Source: The Hacker News
Summary
Progress Software announced that it had discovered a third vulnerability in its MOVEit Transfer application. The new vulnerability, not yet assigned a CVE number, could allow a threat actor to use SQL injection to escalate privileges and potentially obtain unauthorized access to the environment.
The announcement comes a week after Progress divulged another set of SQL injection vulnerabilities that were being exploited by the Cl0p Ransomware gang. So far, Cl0p has listed the names of 27 companies it says it has hacked using the MOVEit vulnerability on its darknet leak portal.
Analysis
It’s likely that additional vulnerabilities will be found within the MOVEit Transfer software as Progress continues to closely review the software’s code and hackers reverse engineer the patches addressing these vulnerabilities.
Secure data transfer services, such as MOVEit, will remain popular targets for exploitation, given the nature of the data they secure and the desirable list of organizations using them. Including MOVEit Transfer, four of the 10 most popular secure file transfer services have already been breached by threat actors, suggesting this pattern is likely to continue.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities in software such as MOVEit Transfer. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate threat activity. Covalence users are automatically notified when vulnerable software, such as MOVEit Transfer, is detected in their environment.
Field Effect recommends that organizations apply the appropriate mitigation measures and patch any affected versions of MOVEit Transfer as soon as possible according to the instructions issued by Progress.
If your organization uses a secure data transfer service, ensure proper mitigations are in place to detect unauthorized access, misconfigurations, and data theft before a vulnerability is officially announced.