CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.
The critical flaw (tracked as CVE-2023-34362) is an SQL injection vulnerability that enables unauthenticated, remote attackers to gain access to MOVEit Transfer’s database and execute arbitrary code.
While BOD 22-01 primarily focuses on federal agencies, it is highly recommended that private companies also prioritize securing their systems against this actively exploited MOVEit Transfer flaw.
Progress advises all customers to patch their MOVEit Transfer instances to block exploitation attempts and potential breaches.
Those who cannot immediately apply security updates can also disable all HTTP and HTTPS traffic to their MOVEit Transfer environments to reduce the attack surface.
You can find the list of affected MOVEit Transfer versions and the fixed versions in the table embedded below.
“Mass exploitation and broad data theft has occurred over the past few days,” Carmakal told BleepingComputer.
“Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data.”
Exploited to drop web shells and steal data
BleepingComputer has been told that multiple organizations have already been breached and their data stolen with the help of a newly discovered web shell (dubbed LemurLoot by Mandiant).
LemurLoot helps the attackers harvest Azure Blob Storage account information, including credentials which can be used to exfiltrate data from the victims’ Azure Blob Storage containers.
Mandiant also found possible links between attacks targeting MOVEit Transfer servers and the FIN11 financially-motivated threat group, known for data theft extortion attempts through the Clop ransomware gang’s leak site following exploitation of zero-days in other file transfer systems.
As of now, the identity of the attackers remains unknown, as they have yet to start extorting their victims.
Both GoAnywhere MFT and Accellion FTA are managed file transfer platforms that were targeted by the notorious Clop ransomware gang to steal data and extort victims.