Zero-day vulnerability in MoveIt Transfer under attack

A critical vulnerability in Progress Software’s MoveIt Transfer is under exploitation, according to a report from Rapid7.

The zero-day vulnerability, which Progress disclosed Wednesday, is a SQL injection flaw that could lead to escalated privileges and potential unauthorized access in the managed file transfer (MFT) product. Currently, there is no patch available for the flaw, and it has not been assigned a CVE.

UPDATE: A Progress Software spokesperson said a patch has been made available for all affected versions of MoveIt Transfer.

Progress’ advisory did not note any exploitation activity. However, in a blog post Thursday morning, Rapid7 said it is currently observing active exploitation of the flaw.

“We have observed an uptick in related cases since the vulnerability was disclosed publicly yesterday (May 31, 2023); file transfer solutions have been popular targets for attackers, including ransomware groups, in recent years,” wrote Caitlin Condon, vulnerability research manager at Rapid7. “We strongly recommend that MoveIt Transfer customers prioritize mitigation on an emergency basis.”

Condon’s post referenced the attacks on Fortra’s GoAnywhere MFT software earlier this year. The attacks on GoAnywhere began in late January with zero-day exploitation of a remote code injection flaw, CVE-2023-0669, and continued into February. Many of the attacks appeared to be the work of the Clop and LockBit ransomware gangs.

It’s unclear which threat actors are behind the attacks exploiting the MoveIt Transfer zero-day. Condon wrote that Rapid7 discovered the same web shell in several customer environments, which she said indicates a possible automated exploit. She also noted that there are approximately 2,500 MoveIt Transfer instances exposed to the public internet, the majority of them located in the U.S.

In its advisory, Progress urged MoveIt Transfer customers to take “immediate action” by implementing temporary mitigation while the vendor completes work on a patch. The vendor urged customers to immediately disable all HTTP and HTTPS traffic to their MoveIt Transfer instances and to check for potential indicators of compromise over the last 30 days, such as the creation of “unexpected files” or any large file downloads.
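One way to turn the two indicators Progress named into a repeatable check, as an added example that is not part of the article or of any Progress tooling: a baseline comparison for files that changed inside the 30-day window, and a scan of transfer-log lines for large downloads in the same window. The web-root walker, the transfer-log layout, the size threshold and the sample data are assumptions.

```python
# Added example, not from the article or from Progress: turn the two indicators
# in the advisory into a repeatable check. Paths, log layout and sizes are assumed.
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

LOOKBACK = timedelta(days=30)                 # window named in the advisory
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024      # assumed threshold, tune per site

def scan_tree(root):
    """Yield (relative_path, mtime) for every file under root (disk walker)."""
    root = Path(root)
    for p in root.rglob("*"):
        if p.is_file():
            mtime = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
            yield p.relative_to(root).as_posix(), mtime

def flag_unexpected_files(entries, baseline, now):
    """Files absent from the known-good baseline that changed inside the window."""
    cutoff = now - LOOKBACK
    return sorted(path for path, mtime in entries
                  if path not in baseline and mtime >= cutoff)

# Assumed transfer-log layout: "<ISO timestamp> <user> <action> <file> <bytes>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) "
                    r"(?P<file>\S+) (?P<size>\d+)$")

def flag_large_downloads(lines, now, threshold=LARGE_DOWNLOAD_BYTES):
    """(user, file, bytes) for downloads over threshold inside the window."""
    cutoff = now - LOOKBACK
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "DOWNLOAD":
            continue
        if datetime.fromisoformat(m["ts"]) >= cutoff and int(m["size"]) >= threshold:
            hits.append((m["user"], m["file"], int(m["size"])))
    return hits

# Constructed sample data so the block runs stand-alone
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_LOG = """\
2023-05-30T02:14:00+00:00 svc_xfer DOWNLOAD archive/q1.zip 734003200
2023-05-30T02:15:00+00:00 alice UPLOAD reports/may.xlsx 204800
2023-04-01T09:00:00+00:00 bob DOWNLOAD old/backup.tar 900000000
""".splitlines()
SAMPLE_ENTRIES = [("index.html", NOW - timedelta(days=400)),
                  ("unexpected.aspx", NOW - timedelta(days=1))]
BASELINE = {"index.html"}
```

Against a real deployment, feed `scan_tree(<web root>)` and a baseline captured from a known-good install into `flag_unexpected_files`, and the product's own transfer log (after adjusting `LOG_RE` to its format) into `flag_large_downloads`.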

Rob Wright is a longtime technology reporter who lives in the Boston area.
