Vulnerability In MOVEit Transfer Exploited In The Wild


An unnamed vulnerability in MOVEit Transfer has been exploited in the wild and is expected to have caused data breaches.

MOVEit Transfer is a popular file transfer tool marketed by software maker Progress, formerly Ipswitch. The zero-day vulnerability has not been assigned a CVE at the time of publishing.

The developers of the company are working on the patch, the company announced.

“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch,” the company alerted.

Zero-day vulnerability in MOVEit Transfer

MOVEit allows organizations to securely transfer files between parties using SFTP–, SCP–, and HTTP–based uploads.

The vulnerability in MOVEit Transfer could be exploited to gain escalated- privileges and unauthorized access to the environment, according to the company.

The vulnerability is an SQL injection one in the MOVEit Transfer web application that could allow access to its database.

A hacker may also gain information about the structure and contents of the database based on the database engine they use. Namely, MySQL, Microsoft SQL Server, or Azure SQL Server. They may delete the database by executing SQL statements.

“Active exploitation of this vulnerability has been observed in the wild, which could lead to escalated privileges and potential unauthorized access to an environment,” said a threat analysis report by cybersecurity company Reliaquest.

“ReliaQuest observed exploitation of this vulnerability since at least May 27, 2023.”

Impact of the zero-day vulnerability in MOVEit Transfer

Screenshot of the affected products and the updated versions available (Photo: Progress)

According to the company, no version of MOVEit Transfer remains unaffected by this vulnerability. Users are urged to upgrade to the fixed versions.

Mass downloading of data from several organizations has been performed by exploiting the flaw in MOVEit Transfer, according to reports. There is no clarity about the time and which cybercriminal group is compromising devices.

While a patch is being prepared, the company has urged its customers worldwide to look out for these indicators of compromise.

Indicators of compromise

Indicator Type Context
C:WindowsTEMP[random][random].cmdline Folder Path Script that is executed to create the human2.aspx file. The folder path and filename are randomized.
human2.aspx Filename Webshell used during exploitation.
human2.aspx.lnk Filename Webshell used during exploitation.
POST /moveitisapi/moveitisapi.dll HTTP POST
POST /guestaccess.aspx HTTP POST
POST /api/v1/folders/[random]/files HTTP POST
5.252.189.0/24 CIDR Attacker command and control
5.252.190.0/24 CIDR Attacker command and control
5.252.191.0/24 CIDR Attacker command and control
198.27.75.110 IPv4 Attacker command and control
209.222.103.170 IPv4 Attacker command and control
84.234.96.104 IPv4 Attacker command and control
Health Check Service User Display Name Webshell creates a MOVEit Transfer user account session with the display name ‘Health Check Service’.
0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 SHA256 Hash Human2.aspx Webshell used during exploitation.
110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 SHA256 Hash Human2.aspx Webshell used during exploitation.
1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 SHA256 Hash Human2.aspx Webshell used during exploitation.
2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 SHA256 Hash Human2.aspx Webshell used during exploitation.
58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 SHA256 Hash Human2.aspx Webshell used during exploitation.
98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 SHA256 Hash Human2.aspx Webshell used during exploitation.
a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 SHA256 Hash Human2.aspx Webshell used during exploitation.
b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 SHA256 Hash Human2.aspx Webshell used during exploitation.
cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 SHA256 Hash Human2.aspx Webshell used during exploitation.
ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c SHA256 Hash Human2.aspx Webshell used during exploitation.
0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 SHA256 Hash Human2.aspx Webshell used during exploitation.
110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 SHA256 Hash Human2.aspx Webshell used during exploitation.
1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 SHA256 Hash Human2.aspx Webshell used during exploitation.
2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 SHA256 Hash Human2.aspx Webshell used during exploitation.
58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 SHA256 Hash Human2.aspx Webshell used during exploitation.
98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 SHA256 Hash Human2.aspx Webshell used during exploitation.
a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 SHA256 Hash Human2.aspx Webshell used during exploitation.
b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 SHA256 Hash Human2.aspx Webshell used during exploitation.
cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 SHA256 Hash Human2.aspx Webshell used during exploitation.
ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c SHA256 Hash Human2.aspx Webshell used during exploitation.

“If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support,” warned the company.

Mitigation and best practices to defend against exploitation

The parent company of MOVEit Transfer, Progress suggested some best practices to deter and report threat arising from the exploitation of the zero-day vulnerability in MOVEit Transfer. The issue was addressed by the company on May 31, 2023 and the following mitigation steps were offered:

  1. Disable all HTTP and HTTPs traffic to MOVEit Transfer. To do this, users may modify firewall rules to deny the said traffic to MOVEit on ports 80 and 443. This can be changed back after the patch has been updated.
  2. As a result of this step, users will not be able to log on to the MOVEit web UI, nor will MOVEit Automation tasks will functional.
  3. MOVEit Transfer add-in for Outlook will also not be working nor be REST, Java and .NET APIs.
  4. Review, and delete unauthorized files and user accounts they find. Delete instances of human2.aspx and .cmdline script files. Review logs for other downloads especially from unknown IPs. Reset service account login credentials for MOVEit.
  5. Apply patches for all MOVEit Transfer versions that are made available. The license file is the same for patching.
  6. Admins are urged to monitor networks, endpoints, and logs for Indicators of Compromise.

Popularity of file transfer tools like MOVEit make vulnerabilities in them highly risky for global organizations.

A vulnerability in managed file transfer (MFT) software GoAnywhere, which serves more than 3,000 organizations across the world, opened the biggest stream of ransomware attacks in Q1, 2023.

Cl0p ransomware had a filed day exploiting a Fortra GoAnywhere MFT RCE vulnerability  CVE-2023-0669. From global corporations such as Hitachi and P&G to city administrations and state governments, the ransomware group had a field day.





Source link