A zero-day vulnerability affecting Progress Software’s MOVEit Transfer product has been exploited to hack organizations and steal their data.
Progress Software warned on May 31 that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability that can be exploited by an unauthenticated attacker to access MOVEit Transfer databases.
“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the vendor said.
A CVE identifier is in the process of being assigned to the vulnerability.
Progress’ advisory is confusing as it states that the company is working on patches, but it also lists updated versions that should fix the security hole. Patches should be included in versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). The cloud version of the product appears to be impacted as well.
The company’s advisory does not clearly state that the vulnerability has been exploited in the wild, but it does tell customers that patching is extremely important and it does provide indicators of compromise (IoCs) associated with the observed attacks.
TrustedSec reported that mass exploitation started on May 28, with the attackers likely taking advantage of Memorial Day to increase their chances of being able to steal data without being detected. There is also some indication of limited exploitation prior to the holiday weekend.
GreyNoise reported seeing scanning activity that could be related to this vulnerability as early as March 3.
In the attacks observed in recent days, threat actors seem to have exploited the zero-day to deploy a webshell/backdoor in a file named ‘human2.aspx’ in the ‘wwwroot’ folder of the MOVEit software. This backdoor allows them to obtain a list of files and users associated with the MFT product, download files within MOVEit, and add a backdoor admin user.
Google-owned Mandiant has been investigating intrusions related to the zero-day attack and the company told SecurityWeek that it has seen “mass exploitation and broad data theft” in the past few days.
Major organizations appear to be impacted. It’s unclear exactly how many are affected, but a Shodan search shows roughly 2,500 internet-exposed instances of MOVEit Transfer, and the vendor says its products are used by hundreds of thousands of enterprises, including 1,700 software firms.
Researcher Kevin Beaumont pointed out that one of the exposed MOVEit instances appears to belong to the US Department of Homeland Security (DHS). The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an alert to warn organizations about the zero-day. A vast majority of the internet-exposed instances are indeed located in the United States.
The attackers appear to be using the exploit to steal potentially valuable data, which, as Beaumont noted, indicates that a ransomware or extortion group is behind the attacks.
If confirmed, this would be the second popular MFT product targeted by cybercriminals in recent months. A vulnerability affecting Fortra’s GoAnywhere software has been used by a ransomware group to steal data from many organizations.