CVE-2023-34362
Published 2023-06-02
Priority: P1 (98) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-06-23
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paloalto | cortex_data | — | — |
| paloalto | cortex_xdr | — | — |
| paloalto | cortex_xpanse | — | — |
| paloalto | cortex_xsoar | — | — |
| paloalto | globalprotect | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloalto | prisma_cloud | — | — |
| paloalto | prisma_sd | — | — |
| progress | moveit_cloud | < 14.0.5.45 | 14.0.5.45 |
| progress | moveit_cloud | >= 14.1.0.0 < 14.1.6.97 | 14.1.6.97 |
| progress | moveit_cloud | >= 15.0.0.0 < 15.0.2.39 | 15.0.2.39 |
| progress | moveit_transfer | < 2021.0.7 | 2021.0.7 |
| progress | moveit_transfer | >= 2021.1.0 < 2021.1.5 | 2021.1.5 |
| progress | moveit_transfer | >= 2022.0.0 < 2022.0.5 | 2022.0.5 |
| progress | moveit_transfer | >= 2022.1.0 < 2022.1.6 | 2022.1.6 |
| progress | moveit_transfer | >= 2023.0.0 < 2023.0.2 | 2023.0.2 |
Detection & IOCs (extracted from sources)
Snort
SID 61876-61879, 61936 (Snort 2); SID 61936, 300582, 300583 (Snort 3)
- LemurLoot webshell (human2.aspx) is deployed in the MOVEit Transfer wwwroot directory; hunt for new or modified ASPX files written by the IIS worker process (w3wp.exe) under \MOVEitTransfer\wwwroot\.
- Each LemurLoot payload is dynamically compiled at runtime, resulting in a unique hash per victim; do not rely solely on hash-based detection, use behavioral and log-based hunting instead.
- The exploit chain begins with SQL injection to obtain a sysadmin API token, followed by calling a deserialization function that does not properly validate input to achieve RCE; monitor MOVEit Transfer application and IIS logs for anomalous SQL activity and unexpected API token generation.
- The Check Point IPS blade signature name for this CVE can be used as a detection reference: 'MOVEit Transfer SQL Injection (CVE-2023-34362)'.
- Exploitation affects both internet-facing and on-premises MOVEit Transfer instances; all versions prior to 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1 are vulnerable, including older unsupported versions.
- Threat actors may have begun experimenting with the exploit as early as 2021, well before the May 2023 mass exploitation wave; historical log review should extend back further than the immediate incident window.
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL
Palo Alto
PAN-SA-2023-0003 Informational Bulletin: Impact of MOVEit Vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708)
vendor_paloalto · 2023-06-16 · CVSS 9.8 · CRITICAL
The Palo Alto Networks Product Security Assurance team has evaluated the recently disclosed critical Structured Query Language injection (SQLi) vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) in the MOVEit Transfer product. Palo Alto Networks does not use MOVEit Transfer and is not impacted by these vulnerabilities. Protecting our customers is our highest priority. Palo Alto Networks and its Unit 42 threat research team are continuing to closely monitor all developments. You can find regular updates, as well as Palo Alto Networks product protections and interim guidance here: https://unit42.paloaltonetworks.com/threat-brief-moveit-cve-2023-34362/
CISA
Progress MOVEit Transfer SQL Injection Vulnerability
cisa · 2023-06-02 · CVSS 9.8 · CRITICAL · CWE-89
Affected: Progress MOVEit Transfer
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Required Action: Apply updates per vendor instructions.
Notes: This CVE has a CISA AA located here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. Please see the AA for associated IOCs. Additional information is available at: https://communi
GHSA
GHSA-hq22-q5g8-577g: In Progress MOVEit Transfer before 2021
ghsa_unreviewed · 2023-06-02 · CRITICAL · CWE-89
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.
VulnCheck
Progress MOVEit Transfer SQL Injection Vulnerability
vulncheck · 2023 · CVSS 9.8 · CRITICAL · CWE-89
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Affected: Progress MOVEit Transfer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/alerts/2023/06/01/progress-software-releases-security-advisory-moveit-transfer; https://twitter.com/cglyer/status/166553916246273
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Trigger SQL Injection via guestaccess.aspx - CVE-2023-34362 Stage 2
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Trigger SQL Injection via guestaccess.aspx - CVE-2023-34362 Stage 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/guestaccess.aspx"; fast_pattern; http.request_body; content:"transaction"; nocase; content:"secmsgpost"; within:20; content:"CsrfToken"; nocase; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:attempted-admin; sid:2046192; rev:1; metadata:attack_target Web_Server
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful Folder Request - CVE-2023-34362 Stage 4
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful Folder Request - CVE-2023-34362 Stage 4"; flow:established,to_client; flowbits:isset,ET.CVE-2023-34362.FolderList; http.stat_code; content:"200"; nocase; http.response_body; content:"|22|items|22|"; content:"|22|lastContentChangeTime|22|"; fast_pattern; content:"|22|permission|22|"; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:web-application-activity; sid:2046196; rev:2; metadata:attack_target Web_Server, cre
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - SQLi Payload Creation - CVE-2023-34362 Stage 5a
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - SQLi Payload Creation - CVE-2023-34362 Stage 5a"; flow:established,to_server; http.uri; content:"/moveitisapi/moveitisapi.dll?action=m2"; fast_pattern; http.request_header; header_lowercase; content:"x-silock-transaction|3a 20|folder_add_by_path"; http.request_header; header_lowercase; content:"x-silock-transaction|3a 20|session_setvars"; http.request_header; header_lowercase; content:"x-silock-sessvar"; content:"mypkgselfprovisionedrecips|3a 20|"; within:33; nocase; content:"UPDATE|20|"; nocase; distance:0; content:"fileuploadinfo"; nocase; dis
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Payload Trigger Request - CVE-2023-34362 Stage 5b
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Payload Trigger Request - CVE-2023-34362 Stage 5b"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/api/v1/folders/"; content:"/files"; distance:0; content:"uploadType=resumable"; fast_pattern; content:"fileID="; nocase; isdataat:1,relative; http.request_header; header_lowercase; content:"authorization|3a 20|Bearer"; startswith; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:web-application-activ
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b"; flow:established,to_server; flowbits:set,ET.CVE-2023-34362.CSRF_TOKEN; http.method; content:"POST"; http.uri; content:"/guestaccess.aspx"; fast_pattern; http.request_body; content:"Arg06"; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:attempted-admin; sid:2046190; rev:1; metadata:attack_target Web_Server, created_at 2023_06_12, cve CVE_2023_3
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Folder Request - CVE-2023-34362 Stage 4
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Folder Request - CVE-2023-34362 Stage 4"; flow:established,to_server; flowbits:set,ET.CVE-2023-34362.FolderList; http.method; content:"GET"; http.uri; content:"/api/v1/folders"; fast_pattern; http.request_header; header_lowercase; content:"authorization|3a 20|Bearer"; startswith; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:web-application-activity; sid:2046195; rev:2; metadata:attack_target Web_Server, created_at 2023_06_12, cve C
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - API Token Request - CVE-2023-34362 Stage 3
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - API Token Request - CVE-2023-34362 Stage 3"; flow:established,to_server; flowbits:set,ET.CVE-2023-34362.APIToken; http.method; content:"POST"; http.uri; content:"/api/v1/auth/token"; fast_pattern; http.request_body; content:"grant_type"; nocase; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:web-application-activity; sid:2046193; rev:1; metadata:attack_target Web_Server, created_at 2023_06_12, cve CVE_2023_34362, deployment Perime
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful API Token Request - CVE-2023-34362 Stage 3
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful API Token Request - CVE-2023-34362 Stage 3"; flow:established,to_client; flowbits:isset,ET.CVE-2023-34362.APIToken; http.stat_code; content:"200"; nocase; http.response_body; content:"|22|access_token|22|"; fast_pattern; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:web-application-activity; sid:2046194; rev:2; metadata:attack_target Web_Server, created_at 2023_06_12, cve CVE_2023_34362, deployment Perimeter
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - SQLi Payload Creation - CVE-2023-34362 Stage 1b
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - SQLi Payload Creation - CVE-2023-34362 Stage 1b"; flow:established,to_server; http.uri; content:"/moveitisapi/moveitisapi.dll?action=m2"; fast_pattern; http.request_header; header_lowercase; content:"x-silock-transaction|3a 20|folder_add_by_path"; http.request_header; header_lowercase; content:"x-silock-transaction|3a 20|session_setvars"; http.request_header; header_lowercase; content:"x-silock-sessvar"; content:"mypkgselfprovisionedrecips|3a 20|"; within:33; nocase; http.header_names; to_lowercase; content:"|0d 0a|x-silock-sessvar"; reference:u
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http [$HOME_NET,$HTTP_SERVERS] any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b"; flow:established,to_client; flowbits:isset,ET.CVE-2023-34362.CSRF_TOKEN; http.response_body; content:"csrftoken|22 20|value=|22|"; fast_pattern; reference:url,www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; reference:url,attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis; reference:cve,2023-34362; classtype:successful-admin; sid:2046191; rev:1; metadata:attack_target Web_Server, created_at 2023_06_12, cve CVE_2023_34362, deploymen
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - Guest Account Creation - CVE-2023-34362 Stage 1a
suricata · 2023-06-12 · CVSS 9.8 · CRITICAL
Rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - Guest Account Creation - CVE-2023-34362 Stage 1a"; flow:established,to_server; http.uri; content:"/moveitisapi/moveitisapi.dll?action=m2"; fast_pattern; http.request_header; header_lowercase; content:"x-silock-transaction|3a 20|folder_add_by_path"; http.request_header; header_lowercase; content:"x-silock-transaction|3a 20|session_setvars"; http.request_header; header_lowercase; content:"x-silock-sessvar"; startswith; content:"myusername|3a 20|guest"; within:25; nocase; http.header_names; to_lowercase; content:"|0d 0a|x-silock-sessvar"; referenc
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /guestaccess.aspx (CVE-2023-34362)
suricata · 2023-06-02 · CVSS 9.8 · CRITICAL
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /guestaccess.aspx (CVE-2023-34362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/guestaccess.aspx"; startswith; fast_pattern; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:cve,2023-34362; classtype:web-application-activity; sid:2046054; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, cve CVE_2023_34362, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low,
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /moveitaspi.dll (CVE-2023-34362)
suricata · 2023-06-02 · CVSS 9.8 · CRITICAL
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /moveitaspi.dll (CVE-2023-34362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/moveitisapi/moveitisapi.dll"; fast_pattern; content:"action="; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:cve,2023-34362; classtype:web-application-activity; sid:2046053; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, cve CVE_2023_34362, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, co
```
Suricata
ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /api/v1/folders (CVE-2023-34362)
suricata · 2023-06-02 · CVSS 9.8 · CRITICAL
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /api/v1/folders (CVE-2023-34362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/folders/"; startswith; fast_pattern; content:"/files"; distance:0; content:"UploadType=resumable"; distance:0; reference:url,www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:cve,2023-34362; classtype:web-application-activity; sid:2046055; rev:1; metadata:attack_target Web_Server, created_at 2023_06_02, cve CVE_2023_34362, deployment Perim
```
Metasploit
MOVEit SQL Injection vulnerability
metasploit
This module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak to upload a .NET deserialization payload.
Nuclei
MOVEit Transfer - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned ver
Wiz
RCE meaning: Remote code execution attacks explained | Wiz
blogs_wiz · 2026-02-18
## What is a remote code execution (RCE) attack?
A remote code execution (RCE) attack is a cyberattack where an attacker runs malicious code on a target system from a remote location. This means someone who has no physical access to your servers can still execute commands as if they were sitting at the keyboard.
RCE ranks among the most severe vulnerability classes because attackers often need no authentication or user interaction to exploit it. Once they gain code execution, they can steal sensitive data, install persistent backdoors, escalate privileges, or pivot to other systems on your network.
The consequences extend beyond the initial compromise. A single RCE vulnerability in an internet-facing application can give attackers a foothold to move laterally through your environment, e
Wiz
Vulnerability Threat Intelligence: Turning Data into Defense | Wiz
blogs_wiz · 2025-10-23
## What is vulnerability threat intelligence?
Vulnerability threat intelligence is the practice of combining vulnerability assessment data with real-world threat information to understand which security weaknesses actually matter. This means you're not just looking at a list of vulnerabilities—you're seeing which ones attackers are actively exploiting right now.
TL;DR: Vulnerability threat intelligence combines CVE data with real-world exploitation evidence (CISA KEV, EPSS scores), network exposure, and asset criticality to prioritize which vulnerabilities to fix first—focusing remediation on threats that could actually harm your business.
This approach is also called threat-informed vulnerability management, vulnerability intelligence, or KEV-driven prioritization. Regardless of the te
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense
blogs_huntress · 2025-08-25 · CVSS 8.8 · HIGH
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Greynoiseio
Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity
blogs_greynoiseio · 2025-06-25
Qualys
Qualys Achieves 100% Detection in 2024 MITRE ATT&CK Evaluation | Qualys
blogs_qualys · 2024-12-11
#### Table of Contents
- From Risk Leader to EDR Powerhouse: How Qualys Evolved
- Qualys Performance: Leading the Industry
- Low False Positives: Essential for Effective EDR
- Why MITRE ATT&CK Evaluation Matters
- Qualys Endpoint Detection & Response: A Top Solution
- More Than Detection: A Comprehensive Risk Management Approach
- Advanced Ransomware Mitigation: Protecting Against Worst-Case Scenarios
- Conclusion
## From Risk Leader to EDR Powerhouse: How Qualys Evolved
In today’s rapidly evolving threat landscape, ransomware continues to dominate as one of the most significant cybersecurity challenges. To help organizations evaluate their defenses against these sophisticated threats, the MITRE ATT&CK Evaluations provide a transparent, real-world assessment of security solutions.
The
Sentinelone
The State of Cloud Ransomware in 2024
blogs_sentinelone · 2024-11-14
## Overview
Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security realm. Cloud services inherently provide an advantage over endpoint and web server-based services due to the minimal nature of a cloud service’s attack surface. With the exception of Compute services, which run a virtual operating system in the cloud, cloud services do not provide an entire operating system, which means that the ransomware binaries prevalent on Windows and Linux are unable to attack them effectively.
We have identified several tools designed to target web servers with ransomware or to leverage cloud services to upload files before encrypting local files on an endpoint. There are also far fewer references to scripts designed to perform ransom attacks directly on clo
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer·2024-11-12·CVSS 10.0
[CRITICAL] FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
blogs_tenable·2024-10-22
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
Fortinet
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
blogs_fortinet·2024-10-11·CVSS 7.2
[HIGH] Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
Background
Vulnerabilities Overview and Disclosure
Vulnerabilities Details
Other Findings
Conclusion
Fortinet Protections
MITRE Mapping
IOCs
Network Based Indicators
Host Based Indicators
By Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes | October 11, 2024
Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appli
Tenable
CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability
blogs_tenable·2024-06-25·CVSS 9.1
[CRITICAL] CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability
Tenable
CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
blogs_tenable·2024-06-04·CVSS 9.9
[CRITICAL] CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
Trendmicro
2H 2023: More active RaaS groups and more victims
blogs_trendmicro·2024-04-16·CVSS 9.8
[CRITICAL] 2H 2023: More active RaaS groups and more victims
Ransomware
## 2H 2023: More active RaaS groups and more victims
Our latest report on the state and trends of the ransomware landscape in the second half of 2023 shows that the groups LockBit, BlackCat and Clop were responsible for the most attacks and the highest number of victim organizations.
By: Shingo Matsugaya Apr 16, 2024
Our detailed report is based on data from the leak sites of RaaS and extortion groups, Trend's open-source intelligence (OSINT) research, and Trend Research telemetry collected from July 1 to December 31, 2023. Globally, a rise in the number of active RaaS groups can be seen alongside growing victim counts. Since as early as 2022, LockBit and BlackCat have, through
Unit42
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
blogs_unit42·2024-04-08
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
## It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
Beliz Kaleli
Fang Liu
Peng Peng
Alex Starov
Joey Allen
Stefan Springer
Published: April 8, 2024
## Executive Summary
Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans.
Threat actors have been using scanning methods to pinpoint vulnerabilities in networks or systems for a very long time. Some scanning attacks originate from benign networks likely driven by malware on infected machines. By launching scanning attacks from compromised hosts, attackers can accomplish the following:
- Covering their traces
- Bypassing geofencing
- Expanding botnets
- Leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they cou
Unit42
Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
blogs_unit42·2024-02-05
Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
Doel Santos
Published: February 5, 2024
## Executive Summary
The ransomware landscape experienced significant transformations and challenges in 2023. The year saw a 49% increase in victims reported by ransomware leak sites, with a total of 3,998 posts from various ransomware groups.
What drove this surge of activity? 2023 saw high-profile vulnerabilities like SQL injection for MOVEit and GoAnywhere MFT services. Zero-day exploits for these vulnerabilities drove spikes in ransomware infections by groups like CL0P, LockBit and ALPHV (BlackCat) before defenders could update the vulnerable software.
Leak site data reveals at least 25 new ransomware groups emerged in 2023, indicating the continued attraction of ransomware as a profitable criminal activity. Despite the appearance of new groups such as Darkrace, CryptNet and U-Bomb,
Tenable
CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Vulnerability
blogs_tenable·2024-01-23·CVSS 9.8
[CRITICAL] CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Vulnerability
Wiz
Crying out Cloud – Our Favorite Stories of 2023 | Wiz Blog
blogs_wiz·2024-01-16·CVSS 7.8
[HIGH] Crying out Cloud – Our Favorite Stories of 2023 | Wiz Blog
2023 certainly had its share of tumultuous events that shaped the perceptions of cloud customers everywhere — there were supply chain attacks, critical 0day vulnerabilities and advancements in both AI and AI security that all left their mark on how we approach cloud security. As the year came to a close, the Crying out Cloud team (Eden, Merav and Amitai) sat down to discuss what we felt were our most interesting podcast episodes and newsletter editions of 2023.
# High Profile Vulnerabilities
## Merav’s picks
### Chrome vulnerabilities that weren’t actually Chrome vulnerabilities
(from our newsletter)
Several critical vulnerabilities in Google Chrome were published in 2023. In a few cases, items that fell into the Chrome category were hiding much more interesting vulnerabilities. CVE-2
Sentinelone
MOVEit Transfer Vulnerability used to Drop File-Stealing SQL Shell
blogs_sentinelone·2024-01-07·CVSS 9.8
CVE-2023-34362 [CRITICAL] MOVEit Transfer Vulnerability used to Drop File-Stealing SQL Shell
By Alex Delamotte and James Haughom
SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS `.aspx` payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.
In this post, we provide technical details of the attack chain along with hunting queries and a PowerShell script that can be used to scan for potential exploitation of the MOVEit Transfer vulnerability.
## Overview
Through the last week of May and early June 2023, SentinelOne observed active exploitation of Windows servers running a vulnerable version of Progress Software's MOVEit Transfer file server application. The attack delivers a minimal webshell that the attacker can use to exfiltrate the contents of files, including files hosted in Microsoft Azure when the targeted MOVEit instance is configured to use Azure's blob storage service. As of June 5, the Cl0p ransomware group claimed responsibility for these campaigns.
While exploitation is
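The SentinelOne excerpt mentions a PowerShell scan script but does not reproduce it. The block below is an added example, not SentinelOne's script or hunting queries, of one such hunt: it lists server-side script files (`.aspx`, `.ashx`, `.asmx`) under the MOVEit Transfer web root that are either absent from a known-good baseline or were created or modified on or after the start of the observed exploitation window, since the excerpt describes the post-exploitation artifact as a minimal IIS `.aspx` webshell dropped into the web application. The web root path `C:\MOVEitTransfer\wwwroot`, the baseline file `moveit_aspx_baseline.txt` (one web-root-relative path per line, captured from a clean install of the same version) and the cut-off date are assumptions to adjust for the environment.

```powershell
# Added example (not SentinelOne's script). Hunts for unexpected or recently written
# server-side script files in the MOVEit Transfer web root.
# Assumptions: default web root path, a baseline file listing known-good relative paths,
# and a cut-off date at the start of the late-May 2023 exploitation window.
param(
    [string]$WebRoot      = 'C:\MOVEitTransfer\wwwroot',       # assumed default install path
    [string]$BaselinePath = '.\moveit_aspx_baseline.txt',      # assumed: one relative path per line
    [datetime]$Since      = (Get-Date '2023-05-27')            # assumed start of exploitation window
)

# Load the baseline into a case-insensitive lookup; an empty baseline simply
# means every script file is reported with InBaseline = $false.
$baseline = @{}
if (Test-Path -Path $BaselinePath) {
    Get-Content -Path $BaselinePath |
        Where-Object { $_.Trim() -ne '' } |
        ForEach-Object { $baseline[$_.Trim().ToLowerInvariant()] = $true }
}

# Enumerate every server-side script file IIS would execute from the web root.
$findings = Get-ChildItem -Path $WebRoot -Recurse -File -Include '*.aspx','*.ashx','*.asmx' |
    ForEach-Object {
        $rel        = $_.FullName.Substring($WebRoot.Length).TrimStart('\').ToLowerInvariant()
        $inBaseline = $baseline.ContainsKey($rel)
        $recent     = ($_.CreationTimeUtc -ge $Since) -or ($_.LastWriteTimeUtc -ge $Since)

        # Report anything not in the baseline, and anything written during the window
        # even if it is a known file name (an attacker can overwrite a legitimate page).
        if (-not $inBaseline -or $recent) {
            [pscustomobject]@{
                Path        = $_.FullName
                InBaseline  = $inBaseline
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

if ($findings) {
    $findings | Sort-Object CreatedUtc | Format-Table -AutoSize
} else {
    "No unexpected or recently written server-side script files under $WebRoot"
}
```

Run it from an elevated prompt on the MOVEit host. A hit is a starting point, not proof of compromise: compare the file against the vendor's file list for the installed version, record the hash, and preserve the file for analysis before removing it, because creation timestamps can be altered and a webshell is only the visible stage of the attack chain.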
Qualys
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is
blogs_qualys·2023-12-19
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is
## Table of Contents
2023 Statistics
2023 Vulnerability Threat Landscape
Top Vulnerability Types
Key Insights
Top MITRE ATT&CK Tactics & Techniques
Most Active Threats
Conclusion
As 2023 nears its end, it’s time to pause and reflect. It’s time to assess what worked and what didn’t, what caught our attention and caused disruption, and what went unnoticed. More importantly, we need to know what lessons we learned from 2023 so that we can do a better job of managing risk in the coming year. In line with this, the Qualys Threat Research Unit has prepared a comprehensive blog series to review the threat landscape in 2023.
Key Takeaways:
Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
97 high-risk vulnerabilities, like
Bleepingcomputer
Delta Dental of California data breach exposed info of 7 million people
blogs_bleepingcomputer·2023-12-15·CVSS 9.8
[CRITICAL] Delta Dental of California data breach exposed info of 7 million people
## Delta Dental of California data breach exposed info of 7 million people
## Bill Toulas
Delta Dental of California and its affiliates are warning almost seven million patients that they suffered a data breach after personal data was exposed in a MOVEit Transfer software breach.
Delta Dental of California is a dental insurance provider that covers 45 million people across 15 states and is part of the Delta Dental Plans Association.
According to a Delta Dental of California data breach notification, the company suffered unauthorized access by threat actors through the MOVEit file transfer software application.
The software was vulnerable to a zero-day SQL injection flaw leading to remote code execution, tracked as CVE-2023-34362, which the Clop ransomware gang leveraged to breach th
Zscaler
CVE-2023-47246 | ThreatLabz
blogs_zscaler·2023-11-15·CVSS 9.8
[CRITICAL] CVE-2023-47246 | ThreatLabz
Unit42
Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4)
blogs_unit42·2023-10-04·CVSS 9.8
CVE-2023-34362 [CRITICAL] Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4)
## Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4)
Unit 42
Published: October 4, 2023
Update October 4: We have added additional information using data gathered from Advanced Threat Prevention.
Update July 7: We cover the most recently disclosed vulnerabilities in MOVEit Transfer, as well as the July 2023 service pack.
## Executive Summary
On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Transfer product. MOVEit Transfer is a managed file transfer (MFT) application intended to provide secure collaboration and automated file transfers of sensitive data.
Update: On June 9 and June 15, Progress Software alerted customers of additional SQL Injection vulnerabilities (also rated critical by Progress and got assigned CVE-2023-35036 and CVE-2023-35708, re
Bleepingcomputer
Sony confirms data breach impacting thousands in the U.S.
blogs_bleepingcomputer·2023-10-04·CVSS 9.8
CVE-2023-34362 [CRITICAL] Sony confirms data breach impacting thousands in the U.S.
## Sony confirms data breach impacting thousands in the U.S.
## Bill Toulas
Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information.
The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.
The zero-day is CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution, leveraged by the Clop ransomware in large-scale attacks that compromised numerous organizations across the world.
Clop ransomware gang added Sony Group to its list of victims in late June. However, the firm did not provide a public
Qualys
Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys
blogs_qualys·2023-09-26·CVSS 7.8
[HIGH] Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys
#### Table of Contents
- 7 Key Insights by the Qualys Threat Research Unit
- A Closer Look at the Top 10 Exploited Vulnerabilities of 2023
- Optimizing Risk Management with Qualys VMDR TruRiskDashboard
- Next Steps: Reduce Your Risk to the Top 10 Vulnerabilities with Qualys VMDR
- Additional Contributors:
The Qualys Threat Research Unit (TRU) has thoroughly analyzed vulnerabilities reported in 2023. Our comprehensive study assesses factors including weaponization status, existence in the CISA KEV, instances or usage of malware and ransomware, trending vulnerabilities, various scoring metrics, and recency of threats. Insights for the Top 10 vulnerabilities during 2023 are also based on evidence of exploitation, patch adoption rates, and the longevity of vulnerabilities.
## 7 Key Insights
Bleepingcomputer
SickKids impacted by BORN Ontario data breach that hit 3.4 million
blogs_bleepingcomputer·2023-09-26·CVSS 9.8
[CRITICAL] SickKids impacted by BORN Ontario data breach that hit 3.4 million
## SickKids impacted by BORN Ontario data breach that hit 3.4 million
## Ax Sharma
The Hospital for Sick Children, more commonly known as SickKids, is among healthcare providers that were impacted by the recent breach at BORN Ontario.
The top Canadian pediatric hospital disclosed that as a part of its operations, it shares personal health information with BORN Ontario "related to pregnancy, birth and newborn care."
The BORN Ontario data breach that impacted 3.4 million people was caused by the exploitation of a well-known zero-day vulnerability (CVE-2023-34362) in Progress MOVEit Transfer software.
## SickKids also hit by BORN Ontario breach
On Monday, September 25th, SickKids disclosed that it is "among the many Ontario healthcare providers" that share sensitive health information w
Trendmicro
Linux systems frequently under attack
blogs_trendmicro·2023-09-07·CVSS 9.8
[CRITICAL] Linux systems frequently under attack
Cyber threats
## Linux systems frequently under attack
Linux report: old security vulnerabilities and new technology are the main cause of malware infections on these systems. Ransomware attacks are on the rise, but so are cryptocurrency miners, web shell attacks and rootkits.
By: Pawan Kinger Sep 07, 2023
Linux continues to grow in popularity in the IT world. Companies typically turn to the open-source operating system above all for web servers and embedded systems. Around 81 percent of all websites run on Linux, and 90 percent of all public cloud workloads are operated on the open-source alternative. Apache, Nginx and many services on Amazon Web Services (AWS) are just a small sample of popular Linux-based
Securelist
IT threat evolution in Q2 2023. Non-mobile statistics
blogs_securelist·2023-08-30
IT threat evolution in Q2 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
Attacks on municipal organizations, educational and healthcare establishments
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT
Securelist
PC malware statistics, Q2 2022
blogs_securelist·2023-08-30
PC malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Talos
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
blogs_talos·2023-07-26
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
Cisco Talos Incident Response (Talos IR) responded to a growing number of data theft extortion incidents that did not involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023.
In this type of attack, threat actors steal victim data and threaten to leak or sell it unless the victim pays varying sums of money, eliminating the need to deploy ransomware or encrypt data. This differs from the double-extortion ransomware method, whereby adversaries exfiltrate and encrypt files and demand payment for victims to receive a decryption key.
Ransomware was the second most-observed threat this qu
Fortinet
Ransomware Roundup - Cl0p | FortiGuard Labs
blogs_fortinet·2023-07-21·CVSS 9.8
[CRITICAL] Ransomware Roundup - Cl0p | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Ransomware Roundup - Cl0p
By Shunichi Imano and James Slaughter | July 21, 2023
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Cl0p ransomware.
Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows, Linux Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
Recently, the Cl0p ransomware group received
Zscaler
TOITOIN Trojan: A New Multi-Stage Attack Targeting LATAM
blogs_zscaler·2023-07-07
TOITOIN Trojan: A New Multi-Stage Attack Targeting LATAM
Huntress
Move It on Over: Reflecting on the MOVEit Exploitation | Huntress
blogs_huntress·2023-07-07·CVSS 9.8
CVE-2023-34362 [CRITICAL] Move It on Over: Reflecting on the MOVEit Exploitation | Huntress
In late May 2023, customers running the popular MOVEit file transfer software faced multiple, unexplained intrusions. As previously documented by Huntress, MOVEit customers found themselves the victim of an actively exploited zero-day vulnerability, since tracked as CVE-2023-34362. Following the initial discovery, the criminal entity typically referred to as cl0p took credit for the widespread exploitation of MOVEit instances.
After initial reports of the MOVEit vulnerability and active exploitation, security practitioners and network owners observed a steady release of victims, via the cl0p leak site. Superficially, this would appear to indicate that the vulnerability is under continued, active exploitation even after a patch for CVE-2023-34362 was released. However, closer analysis i
Wiz
Crying Out Cloud - June's Newsletter | Wiz
blogs_wiz·2023-07-03·CVSS 9.8
[CRITICAL] Crying Out Cloud - June's Newsletter | Wiz
The past month has brought a series of vulnerabilities and security incidents that have left users affected. Amidst the noise, we've taken it upon ourselves to curate the most significant developments for you.
Here are our top picks of cloud security highlights!
## ✨ Highlights
## Three MOVEit Transfer vulnerabilities
Since May 31, 2023, Progress has been publishing details of vulnerabilities in MOVEit Transfer. Some of these vulnerabilities are known to have been exploited in-the-wild by the Cl0p ransomware group. Users are urgently advised to patch to the latest fixed version. MOVEit Transfer is a Windows-Server-based managed file transfer (MFT) service developed by Ipswitch, a subsidiary of Progress.
An SQL injection vulnerability (CVE-2023-34362) was found in the MOVEit Transfer w
Fortinet
New Fast-Developing ThirdEye Infostealer Pries Open System Information | FortiGuard Labs
blogs_fortinet·2023-06-27
New Fast-Developing ThirdEye Infostealer Pries Open System Information | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Fast-Developing ThirdEye Infostealer Pries Open System Information
By Fred Gutierrez, James Slaughter, and Shunichi Imano | June 27, 2023
Affected platforms: Windows
Impacted parties: Windows Users
Impact: The information collected can be used for future attacks
Severity level: Medium
FortiGuard Labs recently came across files that look suspicious, even during a cursory review. Our subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer we have named “ThirdEye”. While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks.
This blog po
Sentinelone
CVE-2023-34362: Unmasking MOVEit Transfer Vulnerability
blogs_sentinelone·2023-06-26·CVSS 9.8
CVE-2023-34362 [CRITICAL] CVE-2023-34362: Unmasking MOVEit Transfer Vulnerability
On May 31, 2023, Progress Software Corporation announced a critical vulnerability in their MOVEit Transfer software application. The vulnerability, assigned the CVE identifier CVE-2023-34362, is a SQL injection vulnerability that could allow an unauthenticated attacker to gain access to the MOVEit Transfer database.
The vulnerability exists in the MOVEit Transfer web application. It was found in all versions of MOVEit Transfer prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
An attacker who successfully exploits this vulnerability could gain access to the MOVEit Transfer database. This could allow the attacker to steal sensitive data, such as usernames, passwords, and credit card numbers. The attacker could also use this access t
Tenable
Cybersecurity Snapshot: As Feds Hunt CL0P Gang, Check Out Tips on Ransomware Response, Secure Cloud Management and Cloud App Data Privacy
blogs_tenable·2023-06-23
Cybersecurity Snapshot: As Feds Hunt CL0P Gang, Check Out Tips on Ransomware Response, Secure Cloud Management and Cloud App Data Privacy
Talos
Cybersecurity hotlines at colleges could go a long way toward filling the skills gap
blogs_talos·2023-06-22
Cybersecurity hotlines at colleges could go a long way toward filling the skills gap
Welcome to this week’s edition of the Threat Source newsletter.
I recently stumbled upon news that the University of Texas at Austin is launching a new cybersecurity clinic run by faculty and students studying security and IT at the university. This clinic offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.
That news led me to another discovery: Clinics like these are actually more common than you’d think.
Though UT Austin’s clinic is one of the newest ones to exist in the U.S., similar programs at the University of California Berkeley and the University of Indiana have been around for four-plus
Talos
Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group
blogs_talos·2023-06-16·CVSS 9.8
CVE-2023-34362 [CRITICAL] Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group
- Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
- Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
- The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
- Two more vulnerabilities have sinc
Tenable
FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
blogs_tenable·2023-06-16
FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
Talos
URLs have always been a great hiding place for threat actors
blogs_talos·2023-06-15
URLs have always been a great hiding place for threat actors
Welcome to this week’s edition of the Threat Source newsletter.
Talos’ recent blog post on the dangers posed by the newly released “.zip” top-level domain (TLD) outlined how threat actors could create real URLs that look like file names and trick users into clicking on their links. .Zip and other TLDs that share characters with filename extensions also open the door to accidental information leaks.
But these are far from the first TLDs to be problematic for users, especially those who are less educated about the verbiage that makes the internet work as intended.
The same day .zip was released as a TLD for anyone to register, the Internet Corporation for Assigned Names and Numbers (ICANN) also made .mov available as a TLD. The tricks here are obvious — think of someone who woul
Sentinelone
Anatomy of a Cloud Incident | SentinelOne’s Vigilance vs. IceFire Ransomware
blogs_sentinelone·2023-06-14
Anatomy of a Cloud Incident | SentinelOne’s Vigilance vs. IceFire Ransomware
Cloud computing has fundamentally transformed how modern businesses interact with their data. Having enabled enterprises of all sizes and industries with both freedom and flexibility for the past two decades, cloud technology and services are now a key competitive advantage for many.
In the Cloud Computing Statistics Report by G2, the numbers show the steady ascent of cloud-first operations. By 2025, 85% of organizations will be cloud-based and hold over 60% of all corporate data in at least one public or private cloud. These mass waves of cloud adoption have also introduced higher financial stakes. In 2022 alone, cloud technologies represented approximately 25% of the $919 billion spent by enterprises globally.
Given these high financial stakes, data processed and stored on cloud infrastru
Checkpoint
12th June – Threat Intelligence Report
blogs_checkpoint·2023-06-12·CVSS 9.8
CVE-2023-34362 [CRITICAL] 12th June – Threat Intelligence Report
## 12th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th June, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
Cl0p ransomware gang claimed responsibility for a major exploitation of a managed file transfer tool – The gang leveraged a zero-day SQL injection vulnerability (CVE-2023-34362) that potentially exposed the data of hundreds of companies. One of the victims was the payroll services provider Zellis, which caused the exposure of employe
Dfir Report
A Truly Graceful Wipe Out
blogs_dfir_report·2023-06-12
A Truly Graceful Wipe Out
Zscaler
Coverage Advisory for MOVEit | ThreatLabz
blogs_zscaler·2023-06-09·CVSS 9.8
[CRITICAL] Coverage Advisory for MOVEit | ThreatLabz
Talos
Now’s not the time to take our foot off the gas when it comes to fighting disinformation online
blogs_talos·2023-06-08
Now’s not the time to take our foot off the gas when it comes to fighting disinformation online
## Now’s not the time to take our foot off the gas when it comes to fighting disinformation online
Welcome to this week’s edition of the Threat Source newsletter.
In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections.
Now I’m worried we’re already moving backward with another presidential election just around the corner (somehow).
In November, Twitter laid off a huge swath of its staff that heavily affected the teams tasked with keeping misinformation and fake news off the platform. Google reportedly laid off several experts on the matter at YouTube, leaving only one person solely in charge of the platform’s misinformation po
Fortinet
MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day | FortiGuard Labs
blogs_fortinet·2023-06-08·CVSS 9.8
CVE-2023-34362 [CRITICAL] MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day
By James Slaughter, Fred Gutierrez, and Shunichi Imano | June 08, 2023
Affected Platforms: All unpatched MOVEit Transfer versions running a SQL database
Impacted Users: Any organization that uses a vulnerable version of MOVEit Transfer
Impact: Remote attackers can install a backdoor and exfiltrate data
Severity Level: High
FortiGuard Labs is aware of a critical zero-day SQL injection vulnerability in the MOVEit Secure Managed File Transfer software (CVE-2023-34362) allegedly exploited by the Cl0p ransomware threat actor. High-profile government, finance, media, aviation, and healthcare organizations have reportedly been affected, with data exfiltrated and stolen.
Due to its seve
Qualys
Progress MOVEit Transfer Vulnerability Being Actively Exploited | Qualys
blogs_qualys·2023-06-07·CVSS 9.8
CVE-2023-34362 [CRITICAL] Progress MOVEit Transfer Vulnerability Being Actively Exploited | Qualys
#### Table of Contents
- Vulnerability Analysis
- Active Exploitation
- Detecting the Vulnerability
- Remediating the Vulnerability
- Leverage Qualys Custom Assessment and Remediation (CAR) To Mitigate Risk
- Detecting Exploitation
- Discover Vulnerable Instances Using Qualys Web Application Scanning (WAS)
- Detection via File Integrity Monitoring
On June 2nd, CVE-2023-34362 was published against the Progress MOVEit Transfer product and was quickly added to CISA’s Known Exploited Vulnerabilities Catalog. MOVEit Transfer is a managed file transfer solution available as an on-premise solution that enables file transfer between business partners and customers. The vulnerability affects all versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0
Wiz
Crying Out Cloud - May Newsletter | Wiz
blogs_wiz·2023-06-06·CVSS 7.5
[HIGH] Crying Out Cloud - May Newsletter | Wiz
Over the last month, we've seen a couple of vulnerabilities pop up and some users have felt the impact of security incidents. We know you're busy too, so we've sifted through the noise to bring you the real game-changers, no fluff attached.
Without further ado, here are our handpicked cloud security highlights!
## ✨ Highlights
## RCE 0-day vulnerability in MOVEit Transfer exploited in the wild
On May 31, 2023, Progress published details of an RCE 0day vulnerability being exploited in-the-wild in MOVEit Transfer (CVE-2023-34362), a Windows-Server-based managed file transfer (MFT) service. Users are urgently advised to patch to the fixed version. While our own data shows MOVEit Transfer can be found in less than 1% of cloud environments, based on other reports, most publicly exposed inst
Checkpoint
5th June – Threat Intelligence Report
blogs_checkpoint·2023-06-05
CVE-2023-34362 5th June – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 5th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th June, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
One of the United States’ largest dental insurers, MCNA, has notified regulators that information of 8.9 million of the company’s customers has been leaked as a result of a ransomware attack. Notorious ransomware gang LockBit has claimed the attack, and has allegedly posted the data in its shame blog.
Check Point Harmony Endpoint
Wiz
CVE-2023-34362 RCE vulnerability in MOVEit Transfer exploited in the wild: everything you need to know | Wiz Blog
blogs_wiz·2023-06-04·CVSS 9.8
CVE-2023-34362 [CRITICAL] CVE-2023-34362 RCE vulnerability in MOVEit Transfer exploited in the wild: everything you need to know | Wiz Blog
On May 31, 2023, Progress published details of a critical remote code execution (RCE) 0-day vulnerability in MOVEit Transfer being exploited in-the-wild (CVE-2023-34362).
CVE-2023-34362 was assigned to this vulnerability on June 2, 2023, and according to the vendor, exploitation has been observed since May 2023, though there have been reports of possible exploitation going back to March 2023 or even mid-2021. Users are urgently advised to patch to the fixed version, and stay up-to-date on the latest information about this ongoing issue.
### June 10 update:
On June 9, 2023, Progress published details of a second critical SQL injection vulnerability in MOVEit Transfer (CVE-2023-35036). An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result i
Tenable
CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
blogs_tenable·2023-06-02·CVSS 9.8
[CRITICAL] CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
Huntress
MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response
blogs_huntress·2023-06-01·CVSS 9.8
[CRITICAL] MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response
UPDATED: 1 June 2023 @ 1733 ET - Added shareable Huntress YARA rule for assistance in detection effort
UPDATED: 1 June 2023 @ 2023 ET - Added Kostas community Sigma rule to assist in detection efforts
UPDATED: 1 June 2023 @ 2029 ET - Added screenshots for the DLL that creates the human2.aspx file
UPDATED: 2 June 2023 @ 1210 ET - Added CVE identification
UPDATED: 2 June 2023 @ 1750 ET - Added registry locations for enriched investigation and analysis
UPDATED: 5 June 2023 @ 1323 ET - Added video demonstration of proof-of-concept exploitation
UPDATED: 5 June 2023 @ 2116 ET - Added video demonstration of RCE and ransomware
LAST UPDATED: 12 June 2023 @ 1101 ET - Added latest CVE and other proof-of-concept details
On June 1, 2023, Huntress was made aware of active exploitation attempts aga
Recorded Future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
blogs_recorded_future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
# IPv6 Drip Drowns Spray-and-Pray
## AI Hackathons and the Future of Security Architecture
Last week, a few Futurists met up to work out the practical realities of AI-enabled Red Teaming (among other topics). In addition to two days of phenomenal vibe coding in Cursor, the final presentations were light on hyperbole and heavy on capabilities and remarkable outcomes, created in a day or less. Two years ago, when LLMs made their mainstream debut, I was dubious, but the hackathon confirmed recent observations (last three months) that AI is accelerating security workflows (like everything else) at warp speed. Change, soon driven primarily through various agentic flavors, is happening at a pace that is difficult to comprehend.
The flight home was spent considering how to get ahead of the adv
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
Crowdstrike
Data Exfiltration for MOVEit Transfer Exploit
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Data Exfiltration for MOVEit Transfer Exploit
Huntress
MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response | Huntress
blogs_huntress·CVSS 9.8
[CRITICAL] MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response | Huntress
UPDATED: 1 June 2023 @ 1733 ET - Added shareable Huntress YARA rule for assistance in detection effort
UPDATED: 1 June 2023 @ 2023 ET - Added Kostas community Sigma rule to assist in detection efforts
UPDATED: 1 June 2023 @ 2029 ET - Added screenshots for the DLL that creates the human2.aspx file
UPDATED: 2 June 2023 @ 1210 ET - Added CVE identification
UPDATED: 2 June 2023 @ 1750 ET - Added registry locations for enriched investigation and analysis
UPDATED: 5 June 2023 @ 1323 ET - Added video demonstration of proof-of-concept exploitation
UPDATED: 5 June 2023 @ 2116 ET - Added video demonstration of RCE and ransomware
LAST UPDATED 12 June 2023 @ 1101 ET - Added latest CVE and other proof-of-concept details
On June 1, 2023, Huntress was made aware of active exploitation attempts aga
Greynoiseio
GreyNoise Round Up: Product Updates
blogs_greynoiseio
GreyNoise Round Up: Product Updates
Recorded Future
How to Mitigate Supply Chain Attacks
blogs_recorded_future
How to Mitigate Supply Chain Attacks
## Supply Chain Attacks: Moving From Third-Party Risk Checklists To Intelligence-Led Monitoring
Supply chain attacks are now one of the most pressing challenges in cybersecurity. By exploiting trusted vendors, contractors, and third-party services, adversaries can bypass even the strongest internal defenses. Recent incidents like SolarWinds and the MOVEit breach have shown that just a single weak link can cause tremendous damage and impact thousands of organizations at once.
Traditionally, third-party risk management has been done with static checklists, questionnaires, and periodic audits. These methods will tell you what a vendor’s security looked like at the moment you asked the questions or ran the audit, but attackers don’t wait for your next scheduled check-in. Every day spent wai
Greynoiseio
The First Day Of Tagsmas (2023): Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The First Day Of Tagsmas (2023): Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)
Greynoiseio
Decoding Mass Exploitation in 2023: A GreyNoise Perspective | GreyNoise Blog
blogs_greynoiseio
Decoding Mass Exploitation in 2023: A GreyNoise Perspective | GreyNoise Blog
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
Recorded Future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
blogs_recorded_future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
## IPv6 Drip Drowns Spray-and-Pray
## AI Hackathons and the Future of Security Architecture
Last week, a few Futurists met up to work out the practical realities of AI-enabled Red Teaming (among other topics). In addition to two days of phenomenal vibe coding in Cursor, the final presentations were light on hyperbole and heavy on capabilities and remarkable outcomes, created in a day or less. Two years ago, when LLMs made their mainstream debut, I was dubious, but the hackathon confirmed recent observations (last three months) that AI is accelerating security workflows (like everything else) at warp speed. Change, soon driven primarily through various agentic flavors, is happening at a pace that is difficult to comprehend.
The flight home was spent considering how to get ahead of the a
Greynoiseio
Progress’ MOVEit Transfer Critical Vulnerability
blogs_greynoiseio·CVSS 9.8
[CRITICAL] Progress’ MOVEit Transfer Critical Vulnerability
Zscaler
CISO Monthly Roundup, June 2023: ThreatLabz annual State of Ransomware report, understanding RedEnergy Stealer-as-a-Ransomware, investigating Bandit Stealer, exposing Mystic Stealer, and MOVEit vulner
blogs_zscaler
CISO Monthly Roundup, June 2023: ThreatLabz annual State of Ransomware report, understanding RedEnergy Stealer-as-a-Ransomware, investigating Bandit Stealer, exposing Mystic Stealer, and MOVEit vulner
## CISO Monthly Roundup, June 2023: ThreatLabz annual State of Ransomware report, understanding RedEnergy Stealer-as-a-Ransomware, investigating Bandit Stealer, exposing Mystic Stealer, and MOVEit vulnerability guidance
Deepen Desai
Contributor
Zscaler
## Jul 7, 2023
The June CISO Monthly Roundup covers the latest ThreatLabz Ransomware Report findings, understanding RedEnergy, investigating Bandit and Mystic stealers, and more.
The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. Over the past month, ThreatLabz released the 2023 State of Ransomware report, analyzed RedEnergy Stealer-as-a-Ransomware, investigated Bandit Stealer, examined Mystic Stealer, and offered MO
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
blogs_huntress·CVSS 8.8
[HIGH] Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Crowdstrike
Discovering the MOVEit Transfer Vulnerability
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Discovering the MOVEit Transfer Vulnerability
Huntress
Move It on Over: Reflecting on the MOVEit Exploitation | Huntress
blogs_huntress·CVSS 9.8
CVE-2023-34362 [CRITICAL] Move It on Over: Reflecting on the MOVEit Exploitation | Huntress
In late May 2023, customers running the popular MOVEit file transfer software faced multiple, unexplained intrusions. As previously documented by Huntress, MOVEit customers found themselves the victim of an actively exploited zero-day vulnerability, since tracked as CVE-2023-34362. Following the initial discovery, the criminal entity typically referred to as cl0p took credit for the widespread exploitation of MOVEit instances.
After initial reports of the MOVEit vulnerability and active exploitation, security practitioners and network owners observed a steady release of victims, via the cl0p leak site. Superficially, this would appear to indicate that the vulnerability is under continued, active exploitation even after a patch for CVE-2023-34362 was released. However, closer analysis indi
arXiv
Leveraging Large Language Models for Trustworthiness Assessment of Web Applications
arxiv_fulltext·2026-03
Leveraging Large Language Models for Trustworthiness Assessment of Web Applications
Leveraging Large Language Models for Trustworthiness Assessment of Web Applications
1st Oleksandr Yarotskyi
University of Coimbra
CISUC/LASI, DEI
Coimbra, Portugal
[email protected]
2nd José D'Abruzzo Pereira
University of Coimbra
CISUC/LASI, DEI
Coimbra, Portugal
[email protected]
3rd João R. Campos
University of Coimbra
CISUC/LASI, DEI
Coimbra, Portugal
[email protected]
## Abstract
The widespread use of web applications has increased their importance in all sectors, simultaneously exposing them to a growing array of sophisticated cyber threats.
The protection of security and reliability of such applications calls for new approaches that can overcome traditional security measures that often suffer from the pitfalls of high false positive rates, l
arXiv
Real-VulLLM: An LLM Based Assessment Framework in the Wild
arxiv_fulltext·2025-10-05
Real-VulLLM: An LLM Based Assessment Framework in the Wild
Real-VulLLM: An LLM Based Assessment Framework in the Wild
Rijha Safdar, Danyail Mateen, Syed Taha Ali and Wajahat Hussain
R. Safdar, S.T. Ali and W. Hussain are with the School of Electrical Engineering and Computer Science, National University of Sciences and Technology, Islamabad, Pakistan, 44000. e-mail: [email protected], [email protected], [email protected]
D. Mateen is with the Department of Computer Science, Fast University, Islamabad, Pakistan, 44000.
## Abstract
Artificial Intelligence (AI) and more specifically Large Language Models (LLMs) have demonstrated exceptional progress in multiple areas including software engineering, however, their capability for vulnerability detection in the wild scenario and its corresponding reasoning remains
arXiv
Benchmarking LLM-Assisted Blue Teaming via Standardized Threat Hunting
arxiv_fulltext·2025-10-01
Benchmarking LLM-Assisted Blue Teaming via Standardized Threat Hunting
## Abstract
As cyber threats continue to grow in scale and sophistication, blue team defenders increasingly require advanced tools to proactively detect and mitigate risks. Large Language Models (LLMs) offer promising capabilities for enhancing threat analysis. However, their effectiveness in real-world blue team threat-hunting scenarios remains insufficiently explored. This paper presents , a benchmark designed to guide LLMs in blue teaming practice. constructs a standardized workflow in two stages. First, it models realistic threat-hunting workflows by capturing the dependencies among analytical tasks from threat attribution to incident response. Next, each task is addressed through a set of operational modules tailored to its specific analytical requirements.
This transforms threat hun
NCSC
A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
ncsc·2025-01-28
A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
## A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
Research from the NCSC designed to eradicate vulnerability classes and make the top-level mitigations easier to implement.
On this page
- Scope
- Background
- Research methodology
- Assessing ‘ease of implementation'
- Analysis of top-level mitigations
- Worked example: applying methodology to a recent vulnerability
- Conclusions
- References
## Executive Summary
All systems contain vulnerabilities. In fact, the number of Common Vulnerabilities and Exposures (CVEs) in commodity technology continues to rise. While there are a number of factors that are driving the increasing numbers, the NCSC expect this trend to conti
arXiv
Investigating the Temporal Dynamics of Cyber Threat Intelligence
arxiv_fulltext·2024-12-26
Investigating the Temporal Dynamics of Cyber Threat Intelligence
Investigating the Temporal Dynamics of Cyber Threat Intelligence
Angel Kodituwakku, Clark Xu,
Daniel Rogers, and David K. Ahn
Centripetal Networks
Reston, VA, USA
[email protected]
Errin W. Fulp
Department of Computer Science
Wake Forest University
Winston-Salem, NC, USA
[email protected]
## Abstract
Indicators of Compromise (IoCs) play a crucial role in the rapid detection and mitigation of cyber threats. However, the existing body of literature lacks in-depth analytical studies on the temporal aspects of IoC publication, especially when considering up-to-date datasets related to Common Vulnerabilities and Exposures (CVEs). This paper addresses this gap by conducting an analysis of the timeliness and comprehensiveness of Cyber Threat Intelligence (CTI) pertaining to several
arXiv
Efficacy of EPSS in High Severity CVEs found in KEV
arxiv_fulltext·2024-11-04
Efficacy of EPSS in High Severity CVEs found in KEV
## Abstract
The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies ar
arXiv
A RAG-Based Question-Answering Solution for Cyber-Attack Investigation and Attribution
arxiv_fulltext·2024-08-12
A RAG-Based Question-Answering Solution for Cyber-Attack Investigation and Attribution
A RAG-Based Question-Answering Solution for Cyber-Attack Investigation and Attribution
Sampath Rajapaksha (ORCID 0000-0001-7772-3774)
Ruby Rani (ORCID 0000-0003-1257-8478)
Erisa Karafili (ORCID 0000-0002-8250-4389)
These authors contributed equally to this work. Thus, the alphabetical order is applied.
University of Southampton
University Road, Southampton SO17 1BJ, UK
{srwg1m24, r.rani, e.karafili}@soton.ac.uk
## Abstract
In the constantly evolving field of cybersecurity, it is imperative for analysts to stay abreast of the latest attack trends and pertinent information that aids in the investigation and attribution of cyber-attacks. In this work, we introduce the first question-answering (QA) model and its applicati
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext·2024-07-31
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath*
University of Adelaide, Australia
[email protected]
Hussain Ahmad* (corresponding author)
University of Adelaide, Australia
[email protected]
Diksha Goel
CSIRO's Data61, Australia
[email protected]
Muhammad Shuja Syed
SLB, USA
[email protected]
Faheem Ullah
University of Adelaide, Australia
[email protected]
*Authors contributed equally to this work.
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
- http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34362
Published: 2023-06-02
Added to CISA KEV: 2023-06-02
Exploited in the wild