Skip links

Hold it – another vulnerability found in MOVEit file transfer software

Infosec in brief Security firms helping Progress Software dissect the fallout from a ransomware attack against its MOVEit file transfer suite have discovered an additional exploitable bug.

Progress said the discovery was made by cybersecurity firm Huntress, which it had engaged to conduct a detailed code review of its systems. The newly discovered hole is distinct from the flaw reported and abused earlier, and as such another patch for MOVEit Transfer and MOVEit Cloud have been issued to fix this latest discovered bug.

Progress gave no description of the newfound vulnerability and said a CVE number or numbers are pending.

The original attack – which targeted high-profile companies like British Airways, the BBC and Boots – exploits a SQL injection vulnerability in the MOVEit document transfer app to gain access to environments and exfiltrate data.

Clop, the Russian ransomware gang behind the MOVEit supply chain ransomware attack, likely knew about the bug as far back as 2021, claims risk analysis firm Kroll.

According to Kroll’s forensic review of Microsoft Internet Information Services logs from clients affected by Clop’s MOVEit attack, “observed activity consistent with MOVEit Transfer exploitation” was picked up in multiple client environments in April 2022, and in some as early as July ’21.

The 2021 attack was slow, taking place over a longer period of time (12 days as opposed to two hours in 2022), which Kroll believes suggests the exploit had only recently been discovered and was being tinkered with manually before an automated exploit was developed.

Clop has given MOVEit victims until June 14 to pay its ransom or it will leak stolen data online.

According to Progress, it hasn’t seen any indication that the new vulnerabilities have been exploited, but then again Progress didn’t know Clop may have compromised its code way back in 2021 either.

Critical vulnerabilities: VMware’s off-key Aria

This week’s highlight of critical vulnerabilities kicks off with VMware’s Aria Operations for Networks network monitoring tool, which contains a trio of sequentially filed CVE-numbered vulnerabilities that can be used to execute remote code and perform command injection attacks to steal information. Patches are available for the issues so install ASAP.

In other vulnerability news:

  • Cisco patched a pair of bugs in its Expressway Series and TelePresence VCS software that could be independently used to elevate permissions from admin with read-only access to admin with read-write access.
  • Mozilla released security advisories for Firefox 114 and Firefox ESR 102.12, both of which correct high-severity vulnerabilities that could let an attacker run arbitrary code thanks to a memory corruption bug, and one that could be used to override a certificate error.
  • CISA only had one critical ICS issue to share in Sensormatic Electronics’ Illustra Pro Gen 4 security cameras, which contain a debug mode that could be used to compromise device credentials.
  • CISA noted a single new active exploit taking advantage of type confusion in Google Chrome’s V8 JavaScript engine. An attacker could use it to exploit heap corruption via a specially crafted HTML page.

AN0M: The FBI’s gift that keeps on giving

The FBI’s decision to seed a compromised secure messaging app into the criminal underworld five years ago is still paying dividends. US officials this week offered a $5 million reward for the apprehension of one of the duped criminals who sold access to the compromised comms system.

Swedish national Maximilian Rivkin is wanted in connection with conspiracy to participate in or attempting to participate in transnational organized crime. Rivkin was identified as an “administrator and influencer” on the encrypted messaging app AN0M, which unbeknownst to him was actually developed for the FBI to catch people like him and his customers.

The reward is being offered jointly with the Swedish Police Authority, who have charged Rivkin with narcotics smuggling and trafficking. Rivkin’s communications on AN0M intercepted by police also implicate him in money laundering, kidnapping, murder conspiracies “and other violent acts,” US officials said.

AN0M was developed for the FBI by a confidential source for just $180,000 and over the course of a three-year sting operation netted US authorities 32 tons of drugs, hundreds of firearms, dozens of automobiles and nearly $150 million. Australian authorities had similar success using AN0M, executing over 500 warrants and making 200-plus arrests that resulted in the seizure of more than AU$45 million and 3.7 tons of drugs.

Rivkin was identified as one of 17 administrators of AN0M by the Justice Department in 2021, and was charged by a California grand jury that same year with international conspiracy to participate in a racketeering enterprise.

Over the course of the sting, more than 12,000 AN0M-loaded phones were sold for $2,000 each to criminal syndicates operating around the world. Some 800 arrests have been made around the world in connection with the AN0M sting, though Rivkin remains at large.

If, as is alleged by his rap sheet, he’s responsible for selling compromised phones to international crime syndicates resulting in their downfall, it might be safer to surrender. ®