Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations

A zero-day vulnerability in Progress Software’s MOVEit Transfer product has been exploited to hack organizations and steal their data.

Progress Software warned on May 31 that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability that can be exploited by an unauthenticated attacker to access MOVEit Transfer databases.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the vendor said. 

A CVE identifier is in the process of being assigned to the vulnerability. 

Progress’ advisory is confusing as it states that the company is working on patches, but it also lists updated versions that should fix the security hole. Patches should be included in versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). The cloud version of the product appears to be impacted as well.

The company’s advisory does not clearly state that the vulnerability has been exploited in the wild, but it does tell customers that patching is extremely important and it does provide indicators of compromise (IoCs) associated with the observed attacks.

Several cybersecurity firms have reported seeing attacks involving the MOVEit zero-day, including Huntress, Rapid7, TrustedSec, GreyNoise, and Volexity.

TrustedSec reported that mass exploitation started on May 28, with the attackers likely taking advantage of Memorial Day to increase their chances of being able to steal data without being detected. There is also some indication of limited exploitation prior to the holiday weekend. 

GreyNoise reported seeing scanning activity that could be related to this vulnerability as early as March 3. 

In the attacks observed in recent days, threat actors seem to have exploited the zero-day to deploy a webshell/backdoor in a file named ‘human2.aspx’ in the ‘wwwroot’ folder of the MOVEit software. This backdoor allows them to obtain a list of files and users associated with the MFT product, download files within MOVEit, and add a backdoor admin user.
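The two observable traces described above, an unexpected .aspx file in the MOVEit web root and requests to it in the IIS logs, are what a defender would hunt for first. The script below is an added example written for this page, not code from the article, Progress Software or any of the firms named here. It walks a web root and flags .aspx files that are either the reported ‘human2.aspx’ name or absent from a baseline allowlist, and it parses W3C-format IIS log lines to list requests for that file. The baseline file names, the sample log lines and the IP addresses are constructed for the example; a real baseline should be taken from a known-clean install of the same MOVEit version.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed baseline of .aspx files expected in the MOVEit Transfer web root.
# This set is an assumption for the example, not the vendor's manifest.
EXPECTED_ASPX = {"human.aspx", "machine.aspx", "guestaccess.aspx"}

# Webshell file name reported in the article.
KNOWN_WEBSHELL = "human2.aspx"


@dataclass
class Finding:
    name: str      # file name
    path: str      # full path on disk
    sha256: str    # hash to compare against published IoCs
    reason: str    # why it was flagged


def sha256_file(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(webroot, expected=EXPECTED_ASPX):
    """Return a Finding for every .aspx file under webroot that is not in the baseline."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            lower = name.lower()
            if not lower.endswith(".aspx"):
                continue
            full = os.path.join(dirpath, name)
            if lower == KNOWN_WEBSHELL:
                reason = "matches webshell name from public IoCs"
            elif lower not in expected:
                reason = "aspx file not in baseline"
            else:
                continue
            findings.append(Finding(name, full, sha256_file(full), reason))
    return findings


def parse_iis_log(lines):
    """Yield one dict per data row of a W3C extended log, keyed by the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_webshell_requests(lines, uri_name=KNOWN_WEBSHELL):
    """Return (date, time, client ip, method, status) for each request to the webshell path."""
    hits = []
    for row in parse_iis_log(lines):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith("/" + uri_name):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row.get("cs-method"), row.get("sc-status")))
    return hits


# Constructed IIS log excerpt; addresses are from documentation ranges.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 198.51.100.7 200
2023-05-28 03:14:12 10.0.0.5 GET /human2.aspx - 443 198.51.100.7 200
2023-05-28 03:15:40 10.0.0.5 GET /machine.aspx - 443 203.0.113.9 200
2023-05-28 03:16:02 10.0.0.5 POST /human2.aspx - 443 203.0.113.9 404
""".splitlines()


def build_demo_webroot():
    """Create a throwaway web root with a constructed layout: one baseline file, one rogue file."""
    root = tempfile.mkdtemp(prefix="moveit_wwwroot_")
    for name in ("human.aspx", "human2.aspx"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"<!-- placeholder content for the example, not a real page -->")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_demo_webroot()):
        print(f"{finding.path}  {finding.sha256}  ({finding.reason})")
    for hit in find_webshell_requests(SAMPLE_IIS_LOG):
        print("request:", *hit)
```

On a real host, point scan_webroot at the MOVEit wwwroot directory and feed find_webshell_requests the IIS log files for the relevant site; the hash in each Finding can be compared against the IoCs in the vendor advisory, and 404 responses are worth keeping, since they can show probing before the file was dropped or after it was removed.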

Google-owned Mandiant has been investigating intrusions related to the zero-day attack and the company told SecurityWeek that it has seen “mass exploitation and broad data theft” in the past few days. 

Major organizations appear to be impacted. It’s unclear exactly how many are affected, but a Shodan search shows roughly 2,500 internet-exposed instances of MOVEit Transfer, and the vendor says its products are used by hundreds of thousands of enterprises, including 1,700 software firms.

Researcher Kevin Beaumont pointed out that one of the exposed MOVEit instances appears to belong to the US Department of Homeland Security (DHS). The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an alert to warn organizations about the zero-day. The vast majority of the internet-exposed instances are indeed located in the United States. 

The attackers appear to be using the exploit to steal potentially valuable data, which, as Beaumont noted, indicates that a ransomware or extortion group is behind the attacks. 

If confirmed, this would be the second popular MFT product targeted by cybercriminals in recent months. A vulnerability affecting Fortra’s GoAnywhere software has been used by a ransomware group to steal data from many organizations.

Related: GoAnywhere Zero-Day Attack Hits Major Orgs  

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
