
SQL injection vulnerability affects MOVEit Transfer: A security appeal

Progress Software confirms a serious risk for organizations. Researchers and security professionals investigate the impact of the incident


Progress Software recently updated a security advisory confirming a SQL injection vulnerability in the MOVEit Transfer web application. Although a CVE number has not yet been assigned, the vulnerability could allow an unauthenticated attacker to gain unauthorized access to the application database. According to the advisory, an attacker could infer information about the structure and contents of the database, and could execute SQL statements that alter or delete elements of the database. This applies regardless of the database engine in use, whether MySQL, Microsoft SQL Server or Azure SQL. The vulnerability affects all versions of MOVEit Transfer.

Prevention and remedy measures

The security advisory also includes links to updated versions of the application that contain the fix, indicators of compromise (IoCs) such as scripts, webshells, C2 IP addresses and user accounts, and more detailed system cleanup recommendations. Recommended measures include disabling all HTTP and HTTPS traffic to the MOVEit Transfer environment, deleting unauthorized files and user accounts, resetting credentials, and installing the patch or updating the installation to a fixed version. Finally, after re-enabling HTTP and HTTPS traffic, you should verify that the cleanup was successful and that no rogue accounts remain. If the cleanup was not effective, the procedure must be repeated.

Researchers' investigations and sources of information

Several researchers from Huntress, TrustedSec and Rapid7 analyzed the webshell/backdoor, released YARA signatures and Sigma rules to detect the IoCs and hunt for suspicious files, and shared further technical details about the attacks. This information can help security personnel investigate possible intrusions. In addition, a Reddit thread provides recent information and further details, apparently contributed by sysadmins and security professionals from some of the compromised organizations.
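The two defender-side checks the article describes, sweeping web server logs for the published IoCs (webshell paths and C2 addresses) and confirming after cleanup that no rogue accounts remain, can be scripted as below. This is an added example, not code from Progress or from the researchers named above; every indicator value, the sample IIS log rows and the account baseline are constructed placeholders, and real indicators must be taken from the vendor advisory and the published YARA/Sigma rules.

```python
"""Defender-side IoC sweep for a MOVEit Transfer host (added example, not vendor code)."""
from dataclasses import dataclass

# Constructed placeholder indicators: substitute the values from the Progress advisory.
IOC_WEBSHELL_PATHS = {"/placeholder-webshell.aspx"}
IOC_C2_IPS = {"203.0.113.10"}                        # RFC 5737 documentation address
BASELINE_ACCOUNTS = {"administrator", "svc_moveit"}  # constructed pre-incident account list


@dataclass(frozen=True)
class Hit:
    kind: str     # "webshell", "c2-ip" or "rogue-account"
    value: str    # the matched indicator
    context: str  # timestamp of the matching log row


def parse_iis_w3c(text: str):
    """Yield one dict per request row of an IIS W3C log, keyed by the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split()))


def sweep_logs(log_text: str) -> list[Hit]:
    """Flag requests that touch a known webshell path or originate from a known C2 address."""
    hits = []
    for row in parse_iis_w3c(log_text):
        when = f"{row.get('date', '?')} {row.get('time', '?')}"
        uri = row.get("cs-uri-stem", "").lower()
        if uri in IOC_WEBSHELL_PATHS:
            hits.append(Hit("webshell", uri, when))
        if row.get("c-ip") in IOC_C2_IPS:
            hits.append(Hit("c2-ip", row["c-ip"], when))
    return hits


def rogue_accounts(current_accounts: set[str]) -> set[str]:
    """Post-cleanup check: accounts present now but absent from the pre-incident baseline."""
    return {a for a in current_accounts if a.lower() not in BASELINE_ACCOUNTS}


SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-28 03:14:07 203.0.113.10 POST /placeholder-webshell.aspx 200
2023-05-28 03:14:09 198.51.100.7 GET /index.aspx 200
"""  # constructed sample rows, not real traffic

if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_LOG):
        print(hit)
    print("rogue accounts:", rogue_accounts({"Administrator", "svc_moveit", "placeholder_rogue_user"}))
```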

The impact of the vulnerability

The exact number of organizations affected by the incident is not yet known, but Rapid7 reports that its managed services teams have observed the vulnerability being exploited in multiple customer environments. John Hammond, threat hunter and researcher at Huntress, reported that while fewer than ten organizations in their partner network use the MOVEit Transfer software, Shodan suggests that over 2,500 servers are publicly accessible on the Internet. Only one of those organizations experienced a full attack with all indicators of compromise. Most of these Internet-facing servers are located in the United States. Kevin Beaumont, a security researcher, reports that the intrusions began several weeks ago and that he has received reports of "multiple incidents at various organizations". According to Beaumont, preparation for the attack reportedly lasted weeks, if not months. The incident reportedly also affected MOVEit's SaaS offering (MOVEit Cloud), which Progress Software later disabled. At present, no ransom demands from the attackers for the return of the stolen information have been reported.


06/04/2023 11:22

Editorial AI
