
Vulnerability in MOVEit file transfer leads to data theft

Days after Progress Software released an announcement revealing that it had discovered a vulnerability in its MOVEit file transfer software, security researchers have observed threat actors taking advantage of the flaw to steal data and map out the structure of certain databases.

David Hollingworth
Mon, 05 Jun 2023

While Progress made its initial announcement on 31 May, researchers at Rapid7 noted that the initial compromise dates to 27 May, with data exfiltration starting to occur on 28 May.

“Progress has discovered a vulnerability in MOVEit Transfer and MOVEit Cloud that could lead to escalated privileges and potential unauthorised access to the environment,” Progress said in a security update. “If you are a MOVEit Transfer customer, it is extremely important that you take immediate action in order to help protect your environment.”

A patch was released within 24 hours of the initial announcement, and on 2 June, a CVE ID was assigned to the vulnerability.


The vulnerability is an SQL injection flaw that leads to unauthorised access to the file transfer software’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database,” the CVE advisory read, “and execute SQL statements that alter or delete database elements”.
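The mechanism the advisory describes, an attacker supplying text that the application splices into its own SQL and thereby reading schema and contents the query was never meant to return, is easy to see in miniature. The following is an added example written for this article, not code from Progress or from MOVEit Transfer; it uses a constructed SQLite database with made-up table names (`users`, `transfers`) and shows a string-concatenated lookup next to its parameterised replacement:

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for a file transfer app's backend.

    Table and column names are assumptions for the demonstration, not MOVEit's schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users (username, api_token) VALUES (?, ?)",
        [("alice", "tok-alice"), ("bob", "tok-bob")],
    )
    conn.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, owner TEXT, path TEXT)")
    conn.execute("INSERT INTO transfers (owner, path) VALUES ('alice', '/uploads/q2-report.xlsx')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Attacker-controlled text is concatenated into the statement, so a quote in
    # the input ends the literal and anything after it is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterised query: the value travels separately from the statement text
    # and is only ever compared, never parsed, so it cannot change the query.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Constructed attacker inputs. The first infers the database structure (which
# tables exist); the second reads contents from a column the query never
# selected. The trailing "-- " comments out the application's closing quote.
SCHEMA_PROBE = "x' UNION SELECT name FROM sqlite_master WHERE type='table' -- "
DATA_PROBE = "x' UNION SELECT api_token FROM users -- "


def demonstrate():
    """Run both lookups against both probes and return what each leaks."""
    conn = make_db()
    return {
        "vulnerable_schema": sorted(lookup_vulnerable(conn, SCHEMA_PROBE)),
        "vulnerable_data": sorted(lookup_vulnerable(conn, DATA_PROBE)),
        "safe_schema": lookup_safe(conn, SCHEMA_PROBE),
        "safe_data": lookup_safe(conn, DATA_PROBE),
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The concatenated version answers the schema probe with every table name and the data probe with every stored token, which is exactly the "infer information about the structure and contents" outcome the advisory warns of; the parameterised version returns nothing for either probe because the whole string is treated as a username that does not exist. Stacked statements that would alter or delete data are not shown here because Python's `sqlite3` refuses to execute more than one statement per call, but on engines and drivers that allow them the same concatenation bug opens that door as well.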

According to Rapid7, incidents related to the flaw picked up after Progress’ announcement, mostly affecting organisations in North America, and they appear to be opportunistic rather than aimed at specific organisations. Rapid7 has also seen the same webshell file name turn up in multiple data exfiltration events, which suggests some degree of automation in the attack chain.

“... the uniformity of the artifacts we’re seeing could plausibly be the work of a single threat actor throwing one exploit indiscriminately at exposed targets,” Rapid7 said in a blog post. Mandiant has also backed up the theory that a single actor may be behind the majority of attacks.

Rapid7 said it has observed around 2,500 instances of the vulnerable software exposed to the public internet. A patched version of the software is now available, and alongside applying it Progress recommends that MOVEit Transfer customers update their firewall rules, review accounts for unauthorised users, update remote access policies, and enable multifactor authentication.

“At Progress, security is always a top priority, and we have taken actions to mitigate the issue,” Progress said. “We do, however, recommend that customers conduct their own due diligence.”
