Apurva Venkat
Special Correspondent

MOVEit Transfer vulnerability appears to be exploited widely

News
Jun 02, 2023 | 4 mins
Vulnerabilities | Zero-day vulnerability

A SQL injection vulnerability has been found in the MOVEit Transfer web application, allowing an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.


Progress Software has discovered a vulnerability in its file transfer software MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment, the company said in a security advisory. 

“A SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database,” the company said in the post, adding that depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. 

MOVEit Transfer is designed to allow enterprises to transfer files between business partners and customers securely. 

“All MOVEit Transfer versions are affected by this vulnerability,” Progress said in the advisory. The company has made patches available for versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). 

The vulnerability is yet to be assigned a CVE identifier and a CVSS score.

The vulnerability has been exploited

Several cybersecurity firms have reported that threat actors have likely already exploited the vulnerability. “Progress Software is advising MOVEit customers to check for indicators of unauthorized access over at least the past 30 days, which implies that attacker activity was detected before the vulnerability was disclosed,” Rapid7 said in a blog post.

As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the US, Rapid7 said in the blog. The firm has identified the same web shell name in multiple customer environments, which may indicate automated exploitation. 

The web shell first checks whether an inbound request carries a header named X-siLock-Comment, and returns a 404 "Not Found" error unless that header holds a specific password-like value, so casual requests to the file look like a missing page.

“As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface),” Rapid7 said in the blog. 
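The following is an added example of how a defender could sweep a MOVEit Transfer host for the two indicators described above; it is not code from Progress, Rapid7, or this article. It assumes the default install path `C:\MOVEitTransfer\wwwroot` and the default IIS W3C log location, both of which should be adjusted for the environment, and it uses the 90-day lookback window suggested later in the article.

```powershell
# Added example, not code from Progress, Rapid7 or this article.
# Sweeps a MOVEit Transfer host for the indicators named in the text:
#   - human2.aspx dropped in the wwwroot folder next to the legitimate human.aspx
#   - any other recently created .aspx file under wwwroot
#   - web requests that reached human2.aspx, from IIS W3C logs
# Assumptions (adjust for your environment): default install and IIS log paths below.
$MoveItRoot = 'C:\MOVEitTransfer\wwwroot'             # assumed default MOVEit web root
$IisLogs    = 'C:\inetpub\logs\LogFiles\W3SVC*\*.log'  # assumed default IIS log path
$Lookback   = (Get-Date).AddDays(-90)                  # 90-day window per GreyNoise's advice

# 1. The web shell file name reported by Rapid7
$shell = Join-Path $MoveItRoot 'human2.aspx'
if (Test-Path $shell) {
    $f = Get-Item $shell
    Write-Warning ("IOC: {0} present, created {1:u}, {2} bytes" -f $f.FullName, $f.CreationTimeUtc, $f.Length)
}

# 2. Any other .aspx created inside the window. human.aspx is the only page the article
#    names as native; treat everything else as suspect and diff against a clean install
#    before deleting anything, so you do not remove a legitimate file.
Get-ChildItem -Path $MoveItRoot -Filter '*.aspx' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'human.aspx' -and $_.CreationTimeUtc -ge $Lookback } |
    Select-Object FullName, CreationTimeUtc, Length |
    Format-Table -AutoSize

# 3. Requests that hit the shell. The X-siLock-Comment header is not written to W3C logs
#    by default, so match on the URI: any request for human2.aspx is itself an indicator,
#    and its c-ip / date fields give you the source and timeline for the incident record.
Select-String -Path $IisLogs -Pattern 'human2\.aspx' -ErrorAction SilentlyContinue |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize
```

Run this from an elevated session on each MOVEit Transfer server; a hit in step 1 or 3 should be treated as confirmed access, not merely as a file to delete, and the host isolated and imaged before any cleanup.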

Users advised to review activity for the last 90 days

Cybersecurity firm GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023.

“While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as ‘Malicious’ by GreyNoise for prior activities,” the company said in a blog post, adding that based on the scanning activity observed, it is recommended that users of MOVEit Transfer extend the time window for their review of potentially malicious activity to at least 90 days. 

Similarly, TrustedSec also noted that the backdoors have been uploaded to public sites since May 28, 2023, “meaning the attackers likely took advantage of the Memorial Day holiday weekend to gain access to systems. There have also been reports of data exfiltration from affected victims,” TrustedSec said in a blog post.

Mitigation recommendations

Progress advises users to deny all HTTP (TCP/80) and HTTPS (TCP/443) traffic to the MOVEit environment. Note that this blocks all web access to the system, including its web interface, but SFTP/FTP, which currently appear unaffected, will continue to work.

The company also advises isolating the servers by blocking inbound and outbound traffic, inspecting the environments for possible indicators of compromise, and removing any that are found before applying the fixes.
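As an added example, not code from Progress or this article, the interim mitigation described above can be applied on the MOVEit Transfer host itself with Windows Firewall rules; the rule display names are arbitrary choices made here, and the optional full-isolation step is shown commented out because it also cuts off remote administration of the server.

```powershell
# Added example, not code from Progress or this article. Run in an elevated session
# on the MOVEit Transfer server. Blocks the vulnerable web interface (TCP/80, TCP/443)
# while leaving SFTP/FTP, which the advisory says are unaffected, reachable.
# Rule names below are arbitrary (chosen here), not anything MOVEit defines.
New-NetFirewallRule -DisplayName 'MOVEit emergency: block HTTP' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block -Profile Any

New-NetFirewallRule -DisplayName 'MOVEit emergency: block HTTPS' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Block -Profile Any

# Optional full isolation, per the advisory's "block inbound and outbound traffic".
# This also severs RDP/WinRM and any management agents, so do it from the console or
# via out-of-band access only:
# Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Verify the emergency rules exist, are enabled, and carry the expected ports
Get-NetFirewallRule -DisplayName 'MOVEit emergency*' |
    Where-Object { $_.Enabled -eq 'True' } |
    Get-NetFirewallPortFilter |
    Select-Object LocalPort, Protocol

# Roll back only after the patch is applied and the IOC sweep is clean:
# Remove-NetFirewallRule -DisplayName 'MOVEit emergency*'
```

Block rules take precedence over allow rules in Windows Firewall, so these apply even if an existing rule permits IIS traffic; if a network firewall or load balancer fronts the server, apply the equivalent deny there as well so the rule does not depend on the possibly compromised host.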

“File transfer solutions have been popular targets for attackers, including ransomware groups, in recent years. We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis,” Rapid7 said in the post. 

CISA has also issued an alert urging users and organizations to follow the mitigation steps to protect against any malicious activity.

Update: Microsoft has attributed the MOVEit exploit to the Clop ransomware group.


Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.
