Progress Software, developer of the MOVEit Transfer application, has released patches to address a new SQL injection vulnerability affecting its file transfer solution that allows the theft of sensitive information.
“Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application, which could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” the company said in an advisory released on June 9, 2023.
“An attacker could send a specially crafted payload to the MOVEit Transfer application endpoint, resulting in the modification and disclosure of the contents of the MOVEit database.”
The flaw, which affects all versions of the service, is resolved in MOVEit Transfer versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All MOVEit Cloud instances have been fully patched.
Cybersecurity firm Huntress has been credited with discovering and reporting the vulnerabilities as part of a code review. Progress Software said it has not observed any indication that the newly discovered flaw is being exploited in the wild.
This development comes after the previously reported MOVEit Transfer vulnerability (CVE-2023-34362) was extensively exploited to drop a web shell onto the targeted system.
The activity is attributed to the notorious Cl0p ransomware gang, which has been organizing data theft campaigns and exploiting zero-day bugs in various managed file transfer platforms since December 2020.
Kroll, an enterprise research and risk consulting firm, found evidence that the cybercrime gang had been experimenting with ways to exploit CVE-2023-34362 as far back as July 2021, and that it had devised a way to extract data from compromised MOVEit servers since at least April 2022.
Much of the malicious reconnaissance and testing activity in July 2021 is said to have been manual in nature, before the group switched in April 2022 to automated mechanisms to investigate and gather information from multiple organizations.
“The Clop threat actor appears to have completed the MOVEit Transfer exploit at the time of the GoAnywhere event and chose to execute the attack sequentially rather than in parallel,” the company said. “These findings highlight significant planning and preparation that presumably precedes large-scale exploitation events.”
Cl0p actors have also issued extortion notices to affected companies, telling them to contact the group by June 14, 2023, or have the stolen information published on a data exfiltration site.