The US Department of Energy and other federal bodies are among a growing list of organizations hit by Russians exploiting the MOVEit file-transfer vulnerability. Many orgs, including the US government, have been hit via this flaw, with Clop blamed for this mass exploitation.
"Disable HTTP and HTTPS traffic to MOVEit Transfer," says Progress Software, and the timeframe for doing so is "Immediately", no ifs, no buts. Progress Software is the maker of file-sharing software MOVEit Transfer, and the hosted MOVEit Cloud alternative that's based on it, and this is its third warning in three weeks about hackable vulnerabilities in its product.
Progress warned MOVEit Transfer customers to restrict all HTTP access to their environments after info on a new SQL injection vulnerability was shared online today. "Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment," Progress said.
The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the company's names on a data leak site-an often-employed tactic before public disclosure of stolen information. The Clop gang took responsibility for the attacks, claiming to have breached "Hundreds of companies" and warning that their names would be added to a data leak site on June 14th if negotiations did not occur.
As more victim organizations of Cl0p gang's MOVEit rampage continue popping up, security researchers have released a PoC exploit for CVE-2023-34362, the RCE vulnerability exploited by the Cl0p cyber extortion group to plunder confidential data. Rapid7 has released an analysis of the vulnerability and a full exploit chain for CVE-2023-34362.
Two more organizations hit in the mass exploitation of the MOVEit file-transfer tool have been named - the Minnesota Department of Education in the US, and the UK's telco regulator Ofcom - just days after security researchers discovered additional flaws in Progress Software's buggy suite. Ofcom disclosed this week it is among the businesses and public bodies that have had their internal data stolen by crooks exploiting a MOVEit flaw.
Horizon3 security researchers have released proof-of-concept exploit code for a remote code execution bug in the MOVEit Transfer managed file transfer solution abused by the Clop ransomware gang in data theft attacks. With the release of this RCE PoC exploit, more threat actors will likely move quickly to deploy it in attacks or create their own custom versions to target any unpatched servers left exposed to Internet access.
Progress Software customers who use the MOVEit Transfer managed file transfer solution might not want to hear it, but they should quickly patch their on-prem installations again: With the help of researchers from Huntress, the company has uncovered additional SQL injection vulnerabilities that could potentially be used by unauthenticated attackers to grab data from the web application's database. "The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited," the company said, and confirmed that they've "Deployed a new patch to all MOVEit Cloud clusters to address the new vulnerabilities."
Infosec in brief Security firms helping Progress Software dissect the fallout from a ransomware attack against its MOVEit file transfer suite have discovered more issues that the company said could be used to stage additional exploits. The newly discovered exploits are distinct from the issue reported earlier, and as such another patch for MOVEit Transfer and MOVEit Cloud have been issued to fix this latest discovered bug.
Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database," the company said in an advisory released on June 9, 2023.