MOVEit hacked: Hackers exploited zero-day vulnerability in popular file transfer tool to steal data from organizations, researchers say
Progress Software’s MOVEit has fallen victim to a recently discovered zero-day vulnerability after hackers exploited the flaw in the popular file transfer tool to steal critical data from various organizations, U.S. security researchers said on Thursday.
The news came just a day after Progress the Burlington, Massachusetts-based Progress Software disclosed that a security flaw had been discovered. MOVEit enables organizations to transfer files and data between business partners and customers.
The extent of the impact on organizations or the exact number of those affected by potential breaches caused by the software was not immediately known. Ian Pitt, the Chief Information Officer, declined to disclose specific details regarding the organizations involved.
However, Pitt confirm that Progress Software had swiftly made fixes available once they became aware of the vulnerability, which was discovered on the evening of May 28. He also told Reuters in a statement that the cloud-based service associated with the software had also experienced some negative effects as a result of this situation. “As of now we see no exploit of the cloud platform,” he said.
On May 31, Progress Software issued a warning regarding a critical vulnerability in its MOVEit Transfer managed file transfer (MFT) software. The flaw in question is an SQL injection vulnerability, which poses a significant threat as it can be exploited by an unauthenticated attacker. Exploiting this vulnerability grants unauthorized access to MOVEit Transfer databases.
“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company said.
The vulnerability in question is currently in the process of being assigned a CVE identifier. The advisory released by Progress Software can be somewhat perplexing, as it mentions that the company is actively working on developing patches while simultaneously listing updated versions that are believed to address the security flaw.
The patches are expected to be incorporated in versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). It is worth noting that the cloud-based version of the software seems to have also been affected.
Although the advisory does not explicitly state whether the vulnerability has been exploited in real-world situations, it emphasizes the critical importance of promptly applying patches to protect against potential attacks. Additionally, it provides customers with indicators of compromise (IoCs) associated with the observed attacks.
Several cybersecurity firms, including Huntress, Rapid7, TrustedSec, GreyNoise, and Volexity, have also reported instances of attacks involving the MOVEit zero-day vulnerability.
Rapid7 Inc and Mandiant Consulting, owned by Alphabet’s Google, also said they had found a number of cases in which the flaw had been exploited to steal data.
“Mass exploitation and broad data theft has occurred over the past few days,” Charles Carmakal, chief technology officer of Mandiant Consulting, said in a statement. Such “zero-day,” or previously unknown, vulnerabilities in managed file transfer solutions have led to data theft, leaks, extortion, and victim-shaming in the past, Mandiant said.
“Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data,” Carmakal said.