlas from the Modules menu if your SecurityScorecard license includes Atlas.
- In either tool, initiate the sending of a questionnaire and then select the MOVEit Questions template.
- Send the questionnaire.
Get help from our incident response team
If you think you or any of your vendors have been attacked because of an exploit of the MOVEit vulnerability, call the SecurityScorecard Incident Response team at +1 800-682-1707 and select option 0.