Progress Software rushes to patch another MOVEit SQL vulnerability

Progress Software rushed to deploy a fresh patch to MOVEit Transfer users overnight Thursday following the discovery of a new SQL injection vulnerability affecting the file transfer solution.

It was the second MOVEit Transfer patch issued within a week that also saw the start of extortion attempts against some victims of last month’s zero-day attacks targeting a large number of MOVEit users.

The Clop ransomware group claimed responsibility for the May attacks, saying it had exfiltrated data from “hundreds” of organizations by exploiting a now-patched SQL injection vulnerability, CVE-2023-34362.

Progress Software issued a second patch last Friday to address a number of additional SQL injection vulnerabilities (CVE-2023-35036), and found itself having to do the same again on Thursday.

“We are currently rolling out patches for MOVEit Transfer,” Progress said in an update on its website on Thursday night.

Earlier in the day it disabled HTTPs traffic on the cloud version of its solution, MOVEit Cloud, which was also impacted by the new vulnerability.

“We took HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and asked all MOVEit Transfer customers to take down their HTTP and HTTPs traffic to safeguard their environments while a patch was created and tested,” the update said.

Progress Software also “strongly” recommended customers modified their firewall rules to block HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.

While disabling HTTP and HTTPs affected access to MOVEit Transfer’s web user interface, some automation tasks, APIs and the application’s Outlook add-in, Progress Software said SFTP and FTP/s protocols would continue to work as normal.

“As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/,” its update said.

Clop starts naming its victims

After last month’s attacks, Clop said victims had until June 14 to make contact if they did not want their names published on its website.

This week it started making good on that threat and by Thursday had published the names of 27 organizations it claimed to have attacked, according to a post by ReliaQuest threat intelligence analyst Riam Kim-McLeod.

“Although we haven’t yet seen any of the major organizations that previously disclosed MOVEit Transfer breaches named on [Clop’s website], it is highly likely that Clop is just getting started naming possibly compromised organizations,” Kim-McLeod wrote.

Known victims of the attack include the BBC, British Airways, UK drugstore chain Boots, the provincial government of Nova Scotia, payroll service provider Zellis, the states of Illinois and Missouri, and Minnesota's Department of Education. The drivers license systems in Louisiana and Oregon were compromised late Thursday, affecting millions of people in each state, according to CNN.

“Several” federal government agencies, also fell victim to the attacks, including two Department of Energy entities.

Russian-backed Clop, also known as Lace Tempest, TA505, and FIN11, was responsible for attacks earlier this year that exploited a zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer solution, which targeted more than 130 organizations and compromised information belonging to over a million patients.

Kim-McLeod said Clop “ramped up” the naming of its GoAnywhere victims, initially releasing 26 names, then adding 91 more over a fortnight at the end of March, including 52 in a single day.

“It’s possible that we’ll see similarly large dumps of [MOVEit Transfer victim] organization names in the coming weeks,” she said.