Description

A critical zero-day vulnerability has been discovered in MOVEit Transfer, a managed file transfer product widely used by businesses and developers worldwide. Unknown threat actors have exploited it to steal data from organizations at scale. Progress Software Corporation, the developer of MOVEit, issued a security advisory urging customers to act immediately: block external HTTP and HTTPS traffic to ports 80 and 443 on the MOVEit server, and check the c:\MOVEitTransfer\wwwroot\ folder for unusual files. A patch has since been released.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-06-01
  • Author: Michael Haag, Splunk
  • ID: e8c05f9b-6ad4-45ac-8f5d-ff044da417c9

Narrative

Threat actors have been actively exploiting a zero-day vulnerability in MOVEit Transfer, a managed file transfer solution developed by Progress Software Corporation, a US-based company, through its subsidiary Ipswitch. It is used by thousands of organizations worldwide, including Chase, Disney, GEICO, and MLB, and by 3.5 million developers. The software provides file transfers between business partners and customers over SFTP, SCP, and HTTP-based uploads.
The zero-day has been exploited to steal data at scale from many organizations. The identity of the threat actors and the exact exploitation timeline remain unclear, but multiple organizations have confirmed breaches and data theft.
In response, Progress released a security advisory warning customers of the vulnerability and providing mitigations to apply while the patch was rolled out. It urged customers to act immediately: block external HTTP and HTTPS traffic to ports 80 and 443 on the MOVEit server, and check the c:\MOVEitTransfer\wwwroot\ folder for unexpected files, including backups or unusually large file downloads.
Blocking these ports prevents external access to the web UI, stops some MOVEit Automation tasks from working, blocks the APIs, and breaks the Outlook MOVEit plugin. SFTP and FTP/S transfers are unaffected and can continue to be used.
No detailed information about the vulnerability has been published yet, but the ports being blocked and the specific location to inspect both point to a flaw in the web-facing (HTTP/HTTPS) component of the product.
Progress has officially confirmed that the vulnerability is being actively exploited, and several reports show that multiple organizations have already had data stolen through it. The campaign closely resembles the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and of Accellion FTA servers in December 2020, both managed file transfer platforms heavily exploited by the Clop ransomware gang to steal data and extort organizations.

Detections

Name                                   Technique                                                     Type
Windows MOVEit Transfer Writing ASPX   Exploit Public-Facing Application, External Remote Services   TTP
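The advisory's instruction to inspect c:\MOVEitTransfer\wwwroot\ and the detection above both reduce to one question: did anything write a server-executed ASP.NET file under the MOVEit web root? The following is an added example, not Splunk's SPL or any Progress code, that applies that logic to endpoint file-create events. The events are constructed and shaped like Sysmon Event ID 11 fields (TargetFilename, Image); those field names, the w3wp.exe writer, and the inclusion of .ashx/.asmx alongside .aspx are assumptions of this example. It also shows two things a naive substring match on "wwwroot" gets wrong: a sibling folder such as wwwroot_old must not match, and a path that traverses back out of the web root with ".." must not match either.

```python
"""Flag ASP.NET script files written under the MOVEit Transfer web root.

Added example (not Splunk's detection or Progress's code). Input is a
constructed list of file-create events; field names follow Sysmon Event ID 11
as an assumption.
"""
import ntpath

# Directory named in the Progress advisory. Compared case-insensitively,
# since NTFS paths are case-insensitive.
WWWROOT = r"C:\MOVEitTransfer\wwwroot"

# ASPX is what the page's detection names. .ashx and .asmx are also
# server-executed ASP.NET handlers; including them is this example's assumption.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def _normalize(path: str) -> str:
    """Collapse slashes and '..' segments, then lower-case for comparison."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_under_wwwroot(path: str, root: str = WWWROOT) -> bool:
    """True only when `path` is inside `root` after normalization.

    Requires the root followed by a path separator, so a sibling such as
    C:\\Backup\\wwwroot_old\\ does not match, and a traversal like
    wwwroot\\..\\..\\Windows\\... normalizes out of the root and does not match.
    """
    p = _normalize(path)
    r = _normalize(root)
    return p == r or p.startswith(r + "\\")


def is_server_script(path: str) -> bool:
    """True when the file extension is one IIS would hand to ASP.NET."""
    _, ext = ntpath.splitext(path.lower())
    return ext in SCRIPT_EXTENSIONS


def flag_webroot_script_writes(events):
    """Return one record per event that wrote a server script under the web root."""
    hits = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if is_under_wwwroot(target) and is_server_script(target):
            hits.append({
                "path": _normalize(target),
                "writer": ev.get("Image", "<unknown>"),
            })
    return hits


# Constructed sample events (not real telemetry).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    # Benign static asset under the web root.
    {"TargetFilename": r"C:\MOVEitTransfer\wwwroot\images\logo.png", "Image": W3WP},
    # Server script dropped directly in the web root: should be flagged.
    {"TargetFilename": r"C:\MOVEitTransfer\wwwroot\shell.aspx", "Image": W3WP},
    # Mixed case, forward slashes and a '..' segment: still inside the root.
    {"TargetFilename": "C:/MOVEitTransfer/WWWROOT/sub/../handler.ASHX", "Image": W3WP},
    # Sibling directory that merely contains the word wwwroot: not flagged.
    {"TargetFilename": r"C:\Backup\wwwroot_old\page.aspx", "Image": r"C:\Windows\explorer.exe"},
    # Traversal out of the web root: the file is not in wwwroot, not flagged.
    {"TargetFilename": r"C:\MOVEitTransfer\wwwroot\..\..\Windows\Temp\x.aspx", "Image": W3WP},
]


if __name__ == "__main__":
    for hit in flag_webroot_script_writes(SAMPLE_EVENTS):
        print(f"ALERT: {hit['writer']} wrote {hit['path']}")
```

Run against real telemetry, the interesting cases are the hits written by the IIS worker process itself, since a web application that writes new .aspx handlers into its own root is the classic footprint of a web shell being dropped through an application-layer flaw.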
