Exploiting a zero-day Vulnerability, hackers have targeted organizations and conducted data theft by exploiting Progress Software’s Moveit Transfer.
On May 31, Progress Software issued a warning stating that its managed file transfer (MFT) software, Moveit Transfer, is susceptible to a critical SQL injection vulnerability. This vulnerability enables unauthorized attackers to access MOVEit Transfer databases without authentication.
The severity of the attack varies depending on the database engine employed (MySQL, Microsoft SQL Server, or Azure SQL). In some cases, attackers can extract database structure and content information and execute SQL statements to modify or delete database elements.
Progress Software Security Advisory
Progress Software has released an advisory regarding a potential security vulnerability in their MOVEit Transfer. The advisory, however, contains some ambiguity as it mentions both the development of patches and the availability of updated versions that address the security issue. The recommended patches are included in versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). The cloud version of the product is also believed to be affected.
While the advisory does not explicitly state that the vulnerability has been exploited in the wild, customers are strongly urged to apply the patches promptly. Additionally, indicators of compromise (IoCs) associated with the observed attacks are provided to assist customers in identifying potential breaches.
Several cybersecurity firms, including Huntress, Rapid7, TrustedSec, GreyNoise, and Volexity, have reported attacks involving the MOVEit zero-day vulnerability.
TrustedSec has reported that a wave of mass exploitation targeting the vulnerability began on May 28. The timing of the attacks around the Memorial Day weekend was likely a strategic move by the threat actors to maximize their chances of unauthorized data theft while avoiding detection. There are indications of limited exploitation even before the holiday weekend.
GreyNoise has detected scanning activities related to this vulnerability as early as March 3, suggesting that the attackers had been probing for potential targets for some time.
In the recent attacks, the adversaries have leveraged the zero-day vulnerability to implant a webshell/backdoor named ‘human2.aspx’ in the ‘wwwroot’ directory of the MOVEit software. This backdoor enables them to retrieve a list of files and users associated with the MOVEit product, download files stored within MOVEit, and create a backdoor, administrative user account.
Mandiant Reports Mass Exploitation
Mandiant, a subsidiary of Google, has been actively investigating the zero-day attack and has reported “mass exploitation and extensive data theft” occurring recently.
While the exact number of affected organizations remains unclear, a Shodan search reveals approximately 2,500 publicly accessible instances of MOVEit Transfer.
Given that MOVEit Transfer is utilized by hundreds of thousands of enterprises, including 1,700 software firms, it is evident that major organizations are among those impacted.
Security researcher Kevin Beaumont discovered that one of the publicly accessible MOVEit instances belongs to the US Department of Homeland Security (DHS).
In response, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to notify organizations about the zero-day vulnerability. The majority of the exposed instances are located in the United States.
These attackers specifically target valuable data, leading to suspicions that a ransomware or extortion group is orchestrating the attacks. If confirmed, this would mark the second instance of cybercriminals targeting a popular Managed File Transfer (MFT) product, following the recent exploitation of a vulnerability in Fortra’s GoAnywhere software by a ransomware group for data theft.
