Earlier in June DefenseStorm became aware of a vulnerability disclosure involving MOVEit and posted an article. The casualty list for this vulnerability is growing by the day largely due to exploitation by the Clop Ransomware gang of unpatched instances.
This is an update and reminder to please stay updated on patching and patch for the MOVEit vulnerabilities as soon as possible.
July 9, 2023
Earlier in June DefenseStorm became aware of a vulnerability disclosure involving MOVEit and posted an article about it in this forum. The casualty list for this vulnerability is growing by the day largely due to exploitation by the Clop Ransomware gang of unpatched instances. This is an update and reminder to please stay up to date on patching, and if you haven’t patched for the MOVEit vulnerabilities, please do so as soon as possible.
Information relating to MOVEit and its disclosed vulnerabilities can be found on the Progress Security Page and refer to it to ensure you have all of the latest updates and details on patching and mitigation steps.
DefenseStorm Response
DefenseStorm has already identified and has been uploading numerous IOCs related to this vulnerability into its ThreatMatch Feed and has continued to do so since the original post. We are still investigating additional IOCs/IOAs that are related to this incident and will upload any discovered accordingly.
Please bookmark the Progress Security Page and check it regularly to stay updated with available patches and mitigation steps.
June 5, 2023
Is DefenseStorm Impacted?
DefenseStorm itself is not impacted by this vulnerability we are currently investigating any IOCs or IOAs that are related to this incident and will upload any discovered accordingly.
Our recommendation is to patch and follow the guidance provided by hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.
In addition, when searching for files or other IOC/IOAs, it is strongly encouraged to search for those indicators on potentially impacted servers themselves and not just through GRID Active logging.
June 2, 2023
DefenseStorm is aware of a recent vulnerability disclosure involving MOVEit. Please see the below information obtained from: hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.
Issue
SQL Injection (CVE Pending – Submitted to MITRE)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Affects
All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version.
Recommended Remediation
To help prevent the successful exploitation of the mentioned SQLi vulnerability to your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures per the steps below.
More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
It is important to note that until HTTP and HTTPS traffic is enabled again:
Please note: SFTP and FTP/s protocols will continue to work as normal
Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing hxxps://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help.
Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: hxxps://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same to apply the patch.
Affected Version | Fixed Version | Documentation |
MOVEit Transfer 2023.0.0 | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
MOVEit Transfer 2022.1.x | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
MOVEit Transfer 2022.0.x | MOVEit Transfer 2022.0.4 | |
MOVEit Transfer 2021.1.x | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
MOVEit Transfer 2021.0.x | MOVEit Transfer 2021.0.6 |
Additional Security Best Practices
If you are unable to follow the recommended mitigation steps above, we strongly suggest taking the below security steps to help reduce risk to your MOVEit Transfer environment from unauthorized access. It’s important to note, that these are not considered mitigation steps to the mentioned vulnerability.
Please see here for MOVEit Security Best Practices.
DefenseStorm Response
DefenseStorm has already identified and uploaded numerous IOCs related to this vulnerability into its ThreatMatch Feed. We are currently investigating additional IOCs/IOAs that are related to this incident and will upload any discovered accordingly.
Additional sources: