Progress Software today notified customers of newly discovered critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution that may allow attackers to steal information from customer databases.

These security bugs were discovered with the help of cybersecurity firm Huntress following detailed code reviews initiated by Progress on May 31, when it corrected a defect exploited as a zero-day by the Clop ransomware gang in data theft attacks.

They affect all versions of MOVEit Transfer and allow unauthenticated attackers to compromise Internet-facing servers to modify or extract customer information.

“An attacker could submit a specially crafted payload to a MOVEit Transfer application endpoint, which could lead to the modification and disclosure of the contents of the MOVEit database”, Progress said in a notice published today.

“All MOVEit Transfer customers should apply the new patch, released June 9, 2023. Investigation is ongoing, but currently we have not seen any indications that these newly discovered vulnerabilities have been exploited,” said the society. added.

The company said that all MOVEit Cloud clusters have already been patched against these new vulnerabilities to protect them against possible attack attempts.

Below is the current list of MOVEit Transfer versions for which a patch is available for these new vulnerabilities:

MOVEit zero-day in the hands of Clop since 2021

The Clop ransomware gang claimed responsibility for targeting zero-day transfer CVE-2023-34362 MOVEit in a message sent to Bleepingomputer over the weekend, leading to a series of computer theft attacks. data that would have affected “hundreds of companies”.

While the credibility of their statements remains unclear, the group’s admission aligns with findings from Microsoft, which has linked this campaign to the hacking group it tracks as Lace Tempest, which overlaps with TA505’s activities. and FIN11.

Kroll security experts too found evidence that Clop was researching ways to exploit the now-patched zero-day MOVEit since 2021, as well as methods to extract data from compromised MOVEit servers since at least April 2022.

Cybercriminal group Clop has a history of orchestrating data theft campaigns and exploiting vulnerabilities in various managed file transfer platforms.

These exploits included the zero-day breach of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed file transfer attacks and widespread exploitation of a GoAnywhere MFT day zero in January 2023.

Since Clop’s MOVEit data theft attacks were disclosed, affected organizations have slowly started to come forward to acknowledge the data breaches and security incidents.

For example, UK payroll and HR solutions provider Zellis told BleepingComputer that it suffered a data breach as a result of these attacks, an incident that could likely impact some of its customers.

Some of its affected customers include British Airways (the UK airline), Aer Lingus (the Irish airline) and the Minnesota Department of Education.

To make matters worse, Clop has recently threatened organizations concerned, urging them to enter into ransom negotiations to prevent the public leak of their data.