Progress has warned MOVEit Transfer customers to restrict all HTTP access to their environments after information about a new SQL injection (SQLi) vulnerability was shared online today.
A patch fixing this new critical security bug is not yet available, but one is currently being tested and will be released “soon”, according to the company.
“Progress has discovered a vulnerability in MOVEit Transfer that could lead to elevation of privilege and potentially unauthorized access to the environment,” Progress said.
“We have reduced HTTPS traffic for MOVEit Cloud in light of the recently published vulnerability and are asking all MOVEit Transfer customers to immediately drop their HTTP and HTTPS traffic to protect their environments while the patch is finalized,” it added.
Until security updates are released for affected MOVEit Transfer versions, Progress “strongly” recommends modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 as a temporary workaround.
Although users will no longer be able to log in to their accounts through the web UI, file transfers will still be available, as the SFTP and FTP/S protocols will continue to work as expected.
Administrators can also access MOVEit Transfer by connecting to the Windows server via remote desktop and then going to https://localhost/.
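The interim workaround described above, as an added PowerShell example that is not from Progress or the article: it creates, verifies and later removes a Windows Firewall rule denying inbound TCP 80/443 on the MOVEit Transfer server, leaving SFTP and FTP/S listeners alone. The rule name and function names are our own, and it assumes Windows Defender Firewall is the host firewall and that SFTP/FTP/S use their default ports (22, 21, 990).

```powershell
# Added example, not vendor code: temporary host-firewall block for the MOVEit
# Transfer web listener, mirroring the advisory's "deny 80/443" workaround.
# Run in an elevated PowerShell session on the MOVEit Transfer server itself.
# Assumptions: Windows Defender Firewall is in use; default SFTP/FTP/S ports.

$RuleName = 'MOVEit-Temp-Block-HTTP-HTTPS'   # hypothetical rule name, ours

function Set-MoveitWebBlock {
    # Idempotent: remove any earlier copy so repeated runs do not stack rules.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Interim mitigation: deny web UI until the MOVEit Transfer patch is applied' `
        -Direction Inbound -Protocol TCP -LocalPort 80,443 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

function Remove-MoveitWebBlock {
    # Roll back once the vendor patch is installed and verified.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Test-MoveitWebBlock {
    # Report what the rule actually blocks and confirm the transfer protocols
    # the article says keep working (SFTP 22, FTP 21, FTPS 990) are not in it.
    $rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $transferPorts = @('22', '21', '990')
    [pscustomobject]@{
        Rule            = $rule.DisplayName
        Enabled         = $rule.Enabled
        Action          = $rule.Action
        BlockedPorts    = $ports -join ','
        TransferBlocked = [bool]($ports | Where-Object { $transferPorts -contains $_ })
        # IIS still listens locally; the block is enforced at the network edge of
        # the host, so RDP-then-https://localhost/ remains usable for admins.
        WebStillListening = [bool](Get-NetTCPConnection -LocalPort 80,443 -State Listen -ErrorAction SilentlyContinue)
    }
}

Set-MoveitWebBlock
Test-MoveitWebBlock | Format-List
```

From any other host, `Test-NetConnection <server> -Port 443` should now report `TcpTestSucceeded : False` while port 22 still connects; run `Remove-MoveitWebBlock` after patching.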
Although Progress has not shared where the details of this new SQLi flaw were posted, at least one security researcher has shared information on Twitter about what looks like proof-of-concept exploit code for a new MOVEit Transfer zero-day bug.
The researcher told BleepingComputer that they believe this new warning from Progress is related to the PoC they are working on.
“I did not reach the RCE. This vulnerability is not a workaround of a previous vulnerability. It has its own attack path,” the researcher added.
BleepingComputer was also informed that the vulnerability had already been disclosed to Progress with the help of Huntress’s senior security researcher, John Hammond – the disclosure likely prompted the company’s warning as well.
Today’s warning follows another advisory issued on Friday that disclosed critical SQL injection vulnerabilities collectively tracked as CVE-2023-35036, discovered during a security audit launched on May 31, when Progress published fixes for a flaw (CVE-2023-34362) exploited as a zero-day by the Clop ransomware gang in data theft attacks.
CVE-2023-35036 affects all versions of MOVEit Transfer and allows unauthenticated attackers to compromise unpatched, internet-exposed servers to steal customer information.
The Clop ransomware gang claimed responsibility for the CVE-2023-34362 attacks and told BleepingComputer they allegedly breached the MOVEit servers of “hundreds of companies”.
Kroll also found evidence that Clop had been testing exploits for the now-patched MOVEit zero-day since 2021 and exploring ways to exfiltrate stolen data from compromised MOVEit servers since at least April 2022.
Clop has been linked to other high-impact campaigns targeting managed file transfer platforms, including the breach of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U managed file transfer attacks, and the widespread exploitation of GoAnywhere MFT servers in January 2023.
Affected organizations are already being extorted
On Wednesday, the Clop gang started extorting organizations affected by the MOVEit data theft attacks by listing their names on its dark web data leak site.
Five of the listed organizations – British multinational oil and gas company Shell, the University of Georgia (UGA) and University System of Georgia (USG), UnitedHealthcare Student Resources (UHSR), Heidelberger Druck and Landal Greenparks – have since confirmed to BleepingComputer that they were affected by the attacks.
Other organizations that have previously disclosed MOVEit Transfer breaches include Zellis (and its customers BBC, Boots, Aer Lingus and the Irish HSE), Ofcom, the Nova Scotia government, the US state of Missouri, the US state of Illinois, the University of Rochester, the American Board of Internal Medicine, BORN Ontario and Extreme Networks.
Today, the US Cybersecurity and Infrastructure Security Agency (CISA) also revealed that several US federal agencies have been hacked, according to a CNN report. Two U.S. Department of Energy (DOE) entities were also compromised, according to Federal News Network.