MOVEit Discloses More Vulnerabilities, Issues Patch
Progress Software Says New Vulnerabilities Are Unrelated to Zero-Day Used by Clop
The company behind the MOVEit managed file transfer application is urging customers into a new round of emergency patching after identifying additional vulnerabilities.
Progress Software said in a Friday update that it had identified additional SQL injection vulnerabilities that allow attackers access to the MOVEit Transfer database. "These newly discovered vulnerabilities are distinct from the previously reported vulnerability," it wrote.
Likely hundreds of customers have already been affected by an SQL injection zero-day, tracked as CVE-2023-34362, that the company patched on May 31.
The Clop ransomware-as-a-service group said it orchestrated the attacks. The Russian-speaking gang has threatened to begin naming victims starting Wednesday (see: Clop Ransomware Gang Asserts It Hacked MOVEit Instances).
The Massachusetts company, whose products are popular with the government, health and education sectors, said the newly identified vulnerability doesn't yet have a CVE assigned to it. It allows an attacker to "submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content."
Cyber risk company Kroll said Clop may have started experimenting with how to exploit CVE-2023-34362 as early as 2021.
The assertion comes from logs showing automated scanning of MOVEit instances, including some emanating from IP addresses with the same network ID as known Clop addresses or an address previously attributed to Clop. The scans, said Kroll, scraped the unique identifier associated with each file transfer software customer. Log analysis found an instance of the scans occurring in July 2021.
"These findings highlight the significant planning and preparation that likely precede mass exploitation events," Kroll said.
Clop is behind other high-profile attacks on file transfer applications, including Accellion's File Transfer Appliance and GoAnywhere Managed File Transfer, made by Fortra (see: Fortra Hacker Installed Tools on Victim Machines).