CVE-2023-34362 - MOVEit Transfer SQL Injection

This pack handles MOVEit Transfer SQL Injection CVE-2023-34362 vulnerability

This pack is part of the Rapid Breach Response pack.

CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.

Summary

A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.

To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download
Yara Rules download
Sigma rules download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Cortex Xpanse external facing instances hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

ASPX file creation by w3wp.exe
IIS compiling binaries via the csc.exe on behalf of the MOVEit
Detects get requests to specific exploitation related files

Mitigations:

Progress official CVE-2023-34362 patch
Progress mitigation measures
Detection Rules
- Yara
- Sigma

References:

MOVEit Transfer Critical Vulnerability (May 2023)

MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response

This pack is part of the Rapid Breach Response pack.

CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.

Summary

To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download
Yara Rules download
Sigma rules download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Cortex Xpanse external facing instances hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

ASPX file creation by w3wp.exe
IIS compiling binaries via the csc.exe on behalf of the MOVEit
Detects get requests to specific exploitation related files

Mitigations:

Progress official CVE-2023-34362 patch
Progress mitigation measures
Detection Rules
- Yara
- Sigma

References:

MOVEit Transfer Critical Vulnerability (May 2023)

MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response

Playbooks

Name

Description

CVE-2023-34362 - MOVEit Transfer SQL Injection

CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.

Summary

To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.

Affected Products

Affected Version	Fixed Version	Documentation
MOVEit Transfer 2023.0.0 (15.0)	MOVEit Transfer 2023.0.1	MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.x (14.1)	MOVEit Transfer 2022.1.5	MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.x (14.0)	MOVEit Transfer 2022.0.4	MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2021.1.x (13.1)	MOVEit Transfer 2021.1.4	MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2021.0.x (13.0)	MOVEit Transfer 2021.0.6	MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2020.1.x (12.1)	Special Patch Available	See KB 000234559
MOVEit Transfer 2020.0.x (12.0) or older	MUST upgrade to a supported version	See MOVEit Transfer Upgrade and Migration Guide

This playbook should be triggered manually or can be configured as a job.

Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download
Yara Rules download
Sigma rules download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Cortex Xpanse external facing instances hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

ASPX file creation by w3wp.exe
IIS compiling binaries via the csc.exe on behalf of the MOVEit
Detects get requests to specific exploitation related files

Mitigations:

Progress official CVE-2023-34362 patch
Progress mitigation measures
Detection Rules
- Yara
- Sigma

References:

CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief

MOVEit Transfer Critical Vulnerability (May 2023)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Playbooks

Name

Description

CVE-2023-34362 - MOVEit Transfer SQL Injection

CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.

Summary

To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.

Affected Products

Affected Version	Fixed Version	Documentation
MOVEit Transfer 2023.0.0 (15.0)	MOVEit Transfer 2023.0.1	MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.x (14.1)	MOVEit Transfer 2022.1.5	MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.x (14.0)	MOVEit Transfer 2022.0.4	MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2021.1.x (13.1)	MOVEit Transfer 2021.1.4	MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2021.0.x (13.0)	MOVEit Transfer 2021.0.6	MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2020.1.x (12.1)	Special Patch Available	See KB 000234559
MOVEit Transfer 2020.0.x (12.0) or older	MUST upgrade to a supported version	See MOVEit Transfer Upgrade and Migration Guide

This playbook should be triggered manually or can be configured as a job.

Please create a new alert and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response alert type.

The playbook includes the following tasks:

IoCs Collection

Blog IoCs download
Yara Rules download
Sigma rules download

Hunting:

Cortex XDR XQL exploitation patterns hunting
Cortex Xpanse external facing instances hunting
Advanced SIEM exploitation patterns hunting
Indicators hunting

The hunting queries are searching for the following activities:

ASPX file creation by w3wp.exe
IIS compiling binaries via the csc.exe on behalf of the MOVEit
Detects get requests to specific exploitation related files

Mitigations:

Progress official CVE-2023-34362 patch
Progress mitigation measures
Detection Rules
- Yara
- Sigma

References:

CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief

MOVEit Transfer Critical Vulnerability (May 2023)

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (7)

Pack Name	Pack By
Azure Log Analytics	By: Cortex XSOAR
Cortex Xpanse by Palo Alto Networks	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

All level dependencies (13)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR