A critical flaw in Progress Software's managed file transfer application MOVEit Transfer has been widely exploited in the wild to take over vulnerable systems.
The shortcoming, which has not yet been assigned a CVE identifier, is a severe SQL injection vulnerability that could lead to elevated privileges and potential unauthorized access to the environment.
“A SQL injection vulnerability has been discovered in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” the company said.
“Depending on the database engine used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that change or delete database elements.”
A patch for the bug has been made available by the Massachusetts-based company, which also owns Telerik, in the following versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
The development was first reported by BleepingComputer. According to Huntress and Rapid7, approximately 2,500 instances of MOVEit Transfer were exposed to the public internet as of May 31, 2023, most of them located in the U.S.
Successful exploitation attempts led to the deployment of a web shell, a file called “human2.aspx” in the “wwwroot” directory, created via a script with a random filename, to “exploit various data stored by the local MOVEit service.”
The web shell was also engineered to add a new admin user account session with the name “Health Check Service” in a possible attempt to avoid detection, an analysis of a series of attacks has disclosed.
Threat intelligence company GreyNoise said it “observed scan activity for the MOVEit Transfer login page located at /human.aspx as early as March 3, 2023,” adding that five different IP addresses had been detected “trying to locate a MOVEit installation location.”
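The indicators above (a dropped “human2.aspx” in “wwwroot”, and probes of the “/human.aspx” login page) lend themselves to a quick hunt. The script below is an added example and not code from Progress, Huntress, Rapid7 or GreyNoise: it walks a MOVEit “wwwroot” directory for the web shell file name and for any .aspx file modified after a deployment date the operator supplies, and it parses IIS W3C logs for requests to human2.aspx and for clients hitting the login page. The directory path, the cut-off date and the log lines are constructed for illustration.

```python
"""Hunt for the MOVEit Transfer web-shell indicators named in the article.

Two checks:
  1. Walk the MOVEit "wwwroot" directory for "human2.aspx" and for any other
     .aspx file whose modification time is newer than the last known-good
     deployment (the web shell was dropped by a script with a random name,
     so a fresh .aspx with an unexpected name is worth a look).
  2. Parse IIS W3C logs and report requests to human2.aspx, plus the set of
     client IPs probing the login page /human.aspx.

All paths, dates and log lines here are constructed for illustration.
"""
import os
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

WEB_SHELL_NAME = "human2.aspx"   # dropped file named in the reporting
LOGIN_PAGE = "/human.aspx"       # MOVEit Transfer login page that scanners probed


def find_suspicious_aspx(wwwroot: str, known_good_after: datetime) -> list[str]:
    """Return .aspx files that carry the web shell's name or were modified
    after the last trusted deployment. `known_good_after` is an assumed
    timestamp the operator takes from their own change records."""
    hits = []
    cutoff = known_good_after.timestamp()
    for root, _dirs, files in os.walk(wwwroot):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(root, name)
            if name.lower() == WEB_SHELL_NAME or os.path.getmtime(path) > cutoff:
                hits.append(path)
    return sorted(hits)


@dataclass
class LogFindings:
    web_shell_requests: list[dict] = field(default_factory=list)
    login_probes: dict[str, int] = field(default_factory=lambda: defaultdict(int))


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header.
    IIS replaces spaces inside a field (e.g. the User-Agent) with '+', so a
    whitespace split is safe."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, values))


def hunt_iis_log(lines) -> LogFindings:
    """Flag any request to human2.aspx and count GETs of the login page per client."""
    findings = LogFindings()
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        client = rec.get("c-ip", "?")
        if stem.endswith("/" + WEB_SHELL_NAME):
            findings.web_shell_requests.append(
                {"time": f"{rec['date']} {rec['time']}", "client": client,
                 "method": rec.get("cs-method"), "status": rec.get("sc-status")})
        elif stem == LOGIN_PAGE and rec.get("cs-method") == "GET":
            findings.login_probes[client] += 1
    return findings


# Constructed sample log (not a real capture); columns mirror IIS's W3C layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2023-05-27 03:12:41 10.0.0.5 GET /human.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 120
2023-05-27 03:12:55 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 95
2023-05-27 03:13:02 10.0.0.5 GET /human.aspx - 443 - 203.0.113.8 python-requests/2.31 200 80
2023-05-27 03:14:10 10.0.0.5 GET /human.aspx - 443 - 203.0.113.8 python-requests/2.31 200 82
2023-05-27 03:20:00 10.0.0.5 GET /HUMAN2.ASPX - 443 - 198.51.100.23 Mozilla/5.0 200 40
2023-05-27 03:21:00 10.0.0.5 GET /human.aspx - 443 alice 192.0.2.10 Mozilla/5.0 200 300
"""

if __name__ == "__main__":
    found = hunt_iis_log(SAMPLE_LOG.splitlines())
    for hit in found.web_shell_requests:
        print("WEB SHELL:", hit)
    for ip, n in sorted(found.login_probes.items()):
        print(f"login page probed {n}x from {ip}")
```

Run the log hunt against every IIS log file since March 2023, since GreyNoise saw probing months before the mass exploitation; a hit on human2.aspx is a compromise, whereas a long list of login-page probes only tells you who was looking. The file-system check is only as good as the deployment date you feed it, and the web-shell name is trivially changed by an attacker, so treat both as a starting point rather than a clean bill of health.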
“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores the worrying trend of threat actors targeting file transfer solutions,” said Satnam Narang, senior staff research engineer at Tenable.
These developments have prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning urging users and organizations to follow mitigation measures to safeguard against any malicious activity.
It is also recommended to isolate the server by blocking inbound and outbound traffic, check the environment for indicators of compromise (IoCs) such as the web shell and the rogue account session, and, if any are found, remove them before applying the fix.
“If it turns out to be a ransomware group again, it will be the second enterprise MFT zero day in a year, cl0p went wild with GoAnywhere recently,” security researcher Kevin Beaumont said.