A critical zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer application could have a broad impact — leading to escalated privileges and potential unauthorized access to millions of IT environments.
In the past two days since Progress Software made the disclosure about the SQL injection vulnerability — CVE-2023-34362 — researchers from Huntress to Mandiant to security researcher Kevin Beaumont have commented on the vulnerability, imploring security teams to patch.
According to Progress Software, thousands of enterprises, including 1,700 software companies and 3.5 million developers use MOVEit. Security researchers also pointed out that the Department of Homeland Security and some large banks also use MOVEit. The Progress Software website boasts Chase Bank, Disney, BlueCross BlueShield, GEICO, JetBlue, and Major League Baseball as customers.
“We are already identifying active intrusions at several clients and expect many more in this short-term,” said John Hultquist, chief analyst, Mandiant Intelligence at Google Cloud. “Everyone needs to move fast to patch, and in cases where they suspect exploitation, prepare for possible public release of their data."
John Hammond, senior security researcher at Huntress, explained that MOVEit is managed file transfer software that uses multiple protocols to share data securely in an automated manner. Hammond said potential use cases include a university that desires potential students to upload their application online in a secure manner. Another good example: a financial institution that requires customers to upload their data to apply for a loan.
"If this MOVEit transfer is exposed to the internet — as Shodan suggests 2,500 devices are — it’s likely that it could have been compromised during the Memorial Day weekend, or perhaps even earlier," said Hammond. “We know that there have been cases of data exfiltration for affected victims, and the deployed backdoor we’ve seen in this campaign offers persistent access to the threat actor. Without cleaning up the intrusion, the adversary can potentially steal Azure account information or continue operations later."
Charles Carmakal, CTO at Mandiant Consulting at Google Cloud, added that Mandiant has been investigating several intrusions related to the exploitation of the MOVEit managed file transfer zero-day vulnerability. Carmakal said mass exploitation and broad data theft has occurred over the past few days.
“In addition to patching their systems, any organization using MOVEit should forensically examine the system to determine if it was already compromised and if data was stolen,” said Carmakal. “Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data. Mass exploitation of zero-day vulnerabilities with other managed file transfer solutions have resulted in data theft, extortion, publication of stolen data, and victim shaming."
Progress Software said all versions of MOVEit Transfer are affected by this vulnerability. They recommend that security teams apply the patches issued in its advisory.