A zero-day vulnerability affecting MOVEit Transfer has been reported as being actively exploited by hackers worldwide.
MOVEit Transfer is a popular file transfer program developed by Ipswitch, a subsidiary of US-based Progress Software Corporation, and is widely used by organizations to securely exchange sensitive data over networks. However, reports warn that a recently discovered zero-day vulnerability is being exploited and that several thousand MOVEit Transfer servers have already fallen victim to mass data theft.
As reported in the vendor’s advisory, this SQL injection vulnerability affects MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). It could potentially be leveraged to gain access to confidential data in transit, escalate privileges, gain unauthorized access to the environment, and achieve remote code execution.
To mitigate the risk, organizations using MOVEit Transfer are advised to follow the mitigation provided by the vendor and upgrade to the latest software version.
The remediation steps include denying HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. The trade-off is that the MOVEit Transfer web UI will not be accessible to users, and MOVEit Automation tasks, the REST, Java and .NET APIs, and the MOVEit Transfer add-in for Outlook will not work. However, access to MOVEit Transfer will still be possible by using a remote desktop, and the SFTP and FTPS protocols will continue to work as normal.
As further mitigation steps, Progress recommends deleting any instances of the human2.aspx and .cmdline script files, reviewing any file created in the C:\MOVEitTransfer\wwwroot\ and C:\Windows\TEMP\[random]\ directories, in particular those with the .cmdline file extension, removing any unauthorized user accounts, checking the logs for large downloads from unknown IPs, and resetting the credentials for affected systems and the MOVEit Service Account.
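The file-system checks in the steps above, as an added PowerShell triage script that is not Progress's or Holm Security's code: it looks for human2.aspx under the web root, lists files recently created under wwwroot, and finds .cmdline files in the random-named subdirectories of C:\Windows\TEMP, hashing each hit so the evidence is recorded before anything is deleted. The paths are the advisory's; the 14-day review window and the CSV output name are assumptions.

```powershell
# Added triage example (not from the Progress advisory or Holm Security).
# Paths are those named in the advisory; the -Days window and CSV name are assumptions.
param(
    [string]$WebRoot  = 'C:\MOVEitTransfer\wwwroot',
    [string]$TempRoot = 'C:\Windows\TEMP',
    [int]$Days        = 14
)

$findings = [System.Collections.Generic.List[object]]::new()
$since    = (Get-Date).AddDays(-$Days)

function Add-Finding([string]$Reason, [System.IO.FileInfo]$File) {
    $findings.Add([pscustomobject]@{
        Reason  = $Reason
        Path    = $File.FullName
        Created = $File.CreationTimeUtc
        SizeKB  = [math]::Round($File.Length / 1KB, 1)
        SHA256  = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
    })
}

# 1. human2.aspx anywhere under the web root (the advisory says to delete any instance).
Get-ChildItem -Path $WebRoot -Recurse -File -Filter 'human2.aspx' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'human2.aspx present under web root' $_ }

# 2. Any other file created inside the review window under wwwroot (advisory: review new files).
Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTimeUtc -ge $since -and $_.Name -ne 'human2.aspx' } |
    ForEach-Object { Add-Finding "wwwroot file created after $($since.ToString('u'))" $_ }

# 3. .cmdline files inside the random-named subdirectories of C:\Windows\TEMP.
Get-ChildItem -Path $TempRoot -Directory -ErrorAction SilentlyContinue |
    Get-ChildItem -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding '.cmdline script in TEMP subdirectory' $_ }

if ($findings.Count -eq 0) {
    Write-Output "No indicators found under $WebRoot or $TempRoot (window: last $Days days)."
} else {
    # Hashes and timestamps are captured above, so the report survives later remediation.
    $findings | Sort-Object Created | Format-Table -AutoSize
    $findings | Export-Csv -Path ".\moveit-triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
}
```

Run it from an elevated PowerShell session on the MOVEit Transfer host before deleting anything, and keep the CSV with the investigation records.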
Consideration of Alternative File Transfer Mechanisms
Although patches for all supported MOVEit Transfer versions are available, before upgrading and resuming use of the application, and in addition to the advised workarounds, MOVEit Transfer users are recommended to consider alternative secure file transfer mechanisms and to carry out an investigation to determine whether any asset has been compromised.
Threat Actors & Potential Motivations
The threat actors and their motivations are still unclear to researchers; however, this zero-day vulnerability could be leveraged to launch mass data theft attacks. In these attacks, cybercriminals specifically target servers and abuse the vulnerability to steal confidential information while it is in transit. The stolen data can then be used for various malicious purposes, including extortion, identity theft, or further compromise of the affected organizations.
Holm Security Vulnerability Management Platform – Detection Instructions
Vulnerability test HID-2-1-5343624 for the MOVEit zero-day vulnerability has been added to the default scanning configuration, and no special configuration is required. This applies to both Scanner Appliances and external nodes.
You will need to perform authenticated scans in Security Center to be able to scan for this vulnerability.
We will keep you updated as additional information becomes available.
by Mihail Lupan, Head of Security Research at Holm Security