MOVEit Reveals Another SQL Injection Bug; New Victims Emerge
New Vulnerability Allows Threat Actors to Modify, Disclose MOVEit Database Content
The latest vulnerability in MOVEit's managed file transfer application could lead to escalated privileges and unauthorized access to customer environments.
Progress Software said a SQL injection flaw discovered Thursday in the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. From there, Progress Software said, an attacker could modify and disclose MOVEit database content by submitting a crafted payload to a MOVEit Transfer application endpoint.
In response, Progress Software took down HTTPS traffic for MOVEit Cloud and directed customers to disable all HTTP and HTTPS traffic in their MOVEit Transfer environment, according to an update issued Friday. As a workaround, Progress Software said administrators can still reach MOVEit Transfer by connecting to the Windows machine over remote desktop and accessing the application through the local host.
This is the second new MOVEit vulnerability Progress Software has discovered since patching the initial zero-day flaw on May 31. A week ago, the company identified additional SQL injection vulnerabilities that gave attackers access to the MOVEit Transfer database. The Clop ransomware-as-a-service group said it had orchestrated attacks on the initial vulnerability, and hundreds of organizations were likely affected (see: MOVEit Discloses More Vulnerabilities, Issues Patch).
Progress Software on Friday returned MOVEit Cloud to full service across all cloud clusters after testing and deploying a patch. MOVEit Transfer clients must apply the new patch, which was released Friday, before enabling HTTP and HTTPS traffic to their MOVEit Transfer environment. Progress Software said Friday it has not yet seen any indications that threat actors are exploiting this newly discovered vulnerability.
Federal, State Agencies Among Clop's Victims
The victim count from the original vulnerability continues to grow. The U.S. Department of Energy acknowledged late Thursday that records from two DOE entities had been compromised in the MOVEit Transfer cyberattack. A spokesperson told Information Security Media Group the department has notified authorities and taken immediate steps to prevent further exposure to the vulnerability.
"The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach," an Energy Department spokesperson told ISMG.
A spokesperson for the Department of Agriculture told Recorded Future News on Friday that it may have been hit by MOVEit-related cyberattacks. "USDA is aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support," the spokesperson said.
In Louisiana, all residents with a state-issued driver's license, ID or car registration likely had their Social Security numbers, driver's license numbers, vehicle registration information and other personal details exposed to the threat actors, according to the state's Office of Motor Vehicles. There is no indication the hackers sold, used, shared or released the data obtained, and they have not contacted state government (see: Breach Roundup: More MOVEit Victims, Including US Government).
The Oregon Department of Transportation said Thursday that MOVEit hackers had accessed the data of 3.5 million Oregonians who have driver's licenses or state IDs. "While much of this information is available broadly, some of it is sensitive personal information," the department said.