Shane Daniel | June 06, 2023 | 4 min read

Threat Advisory: MOVEit Transfer Zero-Day Vulnerability

Executive Summary

  • Progress Software’s MOVEit Transfer is a popular tool used within governments, payroll service providers, and the financial services industry, including the major core banking and FinTech providers.
  • Since June 1, 2023, security experts have been raising alarms about the new vulnerability (CVE-2023-34362) affecting Progress Software’s MOVEit Transfer.
  • Security researchers are reporting active exploitation that could enable attackers to escalate privileges and potentially gain unauthorized access to a targeted system.
  • While Progress Software has not explicitly stated that the vulnerability has been actively exploited, the vendor has requested that customers check for indicators of unauthorized access within the last 30 days.
  • Disable connectivity until remediation steps are completed.
  • Review the Progress Software’s MOVEit Transfer Critical Vulnerability Advisory (May 2023) for remediation.
  • Apply remediation steps, including patches.
  • Monitor network, endpoints, and logs for indicators of compromise (IoCs).
  • On June 4, 2023, Rapid7 documented a method to determine indicators of compromise and the extent to which data was exfiltrated.
  • On June 5, 2023, Microsoft identified Lace Tempest, a threat actor previously linked to Clop (also known as C10p) ransomware with a history of exploiting popular file transfer services, data theft, and extortion attacks, as the group behind the exploit.


Who Can Be Affected?

Regardless of version, anyone using MOVEit on-premises solutions or cloud-based services is affected.


What Has Been Reported?

Following Progress Software’s initial disclosure on May 31, 2023, Rapid7 noticed increased attempts to exploit the SQL injection vulnerability that enables privilege escalation and potentially unauthorized access to target systems.


Rapid7 managed services teams observed active exploitation of a critical zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in numerous Rapid7 customer environments.


Rapid7 reports that the vulnerability was exploited by threat actors at least four days before the advisory, and Progress Software is advising MOVEit customers to check for indicators of unauthorized access over "at least the past 30 days."


Potential For Mass Exploitation and Extortion

“Mass exploitation of zero-day vulnerabilities with other managed file transfer solutions has resulted in data theft, extortion, publication of stolen data, and victim shaming,” said Caitlin Condon, senior manager of vulnerability research at Rapid7. Impacted companies should prepare for potential extortion and publication of stolen data.


Broad Scope

The vulnerability impacts on-prem and cloud-based versions of MOVEit. Referencing Shodan data, Condon noted, “As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the United States.”


What Can You Do?

The vulnerability is awaiting analysis and is being tracked as CVE-2023-34362 in the NIST National Vulnerability Database.


Companies that use MOVEit, or that have third-party relationships with organizations that utilize MOVEit, should follow the Cybersecurity and Infrastructure Security Agency (CISA) alert and the MOVEit Transfer Advisory: follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.


Progress Software strongly recommends that users immediately apply the following mitigation measures.


1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.

More specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.

It is important to note that until HTTP and HTTPS traffic is enabled again:

  • Users will not be able to log on to the MOVEit Transfer web UI.
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
  • REST, Java and .NET APIs will not work.
  • MOVEit Transfer add-in for Outlook will not work.

Please note: SFTP and FTP/s protocols will continue to work as normal. Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help.


2. Review, delete, and reset.

  • Delete unauthorized files and user accounts
    • Delete any instances of the human2.aspx and .cmdline script files.
    • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
    • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of .cmdline.
    • Remove any unauthorized user accounts. See the Progress MOVEit Users Documentation article.
    • Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to the MOVEit Transfer Logs guide.
    • Review IIS logs for any events, including GET /human2.aspx. Large numbers of log entries or entries with large data sizes may indicate unexpected file downloads.
    • If applicable, review Azure logs for unauthorized access to Azure Blob Storage Keys and consider rotating any potentially affected keys.
  • Reset credentials
    • Reset service account credentials for affected systems and the MOVEit Service Account. See KB 000115941.
  • Apply the patch
    • Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note that the license file can remain the same to apply the patch.
  • Verification
    • To confirm the files have been successfully deleted and no unauthorized accounts remain, repeat step 2A (delete unauthorized files and user accounts). If you do find indicators of compromise, reset the service account credentials again.
  • Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment
  • Continuous monitoring
    • Monitor network, endpoints, and logs for indicators of compromise (IoCs) as listed in the advisory.
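The IIS log review in step 2 (requests for GET /human2.aspx, entries with large data sizes, and downloads from unknown IPs) is the kind of check that is worth scripting so it can be re-run during verification. The following is an added example written for this article; it is not tooling from Progress Software or Rapid7. It parses IIS logs in W3C extended format and reports the three indicators named above. The log excerpt, the known-IP allowlist and the 100 MiB "large response" threshold are constructed for illustration and should be replaced with your own log files, your own client address inventory and a threshold appropriate to your normal transfer sizes.

```python
"""Triage IIS W3C extended logs from a MOVEit Transfer server for the
indicators named in the advisory: requests for human2.aspx, unusually large
responses, and download volume from IP addresses not on a known-good list.

Added example, not Progress Software's or Rapid7's tooling. The sample log,
the allowlist and the byte threshold below are constructed for illustration.
"""
from collections import defaultdict

# Constructed IIS log excerpt. The #Fields directive names the columns and
# IIS writes "-" for an empty value.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-06-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2023-06-01 08:02:11 10.0.0.5 GET /login - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 2048 512 31
2023-06-01 08:05:40 10.0.0.5 GET /files/download id=17 443 jdoe 203.0.113.10 Mozilla/5.0 - 200 0 0 4194304 640 902
2023-06-01 03:12:44 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 524288000 312 1843
2023-06-01 03:19:02 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 734003200 312 2210
"""

# Constructed allowlist standing in for the organisation's known client IPs.
KNOWN_IPS = {"203.0.113.10"}

WEBSHELL_NAME = "human2.aspx"              # file name given in the advisory
LARGE_RESPONSE_BYTES = 100 * 1024 * 1024   # assumed threshold: 100 MiB per response


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; it can appear more than once
            # when the log rolls over or the configured field set changes.
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            # Truncated or malformed line: record it rather than silently
            # dropping evidence during an incident review.
            records.append({"_malformed": line})
            continue
        records.append(dict(zip(fields, values)))
    return records


def _int(value):
    """sc-bytes may be '-' when IIS is not configured to log it."""
    return int(value) if value.isdigit() else 0


def triage(records, known_ips=KNOWN_IPS, large_bytes=LARGE_RESPONSE_BYTES):
    """Return the findings a reviewer would act on for step 2 of the advisory."""
    findings = {
        "webshell_requests": [],
        "large_responses": [],
        "bytes_by_ip": defaultdict(int),
        "requests_by_ip": defaultdict(int),
        "unknown_ips": set(),
        "malformed_lines": 0,
    }
    for rec in records:
        if "_malformed" in rec:
            findings["malformed_lines"] += 1
            continue
        ip = rec.get("c-ip", "-")
        sc_bytes = _int(rec.get("sc-bytes", "-"))
        findings["bytes_by_ip"][ip] += sc_bytes
        findings["requests_by_ip"][ip] += 1
        if ip != "-" and ip not in known_ips:
            findings["unknown_ips"].add(ip)
        # Compare case-insensitively: IIS paths are not case sensitive.
        if rec.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME):
            findings["webshell_requests"].append(rec)
        if sc_bytes >= large_bytes:
            findings["large_responses"].append(rec)
    return findings


def triage_text(text, **kwargs):
    """Convenience wrapper: parse and triage a whole log file's contents."""
    return triage(parse_iis_log(text), **kwargs)


if __name__ == "__main__":
    f = triage_text(SAMPLE_LOG)
    print(f"{WEBSHELL_NAME} requests: {len(f['webshell_requests'])}")
    for rec in f["webshell_requests"]:
        print(f"  {rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} "
              f"{rec['cs-uri-stem']} sc-bytes={rec['sc-bytes']}")
    print(f"responses of {LARGE_RESPONSE_BYTES} bytes or more: {len(f['large_responses'])}")
    print(f"client IPs not on the allowlist: {sorted(f['unknown_ips'])}")
    for ip, total in sorted(f["bytes_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {f['requests_by_ip'][ip]} requests, {total} bytes sent")
```

Run it against the concatenated contents of the server's IIS log directory rather than the embedded sample. Any hit on human2.aspx is a finding by itself; the byte totals per client IP are what show whether the access went beyond a probe and how much data may have left, which is the information the reset and verification steps depend on.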


Further Information:


Shane Daniel

Shane Daniel is a Senior Information Security Consultant for SBS CyberSecurity. As a former community bank internal auditor and compliance officer, Shane has over 25 years of experience helping financial institutions manage risk and profitability.
