It’s time to patch your MOVEit Transfer solution again!

Progress Software customers who use the MOVEit Transfer managed file transfer solution might not want to hear it, but they should quickly patch their on-prem installations again: With the help of researchers from Huntress, the company has uncovered additional SQL injection vulnerabilities that could potentially be used by unauthenticated attackers to grab data from the web application’s database.

The vulnerabilities are yet to receive a CVE number, but patches/fixed versions have been provided.

“The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” the company said, and confirmed that they’ve “deployed a new patch to all MOVEit Cloud clusters to address the new vulnerabilities.”

A variety of targets

On May 31, Progress warned about the active exploitation of CVE-2023-34362, an (at the time) zero-day vulnerability that has been exploited to hit a variety of organizations during the Memorial Day weekend in the US.

Progress quickly released patches and urged customers to implement them and search for webshells dropped by the attackers – the Cl0p cyber extortion gang – in the days and weeks before the initial public warning.

Targeted organizations ranged from small businesses to big enterprises, in a variety of sectors (tech, manufacturing, healthcare, financial services, etc.) and across the world.

On Friday, Netcraft revealed that more than a week since remediation instructions were published, they have discovered web shells still present on servers associated with energy, healthcare, and finance companies – mostly US-based, but they also in Canada, Oman, and the Philippines.

Cl0p had the exploit and began testing it two years ago?

The fact that Progress has partnered with third-party cybersecurity experts to do a detailed code review is welcome news, but a similar effort one or two years earlier might have nipped these attacks in the bud.

According to an analysis by Kroll cybersecurity investigators, the Cl0p threat actors were likely experimenting with this particular exploit for this particular vulnerability as far back as 2021.

“Kroll’s initial analysis of clients impacted by the MOVEit Transfer vulnerability indicated a broad swath of activity associated with the vulnerability on or around May 27 and 28, 2023, just days prior to Progress Software’s public announcement of the vulnerability on May 31, 2023,” the company said.

“Activity during the May 27–28 period appeared to be an automated exploitation attack chain that ultimately resulted in the deployment of the human2.aspx web shell.”

But after reviewing impacted clients’ Microsoft Internet Information Services (IIS) logs, they found evidence of similar activity occurring in April 2022 and July 2021. They believe that this shows that the attackers were testing access to organizations and grabbing information from the MOVEit Transfer servers to identify which organization they were accessing.

Essentially, they were doing reconnaissance way before performing the final data exfiltration attacks.

“Kroll assesses with high confidence that the MOVEit Transfer exploit as it exists today was available and being used/tested in April 2022, and was available and being used/tested in July 2021,” the company noted.

“This finding illustrates the sophisticated knowledge and planning that go into mass exploitation events such as the MOVEit Transfer cyberattack. According to these observations, the Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023 but chose to execute the attacks sequentially instead of in parallel.”