Progress Software has alerted customers to critical SQL injection vulnerabilities identified in its MOVEit Transfer managed file transfer (MFT) solution. These security flaws could allow attackers to access and steal information from customer databases. The vulnerabilities were uncovered with assistance from cybersecurity firm Huntress, following detailed code reviews initiated by Progress on May 31. This came after the company addressed a flaw that was exploited as a zero-day by the Clop ransomware gang in data theft attacks. The newly discovered vulnerabilities affect all versions of MOVEit Transfer and can enable unauthenticated attackers to compromise internet-exposed servers, altering or extracting customer information.
In an advisory published by Progress, the company states, "An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content." A patch was released on June 9, 2023, and all MOVEit Transfer customers are urged to apply it. Progress also mentioned that they have not yet seen indications that the newly discovered vulnerabilities have been exploited, but the investigation is ongoing.
According to the company, all MOVEit Cloud clusters have already been patched against the new vulnerabilities, securing them against potential attack attempts. The Clop ransomware gang claimed responsibility for exploiting the CVE-2023-34362 MOVEit Transfer zero-day in a message sent over the weekend, which led to a series of data-theft attacks allegedly affecting "hundreds of companies." The credibility of the claim remains uncertain, but it aligns with findings from Microsoft, which attributed the campaign to the hacking group it tracks as Lace Tempest, whose activity overlaps with TA505 and FIN11.
Kroll security experts also found evidence that Clop had been searching for ways to exploit the now-patched MOVEit zero-day since 2021 and had been testing methods to extract data from compromised MOVEit servers since at least April 2022. The Clop cybercriminal group has a history of orchestrating data theft campaigns and exploiting vulnerabilities in various managed file transfer platforms, including the zero-day breach of Accellion FTA servers in December 2020, the 2021 attacks on SolarWinds Serv-U Managed File Transfer, and the widespread exploitation of a GoAnywhere MFT zero-day in January 2023.
Following the disclosure of Clop's MOVEit data theft attacks, affected organizations have started to acknowledge data breaches and security incidents. For example, UK-based payroll and HR solutions provider Zellis disclosed that it suffered a data breach as a result of these attacks, which could potentially impact some of its customers. Among the affected customers are British Airways (the UK's flag carrier), Aer Lingus (the Irish flag carrier), and the Minnesota Department of Education. Clop has also recently threatened impacted organizations, urging them to initiate ransom negotiations to prevent the public leak of their data.