Cleo File Transfer Alert | December 2024
Cleo customers could be at risk due to a critical security flaw. Here's what you need to know.
A critical security flaw (CVE-2023-27997) has been discovered in Fortigate SSL VPNs. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.
Please contact Fortinet customer support for assistance.
_________________________________
As of July 5th, 2023, several new vulnerabilities were announced. Organizations using MOVEit should immediately follow current remediation steps.
On July 5th, 2023 several new vulnerabilities were discovered in MOVEit file transfer software. Progress, the software developer, is recommending users update to the latest fixed version immediately. This is in addition to prior patches that have been applied. Given mass-exploitation currently taking place against MOVEit software, we strongly urge you to take immediate action.
This new vulnerability is in addition to the zero-day vulnerability announced on May 31, 2023 (CVE-2023-34362) that has been under attack by the ransomware group, CLOP. If you followed our prior guidance to update and look for indicators of compromise (thank you), but please note you must now address this new vulnerability.
Attackers can exploit these vulnerabilities to gain unauthorized access to vulnerable systems. There are reports of mass-exploitation including data theft attacks against a large number of vulnerable targets, and at least one threat actor group has begun posting victim data on their leak site. Corvus has observed ransomware groups exploit similar vulnerabilities in file transfer software to steal and encrypt sensitive data. It is crucial that remediation steps are followed.
We encourage your organization to take the following steps recommended by the manufacturer, Progress Software, to mitigate against potential attack:
Check your instance for Indicators of Compromise
Fixed Version (Full Installer): MOVEit Transfer 2023.0.4 (15.0.4)
Documentation: MOVEit 2023 Upgrade Documentation
Release Notes: MOVEit Transfer 2023.0.4 Release Notes
Fixed Version (Full Installer): MOVEit Transfer 2022.1.8 (14.1.8)
Documentation: MOVEit 2022 Upgrade Documentation
Release Notes: MOVEit Transfer 2022.1.8 Release Notes
Fixed Version (Full Installer): MOVEit Transfer 2022.0.7 (14.0.7)
Documentation: MOVEit 2022 Upgrade Documentation
Release Notes: MOVEit Transfer 2022.0.7 Release Notes
Fixed Version (Full Installer): MOVEit Transfer 2021.1.7 (13.1.7)
Documentation: MOVEit 2021 Upgrade Documentation
Release Notes: MOVEit Transfer 2021.1.7 Release Notes
Fixed Version (Full Installer): MOVEit Transfer 2021.0.9 (13.0.9)
Documentation: MOVEit 2021 Upgrade Documentation
Release Notes: MOVEit Transfer 2021.0.9 Release Notes
Fixed Version (Full Installer): Special Service Pack Available
Documentation: See KB 000236387 MOVEit Transfer 2020.1 Service Pack (July 2023)
Release Notes: MOVEit Transfer 2020.1.7 Release Notes
Fixed Version (Full Installer): Must Upgrade to a Supported Version
Documentation: See MOVEit Transfer Upgrade and Migration Guide
Release Notes: N/A
See file attachment cve-2023-34362-iocs.xlsx located at the bottom of the article here.
If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support at: https://community.progress.com/s/supportlink-landing.
If you are a Corvus policyholder, please immediately notify us of a potential claim using the email or hotline on your policy. Additional indicators and investigative context can be found in the articles below:
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
https://www.crowdstrike.com/blog/identifying-data-exfiltration-in-moveit-transfer-investigations/
This alert is provided for informational use only. Organizations will be solely responsible for remediation. Please consult with your IT department for more information or remediation guidance.