A critical vulnerability has emerged in Progress Software’s MOVEit Transfer, a managed file transfer application, resulting in extensive exploitation and system takeovers. This flaw, labeled with the CVE identifier CVE-2023-34362, concerns a significant SQL injection vulnerability that could facilitate privilege escalation and unauthorized access within affected environments.

According to statements from the company, “An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” Depending on the database system in use—whether MySQL, Microsoft SQL Server, or Azure SQL—attackers might not only discern the structure and contents of the database but could also execute SQL commands that may modify or erase database components.

Progress Software has released patches for this vulnerability in various versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). These updates aim to mitigate the risks associated with the identified flaw.

The issue was initially reported by Bleeping Computer. Research from Huntress and Rapid7 revealed that around 2,500 MOVEit Transfer instances were publicly accessible as of May 31, 2023, predominantly in the U.S.

Successful exploitation attempts can result in the installation of a web shell, specifically a script-generated file named “human2.aspx” located in the “wwwroot” directory, used for extracting various data stored within the local MOVEit service. This web shell is reportedly equipped to create new administrative user account sessions under the alias “Health Check Service” to potentially evade detection, a tactic highlighted in analysis of the attack chain.

Threat intelligence firm GreyNoise has recorded scanning activities targeting MOVEit Transfer’s login portal located at /human.aspx, commencing as early as March 3, 2023. Five distinct IP addresses were identified as trying to locate MOVEit installations. While the specific group behind these zero-day attacks remains unidentified, experts point to a concerning trend wherein cybercriminals are increasingly focusing on file transfer solutions, as noted by Satnam Narang, a senior research engineer at Tenable.

In response to this significant cybersecurity threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging organizations to adopt immediate remedial actions to counteract potential malicious activities. This includes isolating servers by blocking unnecessary traffic and investigating environments for indicators of compromise (IoCs) prior to implementing the patches.
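The indicators named above (a file called human2.aspx under wwwroot, requests to that path, and an account created under the name "Health Check Service") can be swept for before patching, as CISA advises. The following script is an added example written for this page, not code from Progress, CISA, Huntress, Rapid7 or Mandiant. It assumes an IIS-style web log and a MOVEit audit export in the simple space-separated form shown in the constructed sample data; real log layouts will differ, so the line parsers are the part to adapt.

```python
"""Pre-patch IoC sweep for the MOVEit Transfer indicators described in the article.

Indicators used (all from the article): the web shell file name "human2.aspx",
its location under "wwwroot", and the rogue account name "Health Check Service".
Log formats below are assumptions for the example, not MOVEit's actual formats.
"""
import os
import re
import tempfile
from pathlib import Path

WEBSHELL_NAME = "human2.aspx"          # file name reported in the article
WEBSHELL_DIR = "wwwroot"               # directory reported in the article
ROGUE_ACCOUNT = "Health Check Service" # account name reported in the article

# Constructed sample web-server log (hypothetical, not from a real incident).
# Assumed layout: date time method uri status
SAMPLE_WEB_LOG = """\
2023-05-30 01:12:03 GET /human.aspx 200
2023-05-30 01:12:09 POST /human2.aspx 200
2023-05-30 01:13:44 GET /api/v1/folders 200
2023-05-30 01:15:02 POST /human.aspx 302
"""

# Constructed sample audit export (hypothetical). Assumed layout: date time event fields
SAMPLE_AUDIT_LOG = """\
2023-05-30 01:12:15 user_created name="Health Check Service" role=admin
2023-05-30 01:20:00 login user="jsmith"
"""


def find_webshell_files(root):
    """Return every path under `root` whose file name matches the known web shell name.

    The comparison is case-insensitive because IIS paths are case-insensitive.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == WEBSHELL_NAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan_web_log(text):
    """Return log lines whose request URI is the web shell path (/human2.aspx).

    The pattern anchors on the path segment so the legitimate /human.aspx
    login portal does not produce false positives.
    """
    pattern = re.compile(r"\s/" + re.escape(WEBSHELL_NAME) + r"(?=[\s?]|$)", re.IGNORECASE)
    return [line for line in text.splitlines() if pattern.search(line)]


def scan_audit_log(text):
    """Return audit lines that mention the rogue account name."""
    needle = ROGUE_ACCOUNT.lower()
    return [line for line in text.splitlines() if needle in line.lower()]


def run_sweep(wwwroot, web_log_text, audit_log_text):
    """Combine the three checks into one report dict; empty lists mean no hit."""
    return {
        "webshell_files": find_webshell_files(wwwroot),
        "web_log_hits": scan_web_log(web_log_text),
        "audit_hits": scan_audit_log(audit_log_text),
    }


def build_sample_tree():
    """Create a throwaway wwwroot containing a harmless file named like the web shell.

    The planted file holds only an HTML comment; it exists so the directory
    walk has something to find when the example is run offline.
    """
    base = Path(tempfile.mkdtemp())
    www = base / WEBSHELL_DIR
    www.mkdir()
    (www / "human.aspx").write_text("<!-- placeholder for the legitimate login page -->")
    (www / WEBSHELL_NAME).write_text("<!-- constructed test marker, no code -->")
    return str(www)


if __name__ == "__main__":
    report = run_sweep(build_sample_tree(), SAMPLE_WEB_LOG, SAMPLE_AUDIT_LOG)
    for check, hits in report.items():
        print(f"{check}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On a real server, point `run_sweep` at the MOVEit site's actual wwwroot and feed it the IIS logs and audit export; a hit on any of the three checks is a reason to treat the host as compromised and preserve evidence before applying the vendor patch.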

If opportunistic ransomware groups are involved, this incident could mark the second occurrence within a year targeting enterprise-managed file transfer solutions, akin to the recent exploitation of GoAnywhere by the cl0p group. CISA has subsequently included the SQL injection vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, advising all federal agencies to apply the necessary vendor patches by June 23, 2023.

Mandiant, tracking the activity under the placeholder UNC4857, has observed that these attacks are indiscriminately targeting a diverse array of sectors across nations including Canada, India, the U.S., Italy, Pakistan, and Germany. It noted incidents where extensive data had been extracted from victims’ MOVEit Transfer systems, with the web shell dubbed LEMURLOOT also capable of pilfering Azure Storage Blob information.

While the precise motivations driving this broad-spectrum exploitation are yet to be determined, cybersecurity experts indicate that the potential monetization of stolen data via extortion is a likely objective. This recent surge in targeting enterprise file transfer systems underscores the ongoing vulnerabilities and risks faced by organizations as they navigate the complex landscape of cybersecurity.

(This article has been updated to include the CVE identifier and the addition of the vulnerability to the KEV catalog.)
