MOVEit Transfer under attack by zero-day exploit
Security researchers at Rapid7 have observed threat actors exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer, a managed file transfer product widely used by enterprises. The attackers are abusing a SQL injection flaw, tracked as CVE-2023-34362, in the product’s web application to gain unauthorized access to the MOVEit Transfer database.
The flaw requires no authentication: an attacker who can reach the web application can reach the database behind it and, depending on the database engine in use, infer its structure and contents or execute SQL statements that modify or delete database elements. Progress Software confirmed this in an advisory stating, “a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.”
The vulnerability affects all versions of MOVEit Transfer. MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely are not affected.
Rapid7 researchers reported finding a webshell named “human2.aspx” in the wwwroot folder of compromised systems; the same filename turning up across multiple victims suggests automated exploitation. The name mimics human.aspx, a legitimate file of MOVEit Transfer’s web interface, so the webshell blends in with the files that belong there. It is also password-protected: requests that do not present the expected password receive a 404 Not Found response, making the webshell look like a missing page to anyone who probes it. For defenders this means an external request for /human2.aspx that returns 404 does not prove the file is absent; the filesystem and web server logs should be checked directly.
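The following is an added detection example, not code from the original article, Rapid7 or Progress Software. It performs the two checks implied above: listing .aspx files in wwwroot that are not on a known-good baseline, and pulling IIS W3C log entries that request an .aspx path outside that baseline, without filtering on status code, because a 404 for /human2.aspx is exactly what the webshell returns to a request without the right password. It assumes IIS W3C extended log format, a constructed log sample (not real telemetry), and a baseline set that contains only human.aspx; the real baseline should be taken from a clean install of your own MOVEit Transfer version.

```python
"""Hunt for the human2.aspx webshell in a MOVEit Transfer deployment.

Two checks: (1) any .aspx in the IIS wwwroot that is not on a known-good
baseline, and (2) IIS W3C log entries that request an .aspx path not on that
baseline. The log sample below is constructed for this example.
"""
import os
from typing import Dict, Iterable, List

# Baseline of ASPX pages expected directly in wwwroot. ASSUMPTION: only
# human.aspx, the legitimate page the webshell name imitates, is listed here;
# build the full list from a clean install of your own MOVEit Transfer version.
KNOWN_ASPX = {"human.aspx"}

# Constructed IIS W3C extended-format log lines (not real telemetry).
# User-Agent values are single tokens because IIS replaces spaces with '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0
2023-05-28 03:14:09 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0
2023-05-28 03:15:00 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.9 curl/8.0.1 404 0 0
2023-05-28 03:16:30 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0
"""


def unexpected_aspx(names: Iterable[str], baseline: Iterable[str] = KNOWN_ASPX) -> List[str]:
    """Return .aspx file names not on the baseline. Comparison is
    case-insensitive because IIS serves Human2.aspx and human2.aspx alike."""
    allowed = {n.lower() for n in baseline}
    return sorted(n for n in names
                  if n.lower().endswith(".aspx") and n.lower() not in allowed)


def scan_wwwroot(wwwroot: str, baseline: Iterable[str] = KNOWN_ASPX) -> List[str]:
    """Apply unexpected_aspx to the top level of a wwwroot directory, which is
    where the webshell was reported to be dropped."""
    return unexpected_aspx(os.listdir(wwwroot), baseline)


def parse_iis_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields
    directive; other directives and malformed lines are skipped."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def suspicious_requests(lines: Iterable[str], baseline: Iterable[str] = KNOWN_ASPX) -> List[Dict[str, str]]:
    """Return log entries whose URI stem is an .aspx not on the baseline.

    The status code is deliberately NOT used as a filter: the webshell answers
    404 to requests without the right password, so a 404 for /human2.aspx is
    still evidence that the file exists and was probed."""
    allowed = {n.lower() for n in baseline}
    hits = []
    for entry in parse_iis_w3c(lines):
        stem = entry.get("cs-uri-stem", "").lower()
        if stem.endswith(".aspx") and os.path.basename(stem) not in allowed:
            hits.append(entry)
    return hits


def requests_by_ip(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count suspicious requests per client IP, to feed into blocking and IR."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["c-ip"]] = counts.get(h["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_IIS_LOG.splitlines())
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
    print(requests_by_ip(hits))
```

On a real host, point scan_wwwroot at the MOVEit Transfer wwwroot and feed suspicious_requests the IIS logs for the exposure window; any hit, whether it returned 200 or 404, should be treated as an indicator to escalate rather than something to explain away.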
According to Rapid7, more than 2,500 MOVEit Transfer instances were exposed to the public internet as of May 31, with the largest concentration in the United States. Progress Software has published Indicators of Compromise (IoCs) for the attack and urges customers who detect any suspicious activity to contact their security and IT teams immediately.
The sources for this piece include an article in SecurityAffairs.