CISA

CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.

The critical flaw (tracked as CVE-2023-34362) is an SQL injection vulnerability that enables unauthenticated, remote attackers to gain access to MOVEit Transfer’s database and execute arbitrary code.

According to the November 2022 binding operational directive (BOD 22-01), Federal Civilian Executive Branch Agencies (FCEB) must patch this security vulnerability once added to CISA’s Known Exploited Vulnerabilities catalog.

While BOD 22-01 primarily focuses on federal agencies, it is highly recommended that private companies also prioritize securing their systems against this actively exploited MOVEit Transfer flaw.

Progress advises all customers to patch their MOVEit Transfer instances to block exploitation attempts and potential breaches.

Those who cannot immediately apply security updates can also disable all HTTP and HTTPS traffic to their MOVEit Transfer environments to remote the attack surface.

You can find the list of affected MOVEit Transfer versions and the fixed versions in the table embedded below.

Currently, there are more than 2,500 MOVEit Transfer servers on the Internet, most of which are in the United States.

Threat actors have been exploiting CVE-2023-34362 as a zero-day vulnerability since at least May 27, according to Mandiant CTO Charles Carmakal, four days before Progress publicly disclosed it and began testing security patches for vulnerable systems.

“Mass exploitation and broad data theft has occurred over the past few days,” Carmakal told BleepingComputer.

“Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data.”

Exploited to drop web shells and steal data

BleepingComputer has been told that multiple organizations have already been breached and their data stolen with the help of a newly discovered web shell (dubbed LemurLoot by Mandiant).

LemurLoot helps the attackers harvest Azure Blob Storage account information, including credentials which can be used to exfiltrate data from the victims’ Azure Blob Storage containers.

Mandiant also found possible links between attacks targeting MOVEit Transfer servers and the FIN11 financially-motivated threat group, known for data theft extortion attempts through the Clop ransomware gang’s leak site following exploitation of zero-days in other file transfer systems.

As of now, the identity of the attackers remains unknown, as they have yet to start extorting their victims.

Nevertheless, the method of exploitation bears a remarkable resemblance to previous instances, including the zero-day exploitation of Accellion FTA servers in December 2020 and the mass exploitation of a GoAnywhere MFT zero-day in January 2023.

Both GoAnywhere MFT and Accellion FTA are managed file transfer platforms that were targeted by the notorious Clop ransomware gang to steal data and extort victims.

Source: www.bleepingcomputer.com