Ipswitch, a subsidiary of Progress Software Corporation, has been hit by a major cybersecurity vulnerability exploited by unknown hackers to attack its MOVEit Transfer software. The software is a popular application for businesses and customers to transfer data securely. Identified as CVE-2023-34362 – a zero-day vulnerability – Progress Software Corporation has issued a critical security advisory warning its customers to take precautionary measures immediately.

The software developer advises all its customers to restrict access to external traffic to ports 80 and 443 on MOVEit Transfer servers until patches have been installed. While Progress notes that the recommendation is necessary, it also concedes that it will affect the operations of certain applications such as MOVEit Automation tasks, API functions, and the plugin functionality of the Outlook MOVEit Transfer.

Vulnerable to SQL injection that leads to remote code execution, cybersecurity company, Rapid7, has identified the zero-day flaw in the software. With approximately 2,500 exposed servers, primarily in the United States, Rapid7 notes a common feature of all exploited devices is the ‘human2.asp’ webshell, which can execute a series of commands if accessed with the correct password. Scarily, these commands enable the attacker to retrieve vast amounts of data from the server, such as lists of stored files, user details, and Azure Blob Storage account configurations.

Reportedly several admins have reported discovering multiple unexpected files post-breach. What is worrying is that the breach likely began over the long Memorial Day weekend in the United States when system monitoring is often at its minimum.

With a potential for data theft and exposure, cybersecurity experts are warning organizations to shut down their MOVEit Transfers until the issue is resolved and a comprehensive investigation for compromise has been conducted.

Charles Carmakal, CTO of Mandiant, strongly suggests that all organizations using MOVEit Transfer should acquire a forensic examination to ascertain whether their system was compromised and if data was stolen. Furthermore, Progress Software has confirmed that its cloud platform was impacted, potentially broadening the scope of victims. The company has released mitigation steps for on-premise and cloud-based systems, and experts recommend organizations follow them.

Microsoft has attributed the attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations and running the infamous Clop extortion site. The software giant has also published articles with IOCs, detections, and hunting guidance and will continue to monitor the situation with stakeholders.

Security experts have uncovered an advanced, targeted cyberattack that leverages Apple’s mobile devices. The attack, named “Triangulation,” is aimed at planting covert spyware into the iPhones of employees of certain companies, including middle and top management personnel.

The cyberattack employs an invisible iMessage carrying a malicious attachment. Utilizing multiple vulnerabilities within the iOS operating system, the attachment is executed on the device, stealthily installing the spyware. This occurs without the need for user action. Once in place, the spyware discreetly relays sensitive data back to remote servers, including microphone recordings, instant messenger photos, geolocation, and other user activity data.

The proprietary nature of iOS makes the detection and removal of this spyware particularly challenging, requiring the use of external tools. A vital sign of the Triangulation presence is disabling iOS updates on the infected device. Additionally, a device backup should be made and checked using a unique utility for a more definitive infection confirmation. Kaspersky is also in the process of developing a free detection tool.

Unfortunately, due to the specific way the spyware blocks iOS updates, there is currently no effective method to remove the Triangulation without losing user data. The only recourse is to reset the infected iPhones to factory settings and install the latest version of the operating system and the entire user environment anew. This is crucial as the spyware can re-infect through vulnerabilities present in an outdated iOS version.

The attack’s sophisticated nature is such that it remained largely undetected until anomalies within the network originating from Apple devices were picked up by Kaspersky’s Unified Monitoring and Analysis Platform (KUMA), a native Security Information and Event Management (SIEM) solution. Subsequent investigations revealed that several dozen iPhones belonging to senior employees were infected with the spyware.

Kaspersky is still investigating this incident, with more information to be shared in a dedicated post on Securelist. They anticipate further details on the global proliferation of this spyware will emerge in the coming days. Despite being targeted in this attack, Kaspersky stresses they were not the primary objective and assures their business processes and user data remain unaffected.