A financially motivated threat group, potentially linked to FIN11, has been actively exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer application. This managed file transfer software is widely used by organizations, including prominent names such as Disney, Chase, and Geico. Exploitation began on May 27, several days before Progress disclosed the vulnerability and released patches. This article summarizes the vulnerability and its impact on affected organizations, and emphasizes the urgent need for patching to mitigate the risk.
The zero-day vulnerability in MOVEit Transfer, tracked as CVE-2023-34362, is an SQL injection flaw in the web application that gives an unauthenticated attacker access to the application’s database and, through it, to data uploaded by MOVEit Transfer users. Attackers have used it to deploy a newly identified web shell, tracked as LEMURLOOT, and to exfiltrate data quickly, with theft completed within minutes of initial access in some cases. Exploit activity has been observed as early as March 3, indicating that it may have gone on for an extended period before disclosure. Thousands of potentially vulnerable hosts, including those in the financial, educational, and governmental sectors, have been identified.
Following the pattern of recent zero-day exploits, such as the one targeting Fortra’s GoAnywhere managed file transfer product, this attack on MOVEit Transfer poses significant risks. Cybercriminals have shifted their focus from data encryption to data theft, viewing file transfer technologies as lucrative targets: compromising one of these platforms grants access to sensitive information from numerous businesses at once. Given the popularity of MOVEit Transfer and its vast user base, the impact of this exploitation could be extensive. The threat group behind the attacks may be laying the groundwork for future extortion or ransomware campaigns, making it crucial to address the vulnerability promptly.
My take: Promptly patching the zero-day vulnerability in MOVEit Transfer is paramount to mitigating the risk of data breaches and subsequent ransomware attacks. Organizations running the software are advised to review their environments for any suspicious activity in the past 30 days, in particular unexpected files in the MOVEit web root and unusual requests in the IIS logs, and to apply the provided patches urgently. Progress Software has acknowledged the severity of the situation and issued guidance to its customers. However, it is vital to note that scanning activity against MOVEit Transfer was observed before the official disclosure, so a patch alone does not rule out an earlier compromise, and the review should cover the period before the advisory. The financial sector, educational institutions, government agencies, and businesses across various industries must prioritize patching to safeguard their data and prevent potential disruptions.
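One way to carry out the 30-day review described above, as an added example that is not part of the original article or of Progress Software’s guidance: parse the host’s IIS logs, flag requests for any .aspx page that a clean MOVEit Transfer install does not serve, and list .aspx files in the web root that should not be there. The allowlist of known pages is an assumption the operator must fill from a clean install of the same version; the log excerpt is constructed, not real traffic; `human2.aspx` is the file name under which the LEMURLOOT web shell was publicly reported.

```python
"""Triage helper for a MOVEit Transfer host: flags web requests for .aspx
pages outside the server's known page set and lists .aspx files in the
web root that a clean install would not contain. Added example, not
Progress Software's tooling; constructed sample data only."""
import os
import tempfile
from datetime import datetime, timedelta

# Assumption: the operator fills this set from a clean install of the same
# MOVEit Transfer version. The three names here are placeholders.
KNOWN_PAGES = {"human.aspx", "guestaccess.aspx", "machine.aspx"}
# File name under which the LEMURLOOT web shell was publicly reported.
KNOWN_BAD = {"human2.aspx"}

# Constructed IIS W3C log excerpt (not real traffic): one source hits the
# known page, then the web shell name twice, the day after exploitation was
# first reported; the last valid line is ordinary authenticated use.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2023-05-28 02:14:10 GET /human.aspx - - 203.0.113.5 200
2023-05-28 02:14:15 POST /human2.aspx - - 203.0.113.5 200
2023-05-28 02:14:20 GET /human2.aspx - - 203.0.113.5 200
2023-05-30 09:00:00 GET /human.aspx - jdoe 198.51.100.7 200
truncated-line
"""


def window_start(days=30):
    """Start of the review window recommended in the article (default 30 days)."""
    return datetime.now() - timedelta(days=days)


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names.
    Lines whose token count does not match the header are skipped, not guessed."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_suspicious_requests(records, since, known_pages=KNOWN_PAGES, known_bad=KNOWN_BAD):
    """Return log records inside the window that request a .aspx page which is
    either a known web shell name or absent from the clean-install page set."""
    hits = []
    for r in records:
        if r["ts"] < since:
            continue
        name = os.path.basename(r["cs-uri-stem"]).lower()
        if not name.endswith(".aspx"):
            continue
        if name in known_bad or name not in known_pages:
            hits.append(r)
    return hits


def find_unexpected_aspx_files(wwwroot, known_pages=KNOWN_PAGES, known_bad=KNOWN_BAD):
    """Walk the web root and return (path, mtime) for every .aspx file that is
    a known web shell name or not part of the clean-install page set."""
    found = []
    for dirpath, _, files in os.walk(wwwroot):
        for f in files:
            lower = f.lower()
            if not lower.endswith(".aspx"):
                continue
            if lower in known_bad or lower not in known_pages:
                path = os.path.join(dirpath, f)
                found.append((path, datetime.fromtimestamp(os.path.getmtime(path))))
    return found


def demo():
    """Run both checks on the constructed log and a throwaway web root.
    Returns (suspicious_request_count, unexpected_file_names)."""
    since = datetime(2023, 5, 1)
    hits = find_suspicious_requests(parse_iis_log(SAMPLE_LOG), since)
    with tempfile.TemporaryDirectory() as root:
        for name in ("human.aspx", "human2.aspx", "readme.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("placeholder")
        files = find_unexpected_aspx_files(root)
    return len(hits), sorted(os.path.basename(p) for p, _ in files)


if __name__ == "__main__":
    print(demo())
```

On a real host, feed `parse_iis_log` the contents of the IIS log files for the site and pass `window_start()` as `since`, and point `find_unexpected_aspx_files` at the MOVEit web root (assumed here to be the default install location under the MOVEit Transfer directory). A hit in either check is a reason to treat the host as compromised and start incident response, not merely to patch.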
Sources:
Dark Reading
BleepingComputer