MOVEit

Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution that can let attackers steal information from customers' databases.

These security bugs (collectively tracked as CVE-2023-35036) were discovered with the help of cybersecurity firm Huntress following detailed code reviews initiated by Progress on May 31, when it addressed a flaw exploited as a zero-day by the Clop ransomware gang in data theft attacks.

They affect all MOVEit Transfer versions and enable unauthenticated attackers to compromise Internet-exposed servers to alter or extract customer information.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.

"All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company added.

The company says that all MOVEit Cloud clusters have already been patched against these new vulnerabilities to secure them against potential attack attempts.

Below you can find the current list of MOVEit Transfer versions that have a patch available for these new vulnerabilities:

Affected Version  Fixed Version (full installer)  Documentation 
MOVEit Transfer 2023.0.x (15.0.x)  MOVEit Transfer 2023.0.2  MOVEit 2023 Upgrade Documentation 
MOVEit Transfer 2022.1.x (14.1.x)  MOVEit Transfer 2022.1.6  MOVEit 2022 Upgrade Documentation 
MOVEit Transfer 2022.0.x (14.0.x)  MOVEit Transfer 2022.0.5 
MOVEit Transfer 2021.1.x (13.1.x)  MOVEit Transfer 2021.1.5  MOVEit 2021 Upgrade Documentation 
MOVEit Transfer 2021.0.x (13.0.x)  MOVEit Transfer 2021.0.7 
MOVEit Transfer 2020.1.x (12.1)  Special Patch Available  See KB Vulnerability (May 2023) Fix for MOVEit Transfer 2020.1 (12.1)
MOVEit Transfer 2020.0.x (12.0) or older  MUST upgrade to a supported version  See MOVEit Transfer Upgrade and Migration Guide 

MOVEit zero-day in Clop's hands since 2021

The Clop ransomware gang has claimed responsibility for targeting the CVE-2023-34362 MOVEit Transfer zero-day in a message sent to Bleepingomputer over the weekend, which led to a series of data-theft attacks that have allegedly affected "hundreds of companies." 

While the credibility of their statements remains uncertain, the group's admission aligns with findings from Microsoft, which linked this campaign to the hacking group it tracks as Lace Tempest, which overlaps with TA505 and FIN11 activity.

Kroll security experts also found evidence that Clop has been looking for ways to exploit the now-patched MOVEit zero-day since 2021, as well as methods to extract data from compromised MOVEit servers since at least April 2022.

The Clop cybercriminal group has a history of orchestrating data theft campaigns and exploiting vulnerabilities in various managed file transfer platforms. 

These exploits encompassed the zero-day breach of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, and the widespread exploitation of a GoAnywhere MFT zero-day in January 2023.

Since Clop's MOVEit data theft attacks have been disclosed, affected organizations have slowly started coming forward to acknowledge data breaches and security incidents. 

For instance, UK-based provider of payroll and HR solutions Zellis told BleepingComputer that it suffered a data breach due to these attacks, an incident that could likely impact some of its customers.

Some of its affected customers include British Airways (the UK's flag carrier), Aer Lingus (the Irish flag carrier), and the Minnesota Department of Education.

To further escalate the situation, Clop has recently threatened impacted organizations, urging them to initiate ransom negotiations to prevent the public leak of their data.

Related Articles:

Hackers steal data of 2 million in SQL injection, XSS attacks

Apple fixes two new iOS zero-days exploited in attacks on iPhones

Anycubic 3D printers hacked worldwide to expose security flaw

Rhysida ransomware wants $3.6 million for children’s stolen data

Lazarus hackers exploited Windows zero-day to gain Kernel privileges