A critical flaw in Progress Software’s managed file transfer application MOVEit Transfer has been widely exploited in the wild to take over vulnerable systems.
The flaw, which has not yet been assigned a CVE ID, is related to a critical SQL injection vulnerability that could lead to elevation of privilege and possible unauthorized access to the environment.
“An SQL injection vulnerability was found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” the company said.
“Depending on the database engine used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can infer information about the structure and contents of the database, as well as execute SQL statements that alter or delete items from the database.”
The Massachusetts-based company, which also owns Telerik, has made patches for the bug available in the following versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0. 4 (14.0.4). ), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1).
The development was first reported by Bleeping Computer. According to Huntress and Rapid7, approximately 2,500 instances of MOVEit Transfer were exposed on the public Internet as of May 31, 2023, most of which were located in the US
Successful exploit attempts culminate in the deployment of a web shell, a file named “human2.aspx” in the “wwwroot” directory that is created by a script with a random file name, to “exfiltrate various data stored by the service MOVEit local”.
The web shell is also designed to add new administrator user account sessions with the name “Health Check Service” in a likely effort to avoid detection, a analysis of the attack chain has revealed.
Threat intelligence firm GreyNoise said it “observed scanning activity on the MOVEit Transfer login page located at /human.aspx since March 3, 2023.” and added that five different IP addresses have been detected “attempting to discover the location of MOVEit facilities”. “
🔐 Master API Security: Understand your true attack surface
Discover unexploited vulnerabilities in your API ecosystem and take proactive steps toward absolute security. Join our in-depth webinar!
Join the session
“While we do not know the details of the group behind the zero-day attacks involving MOVEit, it highlights a worrying trend of threat actors targeting file transfer solutions,” said Satnam Narang, an engineer at Tenable senior research.
The development has prompted the US Cyber Security and Infrastructure Security Agency (CISA) to issue an alert, urging users and organizations to take mitigation steps to protect themselves from any malicious activity.
It is also advised to isolate servers by blocking inbound and outbound traffic and inspect environments for possible indicators of compromise (IoC) and, if so, remove them before applying fixes.
“If it’s a ransomware group again, this will be MFT’s second zero-day in a year, cl0p went wild with GoAnywhere recently,” said security researcher Kevin Beaumont.
Source link
At Ikaroa, we remain vigilant against threats to the security of both our own products and those of other companies. One of the most serious and concerning threats is the zero-day vulnerability actively being exploited by malicious actors.
A zero-day vulnerability is an exploit discovered by attackers before the technical community is aware of it. The threat posed by these platform flaws is that they are often unpatched, meaning hackers can take advantage of them before a fix can be applied. This makes zero-day exploits particularly appealing to cybercriminals and can result in significant financial harm to organizations.
Ikaroa is at the forefront of the fight against zero-day vulnerabilities. We take proactive measures in mitigating the risks posed by these threats. We have a highly experienced team of security professionals that constantly monitor for new vulnerabilities, develop better strategies for their detection, and issue patches faster.
In addition to our assessment and detection efforts, one of the most effective ways to mitigate zero-day vulnerabilities is to use a sandbox environment. This is a secure environment in which a vulnerability can be studied, tested, and studied again. This kind of approach can help provide additional protection against unknown threats.
Zero-day vulnerabilities are a real and growing threat, and it is critical to remain vigilant and proactive in our defense against them. At Ikaroa, we are committed to protecting our customers and their data with the most up-to-date security solutions available. Our goal is to keep our customers safe and secure and ensure their data is protected from malicious actors.
