Alex - stock.adobe.com
Zero-day vulnerability in MoveIt Transfer under attack
Rapid7 observed exploitation of a SQL injection vulnerability in Progress Software's managed file transfer product, which was disclosed this week but has not been patched.
A critical vulnerability in Progress Software's MoveIt Transfer is under exploitation, according to a report from Rapid7.
The zero-day vulnerability, which Progress disclosed Wednesday, is a SQL injection flaw that could lead to escalated privileges and potential unauthorized access in the managed file transfer (MFT) product. Currently, there is no patch available for the flaw, and it has not been assigned a CVE.
UPDATE: A Progress Software spokesperson said a patch was made available to all affected version of MoveIt transfer. The vulnerability is tracked as CVE-2023-34362.
UPDATE 6/9: Progress Software issued an advisory Friday stating additional vulnerabilities in MoveIT Transfer were discovered during code reviews for CVE-2023-34362. "As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit," the advisory said. "These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023." Progress released a new patch for the new flaws, which are "multiple SQL injection vulnerabilities" in the MOVEit Transfer web application. The vulnerabilities do not have an assigned CVE yet.
Progress' advisory did not note any exploitation activity. However, in a blog post Thursday morning, Rapid7 said it is currently observing active exploitation of the flaw.
"We have observed an uptick in related cases since the vulnerability was disclosed publicly yesterday (May 31, 2023); file transfer solutions have been popular targets for attackers, including ransomware groups, in recent years," wrote Caitlin Condon, vulnerability research manager at Rapid7. "We strongly recommend that MoveIt Transfer customers prioritize mitigation on an emergency basis."
Condon's post referenced the attacks on Fortra's GoAnywhere MFT software earlier this year. The attacks on GoAnywhere began in late January with zero-day exploitation of a remote code injection flaw, CVE-2023-0669, and continued into February. Many of the attacks appeared to be the work of the Clop and LockBit ransomware gangs.
It's unclear what threat actors are behind the attacks on the MoveIt Transfer zero-day. Condon wrote that Rapid7 discovered the same web shell in several customer environments, which she said indicates a possible automated exploit. She also noted that there are approximately 2,500 MoveIt Transfer instances exposed to the public internet, with the majority of them being located in the U.S.
In its advisory, Progress urged MoveIt Transfer customers to take "immediate action" by implementing temporary mitigation while the vendor completes work on a patch. The vendor urged customers to immediately disable all HTTP and HTTPS traffic to their MoveIt Transfer instances and to check for potential indicators of compromise over the last 30 days, such as the creation of "unexpected files" or any large file downloads.
Rob Wright is a longtime technology reporter who lives in the Boston area.