The US Cybersecurity and Infrastructure Security Agency (CISA) added a Progress MOVEit Transfer SQL injection vulnerability, tracked as CVE-2023-34362, to its Known Exploited Vulnerabilities Catalog.
Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations.
MOVEit Transfer is a managed file transfer product that enterprises use to securely transfer files using SFTP, SCP, and HTTP-based uploads.
The vulnerability is a SQL injection flaw that can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.
“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”
The vulnerability affects all MOVEit Transfer versions; it doesn’t affect the cloud version of the product. The company also shared Indicators of Compromise (IoCs) for this attack and urges customers who notice any of the indicators to immediately contact its security and IT teams.
Multiple security firms are warning that the vulnerability has been actively exploited in the wild.
GreyNoise researchers have observed scanning activity for the login page of MOVEit Transfer, located at /human.aspx, as early as March 3rd, 2023. For this reason, the experts recommend that Progress customers review potentially malicious activity recorded in the last 90 days.
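The 90-day review of requests to /human.aspx recommended above can be scripted against web server logs. The following Python is an added example, not code from GreyNoise, Progress or CISA; it assumes IIS W3C extended logs with a #Fields header, and the sample log lines and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-02-01 08:00:00 198.51.100.7 GET /human.aspx 200
2023-03-03 10:15:02 203.0.113.9 GET /human.aspx 200
2023-03-03 10:15:04 203.0.113.9 GET /Human.aspx 200
2023-05-20 12:00:00 192.0.2.44 GET /favicon.ico 200
2023-05-28 02:11:40 203.0.113.9 POST /human.aspx 302
2023-05-30 09:30:00 198.51.100.23 GET /human.aspx 200
"""

def review_login_page_hits(log_text, as_of, days=90, path="/human.aspx"):
    """Summarise requests to `path` per client IP within the look-back window."""
    cutoff = as_of - timedelta(days=days)
    fields = []
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "methods": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                            # skip truncated or malformed rows
        row = dict(zip(fields, values))
        try:
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue
        if ts < cutoff or ts > as_of:
            continue
        if row.get("cs-uri-stem", "").lower() != path.lower():  # IIS paths are case-insensitive
            continue
        entry = hits[row.get("c-ip", "?")]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["methods"].add(row.get("cs-method", "?"))
    return dict(hits)

if __name__ == "__main__":
    for ip, e in sorted(review_login_page_hits(SAMPLE_LOG, datetime(2023, 6, 1)).items()):
        print(ip, e["count"], e["first"], e["last"], sorted(e["methods"]))
```

Sources that appear here are only candidates for follow-up; legitimate users also reach the login page, so compare the per-IP summary against known user and partner addresses.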
By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by June 23, 2023.
(SecurityAffairs – hacking, CISA)