Software developer Progress again warns customers about critical vulnerabilities in MOVEit Transfer. Using an SQL injection, an unauthorized user can manipulate and steal the contents of the MOVEit Transfer database. The developer advises customers to install the released patch as soon as possible. Progress reports this in a recent Security Advisory.
Developer sounds alarm for dangerous zero-day exploit
MOVEit Transfer is an application that many commercial parties use to exchange confidential files internally and with each other. In late May, the developer reported a zero-day vulnerability in the application. Unauthorized users could use an SQL injection to manipulate the MOVEit Transfer database in such a way that they could steal confidential data. Because attackers also had admin rights, they could break into other parts of company networks. The developer and the National Cyber Security Center (NCSC) advised installing a security update and checking the network for unauthorized access and other Indicators of Compromise (IoC).
Security researchers find three new critical vulnerabilities
Following this event, security researchers put MOVEit Transfer under a microscope. That led to the discovery of several critical vulnerabilities. This month’s Service Pack includes patches for three new Common Vulnerabilities and Exposures (CVE) entries: CVE-2023-36934, CVE-2023-36933, and CVE-2023-36932. The first vulnerability has been marked as ‘critical’, the other two as ‘high’. The first is a SQL injection vulnerability that could allow unauthorized access to the MOVEit Transfer database. An attacker could send a crafted payload to an endpoint of the MOVEit Transfer application, which could lead to modification and disclosure of the contents of the MOVEit database. Progress recommends that customers install the latest Service Pack to address the security vulnerabilities above. The company also promises to release more Service Packs for MOVEit products.
Hundreds of organizations fall victim to MOVEit Transfer vulnerabilities
The Russian hacker group Clop claims to have exploited the vulnerabilities in MOVEit Transfer to steal confidential information from ‘hundreds’ of companies and organizations worldwide. Among others, airlines British Airways and Aer Lingus, pharmacy chain Boots, the British broadcaster BBC, the government of the Canadian province of Nova Scotia, the British payroll company Zellis and the University of Rochester have reported that hackers had stolen data via this application. Landal GreenParks and Shell recently reported that they were affected by security vulnerabilities in MOVEit Transfer. The most recent victim is Gen Digital, the parent company of Norton, Avast, Avira and AVG, among others. According to security researcher Brett Callow, Clop has hit 238 organizations since the end of May and obtained the data of 17.5 million people.