Regulator, insurers and customers all coming for Progress after MOVEit breach
Also, CISA cataloging new ransomware data points, 17k WP sites hijacked by malware in Sept., and more critical vulns
Infosec in brief The fallout from the exploitation of bugs in Progress Software's MOVEit file transfer software continues, with the US Securities and Exchange Commission (SEC) now investigating the matter, and lots of affected parties seeking compensation.
Progress admitted to the ill winds of corporate responsibility blowing its way in a quarterly SEC 10-Q filing. Per the disclosure, it received a subpoena from the SEC on October 2, in which the Commission asked for "various documents and information relating to the MOVEit Vulnerability."
"At this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws," the application vendor explained, adding that it intends to fully cooperate.
Progress also admitted it's facing a slew of other litigation – both in the US and in other countries – over the breach, far in excess of the dozen or so cases it was reportedly facing as of July.
"We are party to 58 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers," Progress stated in the filing. Those cases were consolidated into a single lawsuit in Massachusetts earlier this month.
Again, that's not all.
Progress has also received "formal letters" from 23 MOVEit customers who claim the vulnerability has cost them money, and some "have indicated that they intend to seek indemnification." In addition, Progress is also facing a subrogation claim from an insurer, which means it's "seeking recovery for all expenses incurred in connection with the MOVEit Vulnerability."
"We have also been cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general," and it's also being investigated by an unnamed federal law enforcement agency.
A recently discovered exploit in another Progress file transferring app, WS_FTP, merited barely a mention in the SEC filing. Progress wrote only that it had patched issues and acknowledged active exploitation.
Critical vulnerabilities of the week
We start this week's list of the latest critical vulnerabilities and known exploits with Fortinet, which released several security updates – including a pair of critical ones in FortiSIEM, FortiManager and FortiAnalyzer.
A bunch of FortiSIEM versions are vulnerable to multiple CVSS 9.7-level path traversal vulnerabilities that can lead to privilege escalation, while FortiManager and FortiAnalyzer (multiple versions) are vulnerable to privilege escalation via specially-crafted HTTP requests (CVSS 8.6). Patches are available for both issues.
As for industrial control systems, despite CISA releasing a 19-item notification list, only a few of the issues were serious:
- CVSS 9.8 – Multiple CVEs: Siemens SCALANCE W1750D WAPs contain a series of vulnerabilities that can allow an attacker to disclose info, deny service and remotely execute code.
- CVSS 9.8 – CVE-2023-36380: Siemens CP-8031 and CP-8050 master modules store a hard-coded ID in their SSH authorized_keys config file, giving anyone with the private key login access to affected devices, which are those with debug support activated.
- CVSS 9.8 – Multiple CVEs: Weintek's common gateway interface used for several of its CMT3000-series devices contains vulnerabilities allowing attackers to hijack control flow and bypass authentication.
- CVSS 9.1 – CVE-2023-4562: Multiple models of Mitsubishi Electric's MELSEC-F PLCs are improperly authenticating, leaving them open to tampering by remote attackers.
- CVSS 8.0 – CVE-2023-43625: All versions of Siemens's Simcenter Amesim software prior to V2021.1 are vulnerable to code injection that could let an attacker perform DLL injection and execute arbitrary code.
As for newly discovered known exploited vulnerabiilties, there's only a couple to report that we didn't cover elsewhere this week. They may not be as severe as the others, but they're still being exploited in the wild, so take care:
- CVSS 7.8 – CVE-2023-21608: If users open malicious PDFs in Acrobat Reader versions 22.003.20282 or 20.005.30418 and earlier, they could find themselves affected by a use after free vulnerability allowing an attacker to execute arbitrary code.
- CVSS 6.6 – CVE-2023-20109: Cisco GET VPN is vulnerable to an OOB write attack that can allow an attacker to execute code and crash affected devices.
CISA adds new ransomware risk cataloging resources
The US Cybersecurity and Infrastructure Security Agency is expanding its pool of resources for those fighting to prevent ransomware infections, with two new initiatives as part of the agency's Ransomware Vulnerability Warning Pilot program.
The first takes the form of a new column in the Agency's Known Exploited Vulnerabilities catalog that indicates whether an actively exploited weakness is known to be used in ransomware campaigns.
The change is already live and present on all vulnerabilities added to the catalog. The aforementioned Progress software exploits, along with Log4j and other well-known vulnerabilities, all indicate that they've been used by ransomware actors.
The second, and arguably more important one for those trying to harden an environment, is the new list of Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns. The catalog isn't CVE-based, and still quite short, listing vulnerable services like RDP, VNC, SMB and the like, and what ports are commonly used to exploit misconfigurations.
17k+ WordPress sites hacked to add malware injector last month
Cyber security firm and GoDaddy subsidiary Sucuri said in a recent report that more than 17,000 WordPress websites have been hit by a cross-site scripting vulnerability in a Composer plugin used by WordPress premium theme maker tagDiv.
Cross-site scripting attacks aren't a new issue for WordPress implementations that use various themes with plugins of questionable origin or software supply chain, and this latest issue seems like more of the same.
In this case, tagDiv's Composer plugin is used in its Newspaper and Newsmag premium themes, which Sucuri said is used by over 135,000 paying customers. Newsmag is in use on another 18,579 sites, but neither figure accounts for pirated copies of the theme, Sucuri noted.
Injectors like Balada hijack legitimate services and can be used to run malicious code on websites to phish users, hijack credentials and steal PII, among other actions. Sucuri includes infection mitigation steps in its report, starting critically with scanning WordPress sites to check for any malicious code – a tool for which Sucuri just happens to have handy. ®