Hello and welcome to the Monday, June 5th, 2023 edition of the Science and at Storm Thunder's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

I want to start out with a vulnerability that I already covered on Friday but has been really a big issue this weekend, so I do want to cover it again.

It's a vulnerability in Move It Transfer.

Move It Transfer is software that's used to transfer files, often used in larger organizations.

It does support a number of different protocols. HDP, HDPS is affected here.

The root cause is a SQL injection vulnerability, but a SQL injection vulnerability that does

allow arbitrary code execution. Typically, an ad hacker will use it to upload a web shell. Once they have

a web shell, of course, then this sky is the limit, and they'll do whatever they need to do,

to for example, exfiltrate additional files, or maybe upload and run additional code.

Initially, the vulnerability was made public by progress,

the company behind Moved Transfer on May 31st.

There are patches available, at least for the more recent versions of Moved Transfer.

However, the exploit has also been pretty much released as soon as the patch was released

so now you have bots basically scanning the internet and exploiting exposed instances if you do have an

exposed instant of move it, assume it has been compromised,

even if you have applied the patch as early as Friday, just because by that time already

we saw a ton of the exploits going around and looking for exposed systems.

The CVE ID of the vulnerability is 2023-34-362.

And if for whatever reason you're not able to patch,

well, then you pretty much are left with disabling HTTP,

which I don't think is really that much of a real solution for this particular problem.

...