S3 Ep138: I like to MOVEit, MOVEit

2023-06-08 18:56

MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do.

Amongst the things that they could do would be: finding out the structure of your internal databases, so they know what stored where; perhaps downloading and messing with your data; and, optionally for the crooks, injecting what's known as a webshell.

Looking for things like newly created user accounts, unexpected data downloads, and all sorts of other changes that you might not expect and now need to reverse.

Simply explained, it's where you provide data to a program and you say, "Here's a chunk of data I want you to treat it as if it were, let's say, a date."

At some future moment in the execution of the server, you can trick the server into saying, "Hey, remember that data that I sent you that I told you was a date? And you've verified that the number of days was not greater than 31, and that the month was not greater than 12, and that the year was between, say, 1920 and 2099, all of those error checks you've done? Well, actually, forget that! Now, what I want you to do is to take that data that I supplied, that was a legal date, but *I want you to treat it as if it were a memory address*. And I want you to start executing the program that runs there, because you've already accepted the data and you've already decided you trust it."

DOUG. OK, so those three things are bad, and that's the end of the bad things, right?

News URL

https://nakedsecurity.sophos.com/2023/06/08/s3-ep138-i-like-to-moveit-moveit/

#moveit #S3