A SQL injection vulnerability has been found in the MOVEit Transfer web application, allowing an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

Progress Software has discovered a vulnerability in its file transfer software MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment, the company said in a security advisory.

“A SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database,” the company said in the post, adding that depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

MOVEit Transfer is designed to allow enterprises to transfer files between business partners and customers securely.

“All MOVEit Transfer versions are affected by this vulnerability,” Progress said in the advisory. The company has made patches available for versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). The vulnerability is yet to be assigned a CVE and a CVSS score.

The vulnerability has been exploited

Several cybersecurity firms have reported that threat actors have likely already exploited the vulnerability. “Progress Software is advising MOVEit customers to check for indicators of unauthorized access over at least the past 30 days, which implies that attacker activity was detected before the vulnerability was disclosed,” Rapid7 said in a blog post. As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the US, Rapid7 said in the blog.
The firm has identified the same web shell name in multiple customer environments, which may indicate automated exploitation. The web shell code first determines whether an inbound request contains a header named X-siLock-Comment, and returns a 404 “Not Found” error if the header is not populated with a specific password-like value.

“As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface),” Rapid7 said in the blog.

Users advised to review activity for the last 90 days

Cybersecurity firm GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023.

“While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as “Malicious” by GreyNoise for prior activities,” the company said in a blog post, adding that based on the scanning activity observed, it is recommended that users of MOVEit Transfer should extend the time window for their review of potentially malicious activity to at least 90 days.

Similarly, TrustedSec noted that the backdoors have been uploaded to public sites since May 28, 2023, “meaning the attackers likely took advantage of the Memorial Day holiday weekend to gain access to systems. There have also been reports of data exfiltration from affected victims,” TrustedSec said in a blog post.

Mitigation recommendations

Progress advises users to deny all HTTP (TCP/80) and HTTPS (TCP/443) traffic to the MOVEit environment.
Note that this will block all access to the system, but SFTP/FTP, which currently appears unaffected, will still work. The company also advises isolating the servers by blocking inbound and outbound traffic and inspecting the environments for possible indicators of compromise and, if any are found, deleting them before applying the fixes.

“File transfer solutions have been popular targets for attackers, including ransomware groups, in recent years. We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis,” Rapid7 said in the post.

An alert urging users and organizations to follow the mitigation steps to secure against any malicious activity has also been issued by CISA.

Update: Microsoft has attributed the MOVEit exploit to the Clop ransomware group.
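As an added illustration of the log review the firms above recommend (example code written for this page, not Progress's or Rapid7's), this Python script parses IIS W3C log lines and flags every request to the human2.aspx file inside a 90-day window. The log sample, the reference date and the field layout are constructed for the illustration.

```python
from datetime import datetime, timedelta

SHELL_NAME = "human2.aspx"             # web shell file name reported by Rapid7
REFERENCE_DATE = datetime(2023, 6, 2)  # "now" for the review window (constructed)

# Constructed IIS W3C log sample; real logs live under
# %SystemDrive%\inetpub\logs\LogFiles\ on the MOVEit Transfer host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-01-15 11:22:33 10.0.0.5 GET /HUMAN2.ASPX - 198.51.100.7 200
2023-05-27 03:14:07 10.0.0.5 GET /human.aspx - 203.0.113.10 200
2023-05-28 02:05:43 10.0.0.5 GET /human2.aspx - 203.0.113.44 404
2023-05-28 02:05:44 10.0.0.5 POST /human2.aspx - 203.0.113.44 200
"""


def parse_w3c(text):
    """Yield one dict per request line, using the log's own #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def find_webshell_hits(text, now=REFERENCE_DATE, lookback_days=90):
    """Return request rows for human2.aspx inside the review window.

    The 90-day default follows GreyNoise's advice; Progress's own guidance
    was at least 30 days. sc-status is deliberately not used as a filter:
    the shell itself answers 404 when its X-siLock-Comment header is absent,
    so a 404 against human2.aspx still deserves a look. Matching is
    case-insensitive because IIS paths are.
    """
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith("/" + SHELL_NAME):
            when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            if when >= cutoff:
                hits.append(row)
    return hits


if __name__ == "__main__":
    for h in find_webshell_hits(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
```

Point the script at the real log directory and widen lookback_days if the environment was exposed earlier than the scanning GreyNoise observed.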