CISA has added an actively exploited security bug in the managed file transfer (MFT) solution Progress MOVEit Transfer to its list of known exploited vulnerabilities, ordering US federal agencies to patch their systems by June 23.
The critical flaw (tracked as CVE-2023-34362) is an SQL injection vulnerability that lets remote, unauthenticated attackers gain access to the MOVEit Transfer database and execute arbitrary code.
Under the November 2021 Binding Operational Directive (BOD 22-01), Federal Civilian Executive Branch (FCEB) agencies must patch this vulnerability by the deadline set when it is added to CISA's Known Exploited Vulnerabilities catalog.
Although BOD 22-01 primarily focuses on federal agencies, private companies are strongly recommended to prioritize securing their systems against this actively exploited MOVEit Transfer flaw.
Progress advises all customers to patch their MOVEit Transfer instances to block exploitation attempts and potential breaches.
Those unable to apply the security updates immediately can instead block all HTTP and HTTPS traffic to their MOVEit Transfer environments, which takes the vulnerable web interface off the network until the patch is in place (the MOVEit web UI is unreachable while the block is in effect).
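One way to apply the interim mitigation on the MOVEit Transfer host itself, as an added example that is not from the article or from Progress: a Windows Defender Firewall rule that denies inbound TCP 80 and 443, followed by a check that the rule actually exists and blocks. The rule name, and the assumption that MOVEit is served by IIS on the default ports 80 and 443, are assumptions; adjust `-LocalPort` if the deployment uses other ports.

```powershell
# Added example (not from the article or Progress): emergency block of inbound
# HTTP/HTTPS to a MOVEit Transfer host using Windows Defender Firewall, for use
# until the fixed build is installed. Assumes MOVEit Transfer is served by IIS on
# the default ports 80 and 443 on this host; adjust -LocalPort if it is not.
# Run in an elevated PowerShell session.

$ruleName = 'MOVEit-Block-HTTP-HTTPS-CVE-2023-34362'   # rule name is an assumption
$ports    = @(80, 443)

# Create the block rule only once; a re-run must not stack duplicate rules.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Temporary mitigation: deny inbound HTTP/HTTPS to MOVEit Transfer until patched' `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: the rule must exist, be enabled, block, and cover exactly the ports above.
$rule       = Get-NetFirewallRule -DisplayName $ruleName
$portFilter = $rule | Get-NetFirewallPortFilter
$ok = ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block') -and
      (($portFilter.LocalPort -join ',') -eq ($ports -join ','))
if (-not $ok) { throw "Firewall rule '$ruleName' is missing or misconfigured." }

# Block rules take precedence over allow rules in Windows Firewall, so the stock
# 'World Wide Web Services (HTTP Traffic-In)' allow rule does not override this.
# Confirm from another host that the listener is unreachable:
#   Test-NetConnection -ComputerName <moveit-host> -Port 443   # TcpTestSucceeded should be False
"Inbound TCP $($ports -join '/') to this host is now blocked by rule '$ruleName'."
```

The block is host-local; if MOVEit sits behind a load balancer or perimeter firewall, apply the same deny there as well, since the web tier is the exposed surface. Once the fixed version is installed, remove the rule with `Remove-NetFirewallRule -DisplayName $ruleName`.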
You can find the list of affected MOVEit Transfer versions and fixed versions in the table embedded below.
Currently there are more than 2,500 MOVEit Transfer servers on the Internet, most of which are in the United States.
Threat actors have been exploiting CVE-2023-34362 as a zero-day since at least May 27, according to Mandiant CTO Charles Carmakal, four days before Progress publicly disclosed the flaw and released security patches.
“Massive exploitation and large-scale data theft has been happening in the past few days,” Carmakal told BleepingComputer.
“While Mandiant does not yet know the motivation of the threat actor, organizations should be prepared for potential extortion and the release of stolen data.”
Exploited to drop web shells and steal data
BleepingComputer has been informed that several organizations have already been breached and their data stolen using a recently discovered web shell (nicknamed LemurLoot by Mandiant).
LemurLoot helps attackers harvest Azure Blob Storage account information, including credentials that can be used to exfiltrate data from victims’ Azure Blob Storage containers.
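A first-pass hunt for the web-shell stage described above, as an added example that is not from the article, Progress or Mandiant: list script files created or modified in the MOVEit web root since the earliest exploitation date the article cites, hash them, and then pull every IIS log entry that requested one of those file names. The paths (`C:\MOVEitTransfer\wwwroot`, `C:\inetpub\logs\LogFiles`) are the usual defaults and are assumptions; the May 27 lower bound comes from the article.

```powershell
# Added example (not from the article, Progress or Mandiant): hunt for web shell
# files dropped into the MOVEit Transfer web root and for HTTP requests that hit
# them. Assumptions: default install root C:\MOVEitTransfer\wwwroot, IIS logs under
# C:\inetpub\logs\LogFiles in W3C format, and 2023-05-27 (the earliest exploitation
# date the article cites) as the lower bound of the search window. Adjust paths.

$webRoot   = 'C:\MOVEitTransfer\wwwroot'
$iisLogDir = 'C:\inetpub\logs\LogFiles'
$since     = Get-Date '2023-05-27'

# 1. Script files created or modified inside the window. A legitimate install
#    writes its .aspx/.ashx/.asmx files at install or upgrade time, so fresh ones
#    in that tree are suspicious. Record hashes for later correlation.
$suspects = Get-ChildItem -Path $webRoot -Recurse -File -Include *.aspx,*.ashx,*.asmx |
    Where-Object { $_.CreationTimeUtc -ge $since -or $_.LastWriteTimeUtc -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTimeUtc
            Modified = $_.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    }

# 2. Requests to those files in the IIS logs. W3C logs carry a '#Fields:' header
#    naming the columns; parse it rather than assuming fixed positions.
function Get-RequestsToFiles {
    param([string[]]$LogDir, [string[]]$FileNames)
    if (-not $FileNames) { return @() }
    $names = $FileNames | ForEach-Object { $_.ToLowerInvariant() }
    Get-ChildItem -Path $LogDir -Recurse -File -Filter *.log | ForEach-Object {
        $fields = $null
        Get-Content -Path $_.FullName | ForEach-Object {
            if ($_.StartsWith('#Fields:')) { $fields = ($_ -replace '^#Fields:\s*', '') -split ' '; return }
            if ($_.StartsWith('#') -or -not $fields) { return }
            $cols = $_ -split ' '
            $row  = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
            $stem = $row['cs-uri-stem']
            if ($stem -and $names -contains ([System.IO.Path]::GetFileName($stem)).ToLowerInvariant()) {
                [pscustomobject]@{
                    Time   = "$($row['date']) $($row['time'])"
                    Client = $row['c-ip']
                    Method = $row['cs-method']
                    Uri    = $stem
                    Status = $row['sc-status']
                }
            }
        }
    }
}

$suspects | Format-Table -AutoSize
$hits = Get-RequestsToFiles -LogDir $iisLogDir -FileNames ($suspects.Path | Split-Path -Leaf)
$hits | Sort-Object Time | Format-Table -AutoSize
```

Treat an empty result as inconclusive rather than clean: an attacker can reset file timestamps, and a shell can be removed after use, so the IIS log search should also be run against the full set of requested `.aspx` names that do not belong to the product, not only against files still on disk. Any file that does turn up should be preserved with its hash before it is removed, since it is evidence for the data-theft timeline.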
Mandiant also found possible links between the attacks on MOVEit Transfer servers and the financially motivated threat group FIN11, which is known for data-extortion campaigns run through the Clop ransomware gang's leak site after exploiting zero-days in other file transfer products.
For now, the identity of the attackers remains unknown, as they have not yet started to extort their victims.
Nevertheless, the exploitation pattern closely resembles previous campaigns, including the zero-day exploitation of Accellion FTA servers in December 2020 and the mass exploitation of a GoAnywhere MFT zero-day in January 2023.