Progress Software, the company behind the MOVEit Transfer application, has released a patch to address a new set of SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information.
“Several SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” the company said in an advisory released on June 9, 2023.
“Attackers could deliver artificial payloads to the MOVEit Transfer application endpoints which could result in modification and disclosure of MOVEit database contents.”
The flaw, which affects all versions of the service, has been addressed in MOVEit Transfer versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All MOVEit Cloud instances have been fully patched.
Cybersecurity company Huntress has been credited with finding and reporting the vulnerabilities as part of a code review. Progress Software says it hasn’t observed any indication of the newly discovered weakness being exploited in the wild.
The development comes as the previously reported MOVEit Transfer vulnerability (CVE-2023-34362) has come under mass exploitation to drop a web shell on targeted systems.
The activity is linked to the infamous Cl0p ransomware gang, which has a track record of orchestrating data theft campaigns and exploiting zero-day bugs on various managed file transfer platforms since December 2020.
Investigation and risk consulting firm Kroll also found evidence that cybercrime gangs have been experimenting with exploiting CVE-2023-34362 since July 2021, as well as devising methods to extract data from compromised MOVEit servers since at least April 2022.
Most malicious reconnaissance and testing activity in July 2021 was said to be manual, before switching to automated mechanisms in April 2022 to investigate organizations and gather information.
“It appears that the Clop threat actor completed the MOVEit Transfer exploit during the GoAnywhere event and chose to execute the attacks sequentially, rather than in parallel,” the company said. “These findings highlight the significant planning and preparation that likely preceded mass exploitation events.”
The Cl0p actors have also issued extortion notices to affected companies, urging them to contact the group by June 14, 2023, or risk having their stolen information published on the gang’s data leak site.